Christopher L. Everett
2002-Mar-21 14:14 UTC
[Shorewall-users] Three interface firewall setup
I have a firewall with 3 IF''s: zone description IP Addr Range ---- --------------------------------------------- ------------- loc the office LAN 10.0.0.0/24 net the Internet w.x.y.z dmz not really a DMZ, more like a private network that my servers use to communicate w/ each other for DB replication, etc 10.0.1.0/24 I have the office LAN masqueraded onto the Internet, but I also want free acccess to the dmz for ssh, web access, etc. I''m alos going to have back-end database and application server in there which I won''t have connected directly to the Internet that I want to administer from my office LAN. What strategy should I adopt? Christopher Everett Chief Technology Officer Physicians Employment on the Internet The Medical Banner Exchange
Christopher, I''m not sure what you are asking for here -- sounds like a pretty straight-forward three-zone setup. -Tom ----- Original Message ----- From: "Christopher L. Everett" <ceverett@ceverett.com> To: <shorewall-users@shorewall.net> Sent: Thursday, March 21, 2002 6:14 AM Subject: [Shorewall-users] Three interface firewall setup> I have a firewall with 3 IF''s: > > zone > description > IP Addr Range > ---- > --------------------------------------------- > ------------- > loc > the office LAN 10.0.0.0/24 > net > the Internet > w.x.y.z > dmz > not really a DMZ, more like a private network > that my servers use to communicate w/ each > other for DB replication, etc 10.0.1.0/24 > > I have the office LAN masqueraded onto the Internet, but I also wantop > free acccess to the dmz for ssh, web access, etc. I''m alos going to > have back-end database and application server in there which I won''t > have connected directly to the Internet that I want to administer from > my office LAN. > > What strategy should I adopt? > > Christopher Everett > Chief Technology Officer > Physicians Employment on the Internet > The Medical Banner Exchange > > _______________________________________________ > Shorewall-users mailing list > Shorewall-users@shorewall.net > http://www.shorewall.net/mailman/listinfo/shorewall-users >
----- Original Message ----- From: "Christopher L. Everett" <ceverett@ceverett.com> To: <shorewall-users@shorewall.net> Sent: Friday, March 22, 2002 11:24 AM Subject: Re: [Shorewall-users] Three interface firewall setup> Tom Eastep wrote: > > Christopher, > > > > I''m not sure what you are asking for here -- sounds like a pretty > > straight-forward three-zone setup. > > > So, I can pretty much use the same 3 zone setup as n www.shorewall.net > as a template, simply removing the proxy-arp section (because my boxen > in the DMZ without a direct Internet connection are not supposed to be > visible to the Internet)?Just remove the masquerade entry for the DMZ from /etc/shorewall/masq. -Tom
----- Original Message ----- From: "Tom Eastep" <teastep@shorewall.net> To: "Christopher L. Everett" <ceverett@ceverett.com>; <shorewall-users@shorewall.net> Sent: Thursday, March 21, 2002 12:26 PM Subject: Re: [Shorewall-users] Three interface firewall setup> > > > > So, I can pretty much use the same 3 zone setup as n www.shorewall.net > > as a template, simply removing the proxy-arp section (because my boxen > > in the DMZ without a direct Internet connection are not supposed to be > > visible to the Internet)? > > Just remove the masquerade entry for the DMZ from /etc/shorewall/masq. >Let me violate netiquette here and respond to my own post. As the documentation points out, the parameterized samples are what they are -- if they don''t fit your situation then for you to use Shorewall, you will need to understand how it is configured without the aid of the training wheels. The samples were designed to allow you to get a firewall working in one of three common environments in the shortest possible time; to do that, the scripts hide most of the power and flexibility of Shorewall itself. -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net
There''s so much one needs to learn about networking before attempting to install a firewall and it''s tempting to try shortcuts rather than read the documentation, and google all the cross tracks. I plead guilty. But, I also see that quite a few questions can easily be answered by the documentation that''s provided. I''ve been hesitant to point that out because of my novice status, but I''m going to try to help in that regard more. Tom has been more than generous with his structural concepts for firewall description, with his code to implement those insights, and with his steady answers to questions on the list. Perhaps we can all chip in when we see a question that is covered in the documentation or the examples with a chorus of RTM - read the manual. Tom, if you can, sit back a little bit and let others have the first crack at the question. When we all fail to come up with an acceptable answer, then give us the straight scoop! Thanks for your great work and your patience! -- Sincerely, David Smead http://www.amplepower.com. On Thu, 21 Mar 2002, Tom Eastep wrote:> > ----- Original Message ----- > From: "Tom Eastep" <teastep@shorewall.net> > To: "Christopher L. Everett" <ceverett@ceverett.com>; > <shorewall-users@shorewall.net> > Sent: Thursday, March 21, 2002 12:26 PM > Subject: Re: [Shorewall-users] Three interface firewall setup > > > > > > > > > So, I can pretty much use the same 3 zone setup as n www.shorewall.net > > > as a template, simply removing the proxy-arp section (because my boxen > > > in the DMZ without a direct Internet connection are not supposed to be > > > visible to the Internet)? > > > > Just remove the masquerade entry for the DMZ from /etc/shorewall/masq. > > > > Let me violate netiquette here and respond to my own post. As the > documentation points out, the parameterized samples are what they are -- if > they don''t fit your situation then for you to use Shorewall, you will need > to understand how it is configured without the aid of the training wheels. > The samples were designed to allow you to get a firewall working in one of > three common environments in the shortest possible time; to do that, the > scripts hide most of the power and flexibility of Shorewall itself. > > -Tom > -- > Tom Eastep \ Shorewall - iptables made easy > AIM: tmeastep \ http://www.shorewall.net > ICQ: #60745924 \ teastep@shorewall.net > > > > _______________________________________________ > Shorewall-users mailing list > Shorewall-users@shorewall.net > http://www.shorewall.net/mailman/listinfo/shorewall-users >
Christopher L. Everett
2002-Mar-22 19:24 UTC
[Shorewall-users] Three interface firewall setup
Tom Eastep wrote:> Christopher, > > I''m not sure what you are asking for here -- sounds like a pretty > straight-forward three-zone setup. >So, I can pretty much use the same 3 zone setup as n www.shorewall.net as a template, simply removing the proxy-arp section (because my boxen in the DMZ without a direct Internet connection are not supposed to be visible to the Internet)? Christopher Everett Chief Technology Officer Healthcare Careers Publishing
Hello David, I apologize for not replying sooner but I wanted to take extra time with my response to your post. ----- Original Message ----- From: "David Smead" <smead@amplepower.com> To: <shorewall-users@shorewall.net> Sent: Thursday, March 21, 2002 9:28 PM Subject: Re: [Shorewall-users] Three interface firewall setup> There''s so much one needs to learn about networking before attempting to > install a firewall and it''s tempting to try shortcuts rather than read the > documentation, and google all the cross tracks. I plead guilty. >I think we''re all guilty of that at times. I''ve tried to install packages without an idea in H**l about what I was doing. I always have to force myself to print and read the documentation away from my systems (if I read installation instructions while sitting at a keyboard, I start installing/configuring before I''m done reading).> But, I also see that quite a few questions can easily be answered by the > documentation that''s provided. I''ve been hesitant to point that out > because of my novice status, but I''m going to try to help in that regard > more.I''m glad that you mention the documentation. I have a lot more effort invested in the Documentation/Website than I do in the code itself; it''s always good to hear when someone finds it useful. I also welcome suggestions about how to make it better.> > Tom has been more than generous with his structural concepts for firewall > description, with his code to implement those insights, and with his > steady answers to questions on the list. Perhaps we can all chip in when > we see a question that is covered in the documentation or the examples > with a chorus of RTM - read the manual.I always welcome help with responding to posts on the list.> > Tom, if you can, sit back a little bit and let others have the first crack > at the question. When we all fail to come up with an acceptable answer, > then give us the straight scoop!I''ll try :-) Although I''ve had a long and successful career as a software designer, I''m basically a teacher at heart (if someone offered me a teaching post, I''d probably accept in a minute); I enjoy helping people to learn and do new things... Thanks again, -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net