Ronald Wiplinger
2002-Sep-05 01:58 UTC
[Shorewall-users] Simple setup and more complex setup needed
I need to figure out how to set up two different firewall concepts easily:

a. simple one:

Internet routes (example) 200.200.200.96/27 to our site (32 IP)
The server (firewall) should get as external interface *.97, and as internal interface 192.168.1.254/24
Users want to use http, https, ICQ, smtp, pop3, ftp, ssh, scp, sftp, (telnet), some special ports for VoIP.

The remaining addresses should go through the firewall without any rules! They will just be monitored for bandwidth usage.

b. complex setup:

Internet-1 connection routes (example) 200.200.200.80/29 to our site (8 IP) (eth0)
Internet-2 connection routes (example) 100.100.100.100/32 to our site (1 IP) (eth1)

Internal ethernet card eth2 is for testing
Internal ethernet card eth3 is our internal LAN with 192.168.200.254/24

Users want to use http, https, ICQ, smtp, pop3, ftp, ssh, scp, sftp, (telnet), some special ports for VoIP.

Zebra should be used with a private AS number and BGP-4 to find the right routing !!!

-----

b. continued wishes

This network also has a /64 of IPv6 addresses, which are not used by the firewall.
Internally there should now be SEVERAL WEB & mail servers, which will be reachable either by IPv6 directly (no firewall or with iptables6).

If somebody comes from the Internet asking for www.abc-v6.com (IPv6) then he comes directly to the assigned machine.
If somebody comes from the Internet asking for www.abc-v4.com (IPv4) then he comes to the firewall machine only, and HERE we then need a translation to IPv6 and a connection to the right IPv6 machine.

Any suggestions for doing that? (LINUX !!!!)

bye

Ronald

--
Ronald Wiplinger, Technical Director
Bright Networking Inc, http://www.2bright.net
7F, 192-1, Sec. 3, Tatung Rd., Shijr City, Taipei, Taiwan, RoC
Tel.: +886 2 8647-1685, Mobile +886 915 653-452, Fax: +886 2 8647-2002
Tom Eastep
2002-Sep-11 14:38 UTC
[Shorewall-users] Simple setup and more complex setup needed
On Wednesday 04 September 2002 06:58 pm, Ronald Wiplinger wrote:

> I need to figure out how to set up two different firewall concepts easily:
>
> a. simple one:
>
> Internet routes (example) 200.200.200.96/27 to our site (32 IP)
> The server (firewall) should get as external interface *.97, and as
> internal interface 192.168.1.254/24
> Users want to use http, https, ICQ, smtp, pop3, ftp, ssh, scp, sftp,
> (telnet), some special ports for VoIP.
>
> The remaining addresses should go through the firewall without any
> rules! They will just be monitored for bandwidth usage.

Ok -- what specific questions do you have?

> b. complex setup:
>
> Internet-1 connection routes (example) 200.200.200.80/29 to our site (8
> IP) (eth0)
> Internet-2 connection routes (example) 100.100.100.100/32 to our site (1
> IP) (eth1)
>
> Internal ethernet card eth2 is for testing
> Internal ethernet card eth3 is our internal LAN with 192.168.200.254/24
>
> Users want to use http, https, ICQ, smtp, pop3, ftp, ssh, scp, sftp,
> (telnet), some special ports for VoIP.
>
> Zebra should be used with a private AS number and BGP-4 to find the
> right routing !!!

For this case, I suggest that you look at the Linux Advanced Routing and Traffic Control Howto -- (http://ds9a.nl/lartc). It will show you how to set up two default routes (one through each ISP).

> -----
>
> b. continued wishes
>
> This network also has a /64 of IPv6 addresses, which are not used by the
> firewall.
> Internally there should now be SEVERAL WEB & mail servers, which will be
> reachable either by IPv6 directly (no firewall or with iptables6).
>
> If somebody comes from the Internet asking for www.abc-v6.com (IPv6)
> then he comes directly to the assigned machine.
> If somebody comes from the Internet asking for www.abc-v4.com (IPv4)
> then he comes to the firewall machine only, and HERE we then need a
> translation to IPv6 and a connection to the right IPv6 machine.
>
> Any suggestions for doing that? (LINUX !!!!)

The IPv6 question has been addressed in a recent separate thread -- check the archives.

-Tom

--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
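For the "simple" case (a.) asked about above, here is a minimal Shorewall configuration as an added example; it is not from either post or from Shorewall's own documentation. It assumes eth0 is the external interface holding 200.200.200.97 and eth1 the LAN interface (192.168.1.254/24), uses current Shorewall file formats, treats ICQ as TCP 5190 and leaves the VoIP ports as a placeholder; passing the remaining public addresses through without rules is not covered here.

```text
# /etc/shorewall/zones       (example; zone names fw/net/loc are assumptions)
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4

# /etc/shorewall/interfaces  (eth0 = Internet, eth1 = LAN: assumed mapping)
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs,routefilter
loc     eth1        tcpflags,nosmurfs

# /etc/shorewall/policy      (default deny; only explicit rules let LAN traffic out)
#SOURCE DEST    POLICY  LOGLEVEL
fw      net     ACCEPT
loc     net     REJECT  info
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/snat        (hide 192.168.1.0/24 behind the firewall's .97)
#ACTION                 SOURCE          DEST
SNAT(200.200.200.97)    192.168.1.0/24  eth0

# /etc/shorewall/rules       (the services the users asked for, nothing more)
#ACTION         SOURCE  DEST    PROTO   DPORT
DNS(ACCEPT)     loc     net                     # not in the list, but needed to resolve names
HTTP(ACCEPT)    loc     net
HTTPS(ACCEPT)   loc     net
SMTP(ACCEPT)    loc     net
POP3(ACCEPT)    loc     net
SSH(ACCEPT)     loc     net                     # also carries scp and sftp
FTP(ACCEPT)     loc     net                     # relies on the FTP conntrack helper
Telnet(ACCEPT)  loc     net                     # cleartext; the post lists it as optional
ACCEPT          loc     net     tcp     5190    # ICQ (assumed port)
#ACCEPT         loc     net     udp     PORTS   # VoIP: placeholder, fill in the real ports
SSH(ACCEPT)     loc     fw                      # admin access to the firewall from the LAN
Ping(ACCEPT)    loc     fw
```

Everything not listed is rejected and logged by the policy file, which is also where the bandwidth monitoring the post mentions would have to be done separately (Shorewall only filters; it does not account traffic by itself).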