Shorewall users - Sep 2002 - Simple setup and more complexe setup needed

I need to figure out how to setup easy two different firewall concepts:

a. simple one:

Internet  routes (example) 200.200.200.96/27 to our site (32 IP)
The server (firewall) should get as external interface *.97, and as 
internal interface 192.168.1.254/24
User want to use http, https, ICQ, smtp, pop3, ftp, ssh, scp, sftp, 
(telnet), some special ports for VoIP.

The remaining addresses should go through the firewall without any 
rules! They will just be monitored for bandwidth usage.


b. complexe setup:

Internet-1 connection routes (example) 200.200.200.80/29 to our site (8 
IP)  (eth0)
Internet-2 connection routes (example) 100.100.100.100/32 to our site (1 
IP) (eth1)

Internal ethernet card eth2 is for testing
Internal ethernet card eth3 is our internal LAN with 192.168.200.254/24

User want to use http, https, ICQ, smtp, pop3, ftp, ssh, scp, sftp, 
(telnet), some special ports for VoIP.

Zebra should be used with a private AS number and BGP-4 to find the 
right routing !!!


-----

b. continued wishes

This network has also a /64 IPv6 addresses, which are not used by the 
firewall.
Internal there should be now SEVERAL WEB & mail servers, which will be 
reachable either by IPv6 directly (no firewall or with iptables6)

If somebody comes from the Internet asking for www.abc-v6.com (IPv6) 
than he comes directly to the assigned machine.
If somebody comes from the Internet asking for www.abc-v4.com (IPv4) 
than he comes to the firewall machine only, and HERE we need than a 
translation to an IPv6 and connect to the right IPv6 machine.


Any suggestions for doing that. (LINUX !!!!)


bye

Ronald






-- 

 
Ronald  Wiplinger, Technical Director
Bright Networking Inc, http://www.2bright.net
7F, 192-1, Sec. 3, Tatung Rd., Shijr City, Taipei, Taiwan, RoC
Tel.: +886 2 8647-1685, Mobile +886 915 653-452, Fax: +886 2 8647-2002

On Wednesday 04 September 2002 06:58 pm, Ronald Wiplinger
wrote:
> I need to figure out how to setup easy two different firewall concepts:
>
> a. simple one:
>
> Internet  routes (example) 200.200.200.96/27 to our site (32 IP)
> The server (firewall) should get as external interface *.97, and as
> internal interface 192.168.1.254/24
> User want to use http, https, ICQ, smtp, pop3, ftp, ssh, scp, sftp,
> (telnet), some special ports for VoIP.
>
> The remaining addresses should go through the firewall without any
> rules! They will just be monitored for bandwidth usage.
Ok -- what specific questions do you have? 
>
>
> b. complexe setup:
>
> Internet-1 connection routes (example) 200.200.200.80/29 to our site (8
> IP)  (eth0)
> Internet-2 connection routes (example) 100.100.100.100/32 to our site (1
> IP) (eth1)
>
> Internal ethernet card eth2 is for testing
> Internal ethernet card eth3 is our internal LAN with 192.168.200.254/24
>
> User want to use http, https, ICQ, smtp, pop3, ftp, ssh, scp, sftp,
> (telnet), some special ports for VoIP.
>
> Zebra should be used with a private AS number and BGP-4 to find the
> right routing !!!
For this case, I suggest that you look at the Linux Advanced Routing and 
Traffic Control Howto -- (http://ds9a.nl/lartc). It will show you how to set 
up two default routes (one through each ISP).
>
>
> -----
>
> b. continued wishes
>
> This network has also a /64 IPv6 addresses, which are not used by the
> firewall.
> Internal there should be now SEVERAL WEB & mail servers, which will be
> reachable either by IPv6 directly (no firewall or with iptables6)
>
> If somebody comes from the Internet asking for www.abc-v6.com (IPv6)
> than he comes directly to the assigned machine.
> If somebody comes from the Internet asking for www.abc-v4.com (IPv4)
> than he comes to the firewall machine only, and HERE we need than a
> translation to an IPv6 and connect to the right IPv6 machine.
>
>
> Any suggestions for doing that. (LINUX !!!!)
>
The IPV6 question has been addressed in a recent separate thread -- check the 
archives.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net