Shorewall users - Sep 2002 - Multiple computers on external side of the network

My setup is that I have a whole /24 subnet to myself (or my company rather) 
and I want all of the internal machines to have the same addresses inside 
as outside (i don''t like nat, it causes too many headaches for things
like
MSN Instant Messenger file transfers, which the CEO of our company is very 
fond of).

I have two problems:

Firstly, I''m trying to set up a VPN alongside (in parallel with?) the 
firewall, it too requires one interface on the inside and another on the 
outside.  The problem is: If I activate the external interface on the VPN 
while Shorewall is running, it tells me that I have an IP address conflict 
with the external NIC of the firewall.  It''s not enough just to have
the
external network adaptor of the firewall enabled, I actually have to have 
Shorewall running (which is why I have come here with this problem).  If I 
look at the syslog, there are many many messages from Shorewall indicating 
that it was trying to figure out what to do with packets directed at the 
external address of the VPN (why would the firewall be trying to deal with 
those packets at all?  How do I get the firewall to not claim 
responsibility for certain IPs on its network?)

Secondly, (and perhaps fixing this would be a solution to the first as 
well, but I don''t know) since my internal and external networks use the
same IP addresses, I''ve had a few problems setting up the proper 
netmask.  The way I''ve gotten it to work for now is to set the netmask
on
all internal machines to 255.255.255.128.  Obviously this means I can only 
use half of my allocated addresses.  Is there any way that I can have the 
same IP on both the internal and external interfaces of the firewall 
without having to sacrifice half of my addresses?

Thanks a bunch,
Eric

Eric C. Herot wrote:
 > My setup is that I have a whole /24 subnet to myself (or my company
 > rather) and I want all of the internal machines to have the same
 > addresses inside as outside (i don''t like nat, it causes too many
 > headaches for things like MSN Instant Messenger file transfers, which
 > the CEO of our company is very fond of).
 >
 > I have two problems:
 >
 > Firstly, I''m trying to set up a VPN alongside (in parallel with?)
the
 > firewall, it too requires one interface on the inside and another on the
 > outside.  The problem is: If I activate the external interface on the
 > VPN while Shorewall is running, it tells me that I have an IP address
 > conflict with the external NIC of the firewall.  It''s not enough
just to
 > have the external network adaptor of the firewall enabled, I actually
 > have to have Shorewall running (which is why I have come here with this
 > problem).  If I look at the syslog, there are many many messages from
 > Shorewall indicating that it was trying to figure out what to do with
 > packets directed at the external address of the VPN (why would the
 > firewall be trying to deal with those packets at all?  How do I get the
 > firewall to not claim responsibility for certain IPs on its network?)
 >

Several things:

1. From the above description, I am unable to draw a diagram of your
network setup (I don''t understand where the VPN fits into the picture).

2. Shorewall deals with ALL packets going to/from/through the firewall. If
you want it to transparently pass certain traffic then you have to
configure Shorewall appropriately.

 > Secondly, (and perhaps fixing this would be a solution to the first as
 > well, but I don''t know) since my internal and external networks
use the
 > same IP addresses, I''ve had a few problems setting up the proper
 > netmask.  The way I''ve gotten it to work for now is to set the
netmask
 > on all internal machines to 255.255.255.128.  Obviously this means I can
 > only use half of my allocated addresses.  Is there any way that I can
 > have the same IP on both the internal and external interfaces of the
 > firewall without having to sacrifice half of my addresses?
 >

Does the upstream router route all traffic to your /24 to the external IP
of your firewall/router? Is the IP address of the upstream router in your /24?

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

Hello.

i was in a simular situation, and ended up doing the following:

i build a transparent bridging firewall myself. it''s a bit more
complicated
than setting up shorewall, but it did the trick for me. It allows me to keep
the current network configuration *exactly* as it is now. (you have to learn
iptables, though...)

I''ve simply put the firewall in between the internet and our network
(just
before the utp <-> glassfibre converter) and up and running in no time. If
ever the firewall breaks down, i simply take firewall out, and all works
just as before, only without firewall.

of course implementing a dmz etc is not possible this way. (i guess?)

And, when building a new network, ground up, I will absolutely be using
shorewall, but to deal with the situation as it was given to me, this really
looked like the best solution.

anyway: don''t know if it applies to you, if not, forget i said anything
:)
(it''s just that I had been struggling with this issue for a week or
two, and
then all of a sudden, someone mentioned the beast ''transparent bridging
firewall'', and it turned out to be *exactly* what i was looking for.

yours,
mourik jan

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday, September 17, 2002 19:35
To: Shorewall Users
Subject: Re: [Shorewall-users] Multiple computers on external side of
the network


Eric C. Herot wrote:
 > My setup is that I have a whole /24 subnet to myself (or my company
 > rather) and I want all of the internal machines to have the same
 > addresses inside as outside (i don''t like nat, it causes too many
 > headaches for things like MSN Instant Messenger file transfers, which
 > the CEO of our company is very fond of).
 >
 > I have two problems:
 >
 > Firstly, I''m trying to set up a VPN alongside (in parallel with?)
the
 > firewall, it too requires one interface on the inside and another on the
 > outside.  The problem is: If I activate the external interface on the
 > VPN while Shorewall is running, it tells me that I have an IP address
 > conflict with the external NIC of the firewall.  It''s not enough
just to
 > have the external network adaptor of the firewall enabled, I actually
 > have to have Shorewall running (which is why I have come here with this
 > problem).  If I look at the syslog, there are many many messages from
 > Shorewall indicating that it was trying to figure out what to do with
 > packets directed at the external address of the VPN (why would the
 > firewall be trying to deal with those packets at all?  How do I get the
 > firewall to not claim responsibility for certain IPs on its network?)
 >

Several things:

1. From the above description, I am unable to draw a diagram of your
network setup (I don''t understand where the VPN fits into the picture).

2. Shorewall deals with ALL packets going to/from/through the firewall. If
you want it to transparently pass certain traffic then you have to
configure Shorewall appropriately.

 > Secondly, (and perhaps fixing this would be a solution to the first as
 > well, but I don''t know) since my internal and external networks
use the
 > same IP addresses, I''ve had a few problems setting up the proper
 > netmask.  The way I''ve gotten it to work for now is to set the
netmask
 > on all internal machines to 255.255.255.128.  Obviously this means I can
 > only use half of my allocated addresses.  Is there any way that I can
 > have the same IP on both the internal and external interfaces of the
 > firewall without having to sacrifice half of my addresses?
 >

Does the upstream router route all traffic to your /24 to the external IP
of your firewall/router? Is the IP address of the upstream router in your
/24?

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net


_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://www.shorewall.net/mailman/listinfo/shorewall-users

Heupink, Mourik Jan C. wrote:
> Hello.
> 
> i was in a simular situation, and ended up doing the following:
> 
> i build a transparent bridging firewall myself. it''s a bit more
complicated
> than setting up shorewall, but it did the trick for me. It allows me to
keep
> the current network configuration *exactly* as it is now. (you have to
learn
> iptables, though...)
> 
Configured properly, Shorewall should work with the bridging/firewall code.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

Eric,

I have a network that is very similar to what you are trying to setup.

We have a full class c subnet (/24) and a Nortel 1500 vpn. 
One of our management requirements was that we had to maintain the same
public IP''s on all of our workstations and servers. 
With shorewall all I had to do was to implement proxyarp
(http://www.shorewall.net/Documentation.htm#ProxyArp)
and it worked.  

On the firewall, Our external nic (eth0) has a real ip, the internal nic
(eth1) has a private ip of 192.168.1.1 and our dmz nic (eth2) has a private
ip of 192.168.2.1 and it works. My proxyarp file has 254 IP''s in it and
you
setup in this file were this ip is (internal nic (eth1) or dmz nic (eth0). 
When you do a route command the route table knows exactly were to send the
packets. It''s like a bridged firewall\router.
And the nice thing about this is that we did not have to change anything on
our workstations\servers. 
They all have public IP''s, the subnet mask is 255.255.255.0 and the
gateway
is our router.

Example:

#ADDRESS		INTERFACE	EXTERNAL        HAVEROUTE
207.xxx.xxx.2		eth1		eth0		no
207.xxx.xxx.3		eth1		eth0		no
207.xxx.xxx.4		eth1		eth0		no
207.xxx.xxx.5  		eth1		eth0		no
207.xxx.xxx.6		eth2		eth0		no
207.xxx.xxx.7		eth0		eth0		no

As far as the vpn goes, our Nortel documentation recommends that the vpn
sits parallel with the firewall as you describe. I could not get this to
work in parallel with our shorewall box no matter what I did. So, we put our
Nortel vpn inside our firewall and setup some rules to allow esp and udp 500
and the vpn works like a charm. Here are the rules that i have for the vpn

ACCEPT      net             loc                esp
ACCEPT      net             loc                udp   500


Anyway''s I know shorewall will work for your setup and I hope this
helps.


Mike

-----Original Message-----
From: Eric C. Herot [mailto:eric@herot.com]
Sent: Tuesday, September 17, 2002 11:15 AM
To: shorewall-users@shorewall.net
Subject: [Shorewall-users] Multiple computers on external side of the
network


My setup is that I have a whole /24 subnet to myself (or my company rather) 
and I want all of the internal machines to have the same addresses inside 
as outside (i don''t like nat, it causes too many headaches for things
like
MSN Instant Messenger file transfers, which the CEO of our company is very 
fond of).

I have two problems:

Firstly, I''m trying to set up a VPN alongside (in parallel with?) the 
firewall, it too requires one interface on the inside and another on the 
outside.  The problem is: If I activate the external interface on the VPN 
while Shorewall is running, it tells me that I have an IP address conflict 
with the external NIC of the firewall.  It''s not enough just to have
the
external network adaptor of the firewall enabled, I actually have to have 
Shorewall running (which is why I have come here with this problem).  If I 
look at the syslog, there are many many messages from Shorewall indicating 
that it was trying to figure out what to do with packets directed at the 
external address of the VPN (why would the firewall be trying to deal with 
those packets at all?  How do I get the firewall to not claim 
responsibility for certain IPs on its network?)

Secondly, (and perhaps fixing this would be a solution to the first as 
well, but I don''t know) since my internal and external networks use the
same IP addresses, I''ve had a few problems setting up the proper 
netmask.  The way I''ve gotten it to work for now is to set the netmask
on
all internal machines to 255.255.255.128.  Obviously this means I can only 
use half of my allocated addresses.  Is there any way that I can have the 
same IP on both the internal and external interfaces of the firewall 
without having to sacrifice half of my addresses?

Thanks a bunch,
Eric

_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://www.shorewall.net/mailman/listinfo/shorewall-users

dear tom,

i didn''t know that... but doesn''t the whole bridging firewall
idea need
the kernel patch..? that''s what i assumed.

...? becoming quite confused here... 

if i search for bridge on the shorewall site, i get one hit saying:
<quote>
...  are insecure when used over the internet; use them at your own risk
GRE and IPIP tunneling with Shorewall requires iproute2 and can be used
to bridge two masqueraded networks. GRE tunnels were introduced in
shorewall version 1.2.0_Beta2. The simple scripts described in the Linux
Advanced Routing and ...
</quote>

but it specifically says: two masqueraded networks. that''s not what
i''m
talking about...

yours,
mourik jan

On Tue, 2002-09-17 at 21:29, Tom Eastep wrote:
> Heupink, Mourik Jan C. wrote:
> > Hello.
> > 
> > i was in a simular situation, and ended up doing the following:
> > 
> > i build a transparent bridging firewall myself. it''s a bit
more complicated
> > than setting up shorewall, but it did the trick for me. It allows me
to keep
> > the current network configuration *exactly* as it is now. (you have to
learn
> > iptables, though...)
> > 
> 
> Configured properly, Shorewall should work with the bridging/firewall code.
> 
> -Tom
> -- 
> Tom Eastep    \ Shorewall - iptables made easy
> AIM: tmeastep  \ http://www.shorewall.net
> ICQ: #60745924  \ teastep@shorewall.net

wait... replied too fast (once more...)

you mean that shorewall can be used to generate the iptables rules to be
used with the bridging firewall. right?

could you tell me how? (i''ve dunnit myself, for now, but it would be
interesting to know how this can be done with shorewall)


On Tue, 2002-09-17 at 22:17, mourik jan c heupink wrote:
> dear tom,
> 
> i didn''t know that... but doesn''t the whole bridging
firewall idea need
> the kernel patch..? that''s what i assumed.
> 
> ...? becoming quite confused here... 
> 
> if i search for bridge on the shorewall site, i get one hit saying:
> <quote>
> ...  are insecure when used over the internet; use them at your own risk
> GRE and IPIP tunneling with Shorewall requires iproute2 and can be used
> to bridge two masqueraded networks. GRE tunnels were introduced in
> shorewall version 1.2.0_Beta2. The simple scripts described in the Linux
> Advanced Routing and ...
> </quote>
> 
> but it specifically says: two masqueraded networks. that''s not
what i''m
> talking about...
> 
> yours,
> mourik jan
> 
> On Tue, 2002-09-17 at 21:29, Tom Eastep wrote:
> > Heupink, Mourik Jan C. wrote:
> > > Hello.
> > > 
> > > i was in a simular situation, and ended up doing the following:
> > > 
> > > i build a transparent bridging firewall myself. it''s a
bit more complicated
> > > than setting up shorewall, but it did the trick for me. It allows
me to keep
> > > the current network configuration *exactly* as it is now. (you
have to learn
> > > iptables, though...)
> > > 
> > 
> > Configured properly, Shorewall should work with the bridging/firewall
code.
> > 
> > -Tom
> > -- 
> > Tom Eastep    \ Shorewall - iptables made easy
> > AIM: tmeastep  \ http://www.shorewall.net
> > ICQ: #60745924  \ teastep@shorewall.net
> 
> 
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users

mourik jan c heupink wrote:
> wait... replied too fast (once more...)
> 
> you mean that shorewall can be used to generate the iptables rules to be
> used with the bridging firewall. right?
Thats correct.
> 
> could you tell me how? (i''ve dunnit myself, for now, but it would
be
> interesting to know how this can be done with shorewall)
> 
I haven''t tried it -- Jacques Nilo (Bering LEAF distribution) has done
it
though. It might be fastest if you sent me a copy of your rules and
I''ll
work backward from them to produce a Shorewall config (or the outline of 
one). I can then add some documentation to the web site.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net