Bradey Honsinger
2003-Jan-13 20:02 UTC
[Shorewall-users] Using private & public addresses together in the Shorewall's DMZ zone
To rephrase the question, "Can I use masquerading and proxy ARP in the same zone simultaneously?" It's not a stupid question--I couldn't see any reason why it wouldn't work, but I had to actually try it out to convince myself that it did (which isn't a bad thing to do before posting the question to the list, by the way). In any case, the answer is "yes"--you don't need to do anything special, just configure proxy ARP and masquerading independently.

I couldn't find anything on the web site that directly covered this, although I certainly could have missed it. I know one question does not a FAQ make, but adding this to the FAQ seems reasonable.

- Bradey

-----Original Message-----
From: Trifon Anguelov [mailto:clio_usa@yahoo.com]
Sent: Monday, January 13, 2003 5:07 PM
To: Shorewall Users
Subject: [Shorewall-users] Using private & public addresses together in the Shorewall's DMZ zone

I have one question: Can I use routable and non-routable IP addresses together in the DMZ zone? I read both the three-interfaces setup and the Configuration Guide, and each one explains how to do it either way. My problem is that I have to use the public IP address for my DNS server (cannot change that), and set up additional web servers which will do port-forwarding (DNAT) through the firewall's public IP address. I am sorry if my question sounds stupid, but I am very new to routing and networking. Thank you in advance for your thoughts.

Visit my Web Site: http://www.dbaclick.com
Tons of Oracle DBA's scripts, articles, manuals and documents
My profile: http://profiles.yahoo.com/clio_usa
Tom Eastep
2003-Jan-14 07:32 UTC
[Shorewall-users] Using private & public addresses together in the Shorewall's DMZ zone
--On Monday, January 13, 2003 08:01:47 PM -0800 Bradey Honsinger <BradeyH@construx.com> wrote:

> To rephrase the question, "Can I use masquerading and proxy ARP in the
> same zone simultaneously?" It's not a stupid question--I couldn't see any
> reason why it wouldn't work, but I had to actually try it out to convince
> myself that it did (which isn't a bad thing to do before posting the
> question to the list, by the way). In any case, the answer is "yes"--you
> don't need to do anything special, just configure proxy ARP and
> masquerading independently.

Provided that the Proxy ARP boxes and the masquerading boxes don't have to talk to one another.

> I couldn't find anything on the web site that directly covered this,
> although I certainly could have missed it. I know one question does not a
> FAQ make, but adding this to the FAQ seems reasonable.

Splendid!! You're volunteering then to take over maintenance of the FAQ? :-)

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA    \ teastep@shorewall.net
Bradey Honsinger
2003-Jan-14 14:29 UTC
[Shorewall-users] Using private & public addresses together in the Shorewall's DMZ zone
--On Tuesday, January 14, 2003 7:32 AM Tom Eastep wrote:

> > To rephrase the question, "Can I use masquerading and proxy ARP in
> > the same zone simultaneously?"
> > <snip>
> > In any case, the answer is "yes"--you don't need to do anything
> > special, just configure proxy ARP and masquerading independently.
>
> Provided that the Proxy ARP boxes and the masquerading boxes don't
> have to talk to one another.

Ah--I didn't think of that. I took a look at FAQ 2 and tried a few things, and it looks like adding "multi" to the DMZ interface does the trick, as long as you also have an appropriate "dmz dmz ACCEPT" policy or rule.

> > I couldn't find anything on the web site that directly covered
> > this, although I certainly could have missed it. I know one
> > question does not a FAQ make, but adding this to the FAQ seems
> > reasonable.
>
> Splendid!! You're volunteering then to take over maintenance of the
> FAQ? :-)

Well, I don't know about taking over, but I am willing to put my patches where my mouth is :) I'll grab the latest version of the FAQ from CVS and send you a patch for approval.

- Bradey
Tom Eastep
2003-Jan-14 14:44 UTC
[Shorewall-users] Using private & public addresses together in the Shorewall's DMZ zone
--On Tuesday, January 14, 2003 02:28:50 PM -0800 Bradey Honsinger <BradeyH@construx.com> wrote:

> --On Tuesday, January 14, 2003 7:32 AM Tom Eastep wrote:
>>
>> Provided that the Proxy ARP boxes and the masquerading boxes don't
>> have to talk to one another.
>
> Ah--I didn't think of that. I took a look at FAQ 2 and tried a few
> things, and it looks like adding "multi" to the DMZ interface does the
> trick, as long as you also have an appropriate "dmz dmz ACCEPT"
> policy or rule.

What version of Shorewall are you running, Bradey? I thought that I had eliminated the need for 'multi' where you have a "dmz dmz ACCEPT" policy in one of the later releases.

[root@gateway root]# cd /etc/shorewall
[root@gateway shorewall]# grep loc.\*loc policy
loc     loc     ACCEPT
[root@gateway shorewall]# grep eth2 interfaces
loc     eth2    192.168.1.255   dhcp,filterping,maclist
[root@gateway shorewall]# shorewall show eth2_fwd
Shorewall-1.3.13 Chain eth2_fwd at gateway.shorewall.net - Tue Jan 14 14:40:30 PST 2003

Counters reset Tue Jan 14 07:17:39 PST 2003

Chain eth2_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
 136K   26M dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
41879 5161K eth2_mac   all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
 8336 3896K me2all     all  --  *      eth0    192.168.1.3          0.0.0.0/0
38630 4998K me2all     all  --  *      eth3    192.168.1.3          0.0.0.0/0
58714   16M me2all     all  --  *      eth1    192.168.1.3          0.0.0.0/0
    0     0 me2all     all  --  *      ppp+    192.168.1.3          0.0.0.0/0
    0     0 me2all     all  --  *      texas   192.168.1.3          192.168.8.0/22
13480  582K loc2net    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
15573  595K loc2net    all  --  *      eth3    0.0.0.0/0            0.0.0.0/0
 1437 95495 loc2dmz    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 loc2loc    all  --  *      eth2    0.0.0.0/0            0.0.0.0/0

----

So Shorewall is setting up eth2 -> eth2 through loc2loc without 'multi'.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA    \ teastep@shorewall.net
Bradey Honsinger
2003-Jan-14 15:18 UTC
[Shorewall-users] Using private & public addresses together in the Shorewall's DMZ zone
--On Tuesday, January 14, 2003 2:44 PM Tom Eastep wrote:

> > Ah--I didn't think of that. I took a look at FAQ 2 and tried a few
> > things, and it looks like adding "multi" to the DMZ interface does
> > the trick, as long as you also have an appropriate "dmz dmz
> > ACCEPT" policy or rule.
>
> What version of Shorewall are you running, Bradey? I thought that I
> had eliminated the need for 'multi' where you have a "dmz dmz
> ACCEPT" policy in one of the later releases.

I'm still running 1.3.2 (I know, I should upgrade--I just haven't gotten around to it yet, since I don't need any of the new features), and I don't have a canonical "dmz dmz ACCEPT" policy. I actually tested it on my loc zone, which just has a "loc all ACCEPT" policy.

I looked into it a little more, and it looks like in 1.3.9+ you just need to create the canonical chain via a canonical policy (i.e., "dmz dmz ACCEPT") or an intra-zone rule (i.e., "ACCEPT dmz dmz tcp ssh")[1]. A canonical ACCEPT policy seems preferable--after all, when a zone is a single subnet, boxes on it can communicate between themselves without interference from Shorewall. As always, however, the choice is properly left up to the end user.

I'm still working on a FAQ for this--there's more there than I thought!

- Bradey

----
[1] See the v1.3.9 changelog in CVS and the section on canonical chains in <http://www.shorewall.net/shorewall_firewall_structure.htm>.
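For readers who want to see the whole thing in one place, here is a worked configuration of the setup this thread arrives at: a DMZ holding one proxy-ARP host with a public address and a private subnet that is masqueraded on the way out and reached by DNAT on the way in, with the intra-zone ACCEPT policy that lets the two halves talk through the firewall. This is an added illustration, not text from the list posts or files shipped with Shorewall. It assumes Shorewall 1.3.9 or later, eth0 as the Internet interface, eth1 as the DMZ interface, eth2 as the local LAN, 203.0.113.10 as the DNS server's public address, and 192.168.2.0/24 (web server 192.168.2.10) as the private DMZ subnet; every address and interface name is made up for the example, and the column order of each file follows the 1.3-series file headers as recalled here, so check them against the comment block at the top of the corresponding file in the version you run (later Shorewall releases changed several of these formats).

```text
# /etc/shorewall/zones        (ZONE  DISPLAY  COMMENTS)   -- example only
net     Net     Internet
dmz     DMZ     DMZ with both public (proxy ARP) and private (masq) hosts
loc     Local   Local network

# /etc/shorewall/interfaces   (ZONE  INTERFACE  BROADCAST  OPTIONS)
# No "multi" option on eth1: from 1.3.9 on, the dmz->dmz canonical chain created
# by the policy below is what lets eth1 -> eth1 traffic be forwarded.
net     eth0    detect          norfc1918
dmz     eth1    detect
loc     eth2    detect

# /etc/shorewall/proxyarp     (ADDRESS  INTERFACE  EXTERNAL  HAVEROUTE)
# The DNS server keeps its public address on eth1; the firewall answers ARP
# for it on eth0 and adds the host route itself (HAVEROUTE = No).
203.0.113.10    eth1    eth0    No

# /etc/shorewall/masq         (INTERFACE  SUBNET  ADDRESS)
# Only the private half of the DMZ is masqueraded when it leaves via eth0;
# the proxy-ARP host is deliberately not listed here, so it keeps its own
# source address.
eth0    192.168.2.0/24

# /etc/shorewall/policy       (SOURCE  DEST  POLICY  LOG LEVEL)
# "dmz dmz ACCEPT" is the piece Tom's caveat is about: without it (or an
# explicit dmz->dmz rule) the proxy-ARP box and the masqueraded boxes, which
# sit on different subnets behind the same interface, cannot reach each other.
loc     net     ACCEPT
loc     dmz     ACCEPT
dmz     dmz     ACCEPT
dmz     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules  (ACTION  SOURCE  DEST  PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST)
# Public DNS server: reached directly at its own routable address, no NAT.
ACCEPT  net     dmz:203.0.113.10    udp     53
ACCEPT  net     dmz:203.0.113.10    tcp     53
# Private web server: port-forwarded through the firewall's public address on eth0.
DNAT    net     dmz:192.168.2.10    tcp     80
DNAT    net     dmz:192.168.2.10    tcp     443
```

The private DMZ hosts need the firewall's eth1 address on 192.168.2.0/24 as their default gateway, since their traffic must pass through the firewall to be masqueraded or to reach the proxy-ARP host. After `shorewall restart`, the same check Tom uses above applies: `shorewall show eth1_fwd` should list a `dmz2dmz` target for packets going back out eth1, which is the canonical chain the "dmz dmz ACCEPT" policy creates; if that line is missing, the two halves of the DMZ will not be able to talk, which is exactly the symptom this thread describes. Keep the masq entry restricted to the private subnet rather than the whole interface, or the proxy-ARP host's traffic will be rewritten to the firewall's address as well.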
Tom Eastep
2003-Jan-14 15:22 UTC
[Shorewall-users] Using private & public addresses together in the Shorewall's DMZ zone
--On Tuesday, January 14, 2003 03:17:49 PM -0800 Bradey Honsinger <BradeyH@construx.com> wrote:

> I'm still working on a FAQ for this--there's more there than I
> thought!

My initial impression was that it was about a "Mini-Howto" sized discussion :-)

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA    \ teastep@shorewall.net