Hi all,

I need some help, advice or whatever you can explain to me because I haven't got a clear idea about how to do the following assembly, and I'd be very grateful if I got some help from an expert like you.

I'm trying to build a system which represents the following:

I've got a hosts unit (host1, host 2, ...) which have IP in the network 192.168.1.0/24. All of them connect to a switch (SW1). On the other hand, I have 3 web servers (W1, W2, W3) which are connected to other switch (SW2).

What I need to do is to add a firewall, using shorewall, between the two switches to stop any access from the SW1 area towards the SW2 but for the web traffic, that is, to protect the three web servers. The main problem I have is that what I want is that when a host in SW1 area tries to get access to the web server in SW2, the web server needs to know the original requested IP, that is, the IP which has the host1 in the SW1 area.

This, from my point of view, puts aside the use of NAT because the address would be changed.

A way to solve the problem would be installing a Proxy in the FW, but I would also lose the original IP.

How should I configure the shorewall?

Any comments, anything to consider?

Regards and thanks to you all in advance.

Sergio
--On Thursday, March 06, 2003 12:56:19 PM +0100 snf <snf@apdo.com> wrote:

> Hi all,
>
> I need some help, advice or whatever you can explain to me because I
> haven't got a clear idea about how to do the following assembly, and I'd
> be very grateful if I got some help from an expert like you.
>
> I'm trying to build a system which represents the following:
>
> I've got a hosts unit (host1, host 2, ...) which have IP in the network
> 192.168.1.0/24. All of them connect to a switch (SW1). On the other hand,
> I have 3 web servers (W1, W2, W3) which are connected to other switch
> (SW2).
>
> What I need to do is to add a firewall, using shorewall, between the two
> switches to stop any access from the SW1 area towards the SW2 but for the
> web traffic, that is, to protect the three web servers. The main problem
> I have is that what I want is that when a host in SW1 area tries to get
> access to the web server in SW2, the web server needs to know the
> original requested IP, that is, the IP which has the host1 in the SW1
> area.
>
> This, from my point of view, puts aside the use of NAT because the address
> would be changed.
>
> A way to solve the problem would be installing a Proxy in the FW, but I
> would also lose the original IP.
>
> How should I configure the shorewall?
>
> Any comments, anything to consider?
>

Yes -- don't use Shorewall. What you want is a bridge/firewall whereas Shorewall implements a router/firewall. LEAF/Bering (http://leaf.sourceforge.net/devel/jnilo) can be configured as a bridge/firewall; you will have to add a few iptables commands to implement the simple firewall rules you are looking for.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
--On Thursday, March 06, 2003 06:49:27 AM -0800 Tom Eastep <teastep@shorewall.net> wrote:

>>
>> How should I configure the shorewall?
>>
>> Any comments, anything to consider?
>>
>
> Yes -- don't use Shorewall. What you want is a bridge/firewall whereas
> Shorewall implements a router/firewall. LEAF/Bering
> (http://leaf.sourceforge.net/devel/jnilo) can be configured as a
> bridge/firewall; you will have to add a few iptables commands to
> implement the simple firewall rules you are looking for.
>

The other alternative is to use Shorewall with Proxy ARP -- see http://www.shorewall.net/ProxyARP.htm; you might also find http://www.shorewall.net/shorewall_setup_guide.htm useful.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
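Both of Tom's answers come down to the same idea: forward the hosts' packets to the web servers without rewriting the source address, either over a transparent bridge (the LEAF/Bering route) or by routing with proxy ARP (the Shorewall route), and filter in the FORWARD chain so that only HTTP gets through. The script below is an added illustration of both data paths with one shared rule set; it is not code from this thread, from Shorewall or from LEAF/Bering. The interface names (eth0/eth1), the web-server addresses 192.168.1.10-12 and the bridge name br0 are constructed placeholders; the hosts' network 192.168.1.0/24 is the one from the question. By default it only prints the commands it would run, so it can be read and checked before being applied on the firewall with APPLY=yes.

```shell
#!/bin/sh
# Added illustration (not code from this thread, Shorewall or LEAF/Bering): a firewall
# between SW1 and SW2 that lets only web traffic through and never rewrites the
# hosts' source address, so the web servers see the real 192.168.1.x client.
#   MODE=bridge   - transparent bridge, as in the LEAF/Bering suggestion; iptables
#                  filters bridged frames through the physdev match (needs bridge-nf).
#   MODE=proxyarp - routed firewall that answers ARP for the web servers on the
#                  SW1 side, which is what Shorewall's Proxy ARP support sets up.
# Interface names and web-server addresses are constructed placeholders.
MODE=${MODE:-bridge}
LAN_IF=${LAN_IF:-eth0}                 # towards SW1 (hosts)
DMZ_IF=${DMZ_IF:-eth1}                 # towards SW2 (web servers)
LAN_NET=192.168.1.0/24                 # the hosts' network from the question
WEB_SERVERS=${WEB_SERVERS:-"192.168.1.10 192.168.1.11 192.168.1.12"}  # placeholders
APPLY=${APPLY:-no}                     # APPLY=yes executes; the default only prints

# Print or execute a command, depending on APPLY.
run() {
    if [ "$APPLY" = yes ]; then "$@"; else printf '%s\n' "$*"; fi
}

# iptables match for "from the SW1 side to the SW2 side" in the current mode.
lan_to_dmz() {
    if [ "$MODE" = bridge ]; then
        echo "-m physdev --physdev-in $LAN_IF --physdev-out $DMZ_IF"
    else
        echo "-i $LAN_IF -o $DMZ_IF"
    fi
}

# Bring up the data path: a bridge, or routing plus published ARP entries.
link_setup() {
    if [ "$MODE" = bridge ]; then
        run brctl addbr br0
        run brctl addif br0 "$LAN_IF"
        run brctl addif br0 "$DMZ_IF"
        run ip link set "$LAN_IF" up
        run ip link set "$DMZ_IF" up
        run ip link set br0 up
        # Hand bridged IP traffic to iptables (bridge-nf patch on 2.4, br_netfilter later).
        run sysctl -w net.bridge.bridge-nf-call-iptables=1
    else
        run sysctl -w net.ipv4.ip_forward=1
        # Let the firewall answer the servers' ARP queries for hosts behind SW1.
        run sysctl -w "net.ipv4.conf.$DMZ_IF.proxy_arp=1"
        for srv in $WEB_SERVERS; do
            # Host route to each server out the SW2 side ...
            run ip route add "$srv" dev "$DMZ_IF"
            # ... and a published ARP entry so SW1 hosts reach it through the firewall.
            run arp -i "$LAN_IF" -Ds "$srv" "$LAN_IF" pub
        done
    fi
}

# Filtering: default drop, allow replies, allow HTTP to each server, log the rest.
# Nothing touches the nat table, so the source address reaches the servers unchanged.
firewall_rules() {
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for srv in $WEB_SERVERS; do
        run iptables -A FORWARD $(lan_to_dmz) -s "$LAN_NET" -d "$srv" \
            -p tcp --dport 80 -j ACCEPT
    done
    # Anything else from the host side is logged before the policy drops it.
    run iptables -A FORWARD $(lan_to_dmz) -j LOG --log-prefix "SW1-to-SW2 DROP: "
}

link_setup
firewall_rules
```

Run as `MODE=proxyarp sh firewall.sh` to see the routed variant; in that mode the web servers keep their 192.168.1.x addresses but use the firewall as their default gateway, which is the same arrangement Shorewall's proxyarp file produces. In either mode the absence of any nat-table rule is what preserves the original client IP in the web servers' logs; the LOG rule makes blocked attempts from the SW1 side visible in the firewall's syslog.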