I have used shorewall many years; maybe it seems simple to some, but I still feel I don't know all of its advanced features. That's what makes shorewall fun to set up new firewalls. One can get a basic setup running in minutes that is secure. It seems with the last few months I have to delve into the wireless world. I have a challenge to set up two wireless routers on an existing shorewall setup. I have been reading for days to make sure I am taking the right approach to securing networks with shorewall and wireless setups.

The wireless routers have been set up on the LAN side as access points, NOT ROUTERS. In the following I will refer to LAN as a zone, 10.13.173.0/24, as the area that needs protection. And the DMZ zone I have set up is just an added third NIC on another LAN for wireless access to the internet. The dmz is NOT a typical DMZ; it is a wireless LAN for anyone to access the internet. DMZ is 192.168.0.0/24.

Why two routers? The customer had already bought them. They want one for wireless to LAN and one for wireless to DMZ that gives open access to anyone for internet use (like an internet cafe shop). The only twist in the DMZ was to give some employees access to a printer on the LAN.

I have documented yesterday on a website for Tom or anyone that can help, so hopefully one does not have to spend much time on this. Both eth1 and 2 are masqueraded to net. eth1 is LAN, eth2 is dmz. What I am puzzled about is the best way to do this. I was thinking move the LAN wireless router to the DMZ eth2, so only allow access from the dmz to the LAN with MAC address. Also the Unix box has a different gateway than shorewall's LAN gateway, which I am thinking Static NAT would be required. Am I asking too much here? Because I have not used these features yet, I am puzzled on how to do this.

Please refer to the network @ http://lanlinecomputers.com/lincoln. You can adjust the frame to the left and zoom in on the network on the site. It also includes shorewall's config!

PS: computers at the bottom of the Visio diagram are part of the LAN and not so noted.

Thank you,
Mike
On Mon, 26 May 2003 10:49:59 -0700, Mike <landers@lanlinecomputers.com> wrote:

> I have documented yesterday on a website for Tom or anyone that can help,
> so hopefully one does not have to spend much time on this.
> Both eth1 and 2 are masqueraded to net. eth1 is LAN, eth2 is dmz.
> What I am puzzled about is the best way to do this. I was thinking move
> the LAN wireless router to the DMZ eth2.
> So only allow access from the dmz to the LAN with MAC address. Also the
> Unix box has a different gateway than
> shorewall's LAN gateway. Which I am thinking Static NAT would be required.
> Am I asking too much here because I have not used these features yet so I
> am puzzled on how to do
> this.

Mike -- I'm very unclear about what your question is (questions are).

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
1. Is masq and rules set up right for two interfaces to access the internet through SquidGuard? (Not sure if that's the way you would do it.)

2. I think I have the DMZ configured right; all it does is allow internet access to anonymous wireless (no LAN access).

3. The owner's wireless access point (which needs LAN access) is hooked to the LAN on 10.13.173.46. I was thinking I need to move that access point to eth2 so shorewall can filter the packets through the 192.168.0.0/24. Otherwise anyone with a wireless could access the LAN.

4. If I move it to eth2, the unixbox gateway is set unknown. So I remember you saying SNAT would work.

5. I guess I am looking for approval as well, and was not sure if it's a lot to ask?

Thanks,
Mike

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mike" <landers@lanlinecomputers.com>; "Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Monday, May 26, 2003 8:10 PM
Subject: Re: [Shorewall-users] Wireless Setup

> Mike -- I'm very unclear about what your question is (questions are).
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> Shoreline, \ http://www.shorewall.net
> Washington USA \ teastep@shorewall.net
On Mon, 26 May 2003 22:30:55 -0700, Mike <landers@lanlinecomputers.com> wrote:

> 1. Is masq and rules set up right for two interfaces to access the
> internet through SquidGuard? (Not sure if that's the way you would do it.)
>
> 2. I think I have the DMZ configured right; all it does is allow internet
> access to anonymous wireless (no LAN access).
>
> 3. The owner's wireless access point (which needs LAN access) is hooked
> to the LAN on 10.13.173.46. I was thinking I need to move that access
> point to eth2
> so shorewall can filter the packets through the 192.168.0.0/24.
> Otherwise anyone with a wireless could access the LAN.
>
> 4. If I move it to eth2, the unixbox gateway is set unknown. So I remember
> you saying SNAT would work.
>
> 5. I guess I am looking for approval as well, and was not sure if it's a
> lot to ask?

It is....

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
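As an added illustration (not from the thread, and not Shorewall's own documentation), this is one way to express the layout Mike describes in the classic three-zone Shorewall configuration of that era: the LAN on eth1 (10.13.173.0/24), the open wireless segment on eth2 (192.168.0.0/24), both masqueraded to the net and redirected through a local Squid/SquidGuard proxy, the open segment denied any LAN access except for named employee devices reaching the printer. The net interface eth0, proxy port 3128, printer address 10.13.173.20 and the MAC addresses are assumed placeholders, and the column layouts of zones, interfaces and masq changed in later Shorewall releases.

```shorewall
# /etc/shorewall/zones  (classic three-column layout)
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Office LAN, 10.13.173.0/24 on eth1
dmz     DMZ       Open wireless, 192.168.0.0/24 on eth2

# /etc/shorewall/interfaces  (eth0 as the net interface is an assumption)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter,tcpflags
loc     eth1        detect
dmz     eth2        detect      routefilter

# /etc/shorewall/policy  (first matching line wins, so order matters)
# The open wireless segment never reaches the LAN or the firewall by default;
# anything it is allowed to do is spelled out as an exception in rules.
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
loc       fw     ACCEPT
dmz       net    ACCEPT
dmz       loc    DROP     info
dmz       fw     DROP     info
fw        all    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/masq  (both inside networks hide behind eth0's address)
#INTERFACE   SUBNET
eth0         10.13.173.0/24
eth0         192.168.0.0/24

# /etc/shorewall/rules  (exceptions, evaluated before the policies above)
#ACTION    SOURCE                    DEST               PROTO   DEST PORT(S)
# Web traffic from both segments goes through Squid/SquidGuard on the firewall
REDIRECT   loc                       3128               tcp     80
REDIRECT   dmz                       3128               tcp     80
# Open wireless clients need name resolution from the firewall (assumed setup)
ACCEPT     dmz                       fw                 udp     53
ACCEPT     dmz                       fw                 tcp     53
# Employee laptops on the open wireless reach the LAN printer and nothing else.
# MAC matching only identifies a card, it does not authenticate a user, so the
# destination is pinned to one host and the print ports (raw, IPP, LPD).
# Placeholder MACs; printer address assumed 10.13.173.20.
ACCEPT     dmz:~00-11-22-33-44-55    loc:10.13.173.20   tcp     9100,631,515
ACCEPT     dmz:~00-11-22-33-44-66    loc:10.13.173.20   tcp     9100,631,515
```

With this layout the owner's access point can hang off eth2 alongside the public one, and the `dmz loc DROP info` policy logs any other attempt from the wireless side to reach 10.13.173.0/24, which is the check to watch while the change is bedded in.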