Hello,

I am looking at/testing Shorewall and have gone through most if not all of the documentation. I believe I understand most of how to set up Shorewall with no problem. However, I am unclear if a particular feature is available.

I have a block of class C addresses, a full 254, i.e. 1.2.3.4/24.

I also have non-routable addresses on my private/internal network, i.e. 10.0.0.0, for my local hosts.

I am unclear in the documentation if I can use Shorewall to use all/most of the Class C addresses for outbound requests, similar to how a PIX firewall uses them in a 'Global' pool and PAT.

For example, is it possible to have my private hosts have their private IP addresses translated to a public IP address that is taken from a range of public IP addresses 'tracked' by Shorewall, and then Shorewall keeps track of the host's internal IP address for the return back? For example, an internal host makes a web request, 'finds' an available class C address, uses that, and then gets translated back to the internal host's IP address.

The problem I have is that if I have more than 254 hosts needing an Internet/routable address at the same time, is there a feature similar to Port Address Translation on a PIX firewall?

Is that part of the DNAT or maybe SNAT feature on Shorewall?

Or to do this would I need to get another block of Class C addresses from my ISP, and if I need to get another block of class C addresses, does Shorewall support more than one CIDR block on the same firewall?

Would I need to set up another switch and Shorewall firewall for each 1.2.3.4/24 block?

If it is in the documentation I have not yet found how to do it. If someone could point to the area of the documentation where it explains this it would be great.

Thanks for your time in advance.

terry
On Sun, 2003-08-03 at 23:41, Terry Funk wrote:

> Is that part of the DNAT or maybe SNAT feature on Shorewall?

You want section 5.2.4 in the documentation. Static NAT, which is different from SNAT.

-- 
http://www.shorewall.net
Shorewall, for all your firewall needs
Hi,

IIRC what is called PAT on a Cisco PIX is what is called Masquerading in the Linux world.

If I understand correctly, you want your 10.0.0.0/8 network to have access to the internet. In the easiest configuration, you'll only need one public IP address for this to work. Connection tracking in the Linux kernel will manage to make things work for almost every protocol. Complicated protocols like FTP will need additional kernel modules for this to work. This is something Shorewall usually cares about.

Now, if you have too many open connections because maybe thousands of clients have several connections open at the same time, you may need more public IPs for it to work. Looks like the latest snapshot release of Shorewall has support for this too. You can configure this in the file /etc/shorewall/masq like this:

    eth0 10.0.0.0/8 206.124.146.177-206.124.146.180

or

    eth0 eth1 206.124.146.177-206.124.146.180

HTH
Simon
Simon,

Thanks! That looks like it will work fine, I will try it. But what IF I get another block of class C addresses, i.e. another network? For example:

    class C block number 1: 1.2.3.4/24
    class C block number 2: 1.2.5.6/24

Is Shorewall capable of handling that?

Thanks in advance!

Terry
> Simon,
> Thanks! That looks like it will work fine, I will try it. But what IF
> I get another block of class C addresses, i.e. another network? For
> example:
> class C block number 1: 1.2.3.4/24
> class C block number 2: 1.2.5.6/24
>
> Is Shorewall capable of handling that?

Unfortunately I don't know. Tom should be back tomorrow, he's the one who knows it for sure.

But then, why would you want to do that? I don't see a real benefit. Usually when you have a class C net, you only use a few addresses for client connections and the other ones are dedicated for servers using static NAT, proxy ARP or whatever is appropriate.

Simon
Thanks again for your time.

Maybe I am not 'getting' something [which is very possible :) ]. But for example I know of a school district I worked at that had 15,000 desktops covering almost 90 campuses and numerous administration sites.

We used a Cisco PIX firewall. They had 4 class C IP address blocks. Since that gave them at most just over 1000 unique internet addresses, there was no way that NAT could handle that if half the high schools had labs that did some research, for example. So we had to put all class C's in the PIX global pool of addresses. Then we had to enable Port Address Translation to handle all the users that might go out on the internet at any given time; let's say only half of the 15000 machines did just that. At any given moment we had to make sure there were at least 7000 unique addresses available, in the form of 1.2.3.4:11223. Additionally, both IE and Netscape open up 5 or more ports when the browser runs and goes to a web site, if I remember correctly.

Granted that is an extreme example, but I need about 500 routable IP addresses and I am trying to determine if the Shorewall firewall could handle requests and NAT for say 300 unique users at any given time.

I hope that makes sense. Do I need to re-read the RFCs for NAT?

Thanks again for your time!

Terry
On Sun, 03 Aug 2003 09:41:16 -0600, Terry Funk <tfunk@esc19.net> wrote:

> I am unclear in the documentation if I can use Shorewall to use all/most
> of the Class C addresses, for outbound requests similar to how a PIX
> firewall uses them in a 'Global' pool and PAT.

In /etc/shorewall/masq:

    <external interface> <internal subnet 1>,<internal subnet 2>,... 1.2.3.1-1.2.3.254

> For example, is it possible to have my private hosts have their private
> IP addresses translated to a public IP address, that is taken from a
> range of public IP addresses 'tracked' by Shorewall and then Shorewall
> keeps track of the host's internal IP address for the return back.

Shorewall IS A SHELL SCRIPT -- it doesn't track anything! Netfilter will do however.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
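The tracking that Tom assigns to netfilter, and the "more than 254 hosts" question earlier in the thread, modelled as an added Python example (not Shorewall's or netfilter's code): a toy NAPT table fed by a masq ADDRESS range like 1.2.3.1-1.2.3.254, showing how 300 internal hosts share the pool as (address, port) pairs, how a reply is mapped back to the originating host, and why an inbound packet with no tracked connection is dropped. The allocation order, sample hosts and destination are constructed; netfilter's real port selection differs.

```python
"""Toy model of the NAPT (masquerading) table that netfilter's connection
tracking maintains behind a Shorewall /etc/shorewall/masq entry such as
    eth0 10.0.0.0/8 1.2.3.1-1.2.3.254
All addresses, ports and hosts below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Flow:
    """One internal TCP/UDP connection as seen before translation."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_pool(spec):
    """Expand the masq ADDRESS column ('a.b.c.d' or 'a.b.c.d-a.b.c.e')."""
    lo, _, hi = spec.partition("-")
    first, last = IPv4Address(lo.strip()), IPv4Address((hi or lo).strip())
    if last < first:
        raise ValueError(f"inverted range: {spec}")
    return [str(IPv4Address(n)) for n in range(int(first), int(last) + 1)]


class Masquerader:
    """Maps internal flows onto (public IP, public port) pairs and back."""

    def __init__(self, pool_spec, port_lo=1024, port_hi=65535):
        self.pool = parse_pool(pool_spec)
        self.ports = range(port_lo, port_hi + 1)
        self.out_map = {}   # Flow -> (pub_ip, pub_port)
        self.in_map = {}    # (pub_ip, pub_port) -> Flow
        self._cursor = 0

    def capacity(self):
        """Concurrent flows the pool can carry: addresses times ports."""
        return len(self.pool) * len(self.ports)

    def _pick_free(self):
        # Walk the pool address-first, then port, skipping pairs in use.
        # Netfilter only needs the pair to be unique per destination; global
        # uniqueness here is a conservative simplification.
        n = self.capacity()
        for _ in range(n):
            c, self._cursor = self._cursor, (self._cursor + 1) % n
            pair = (self.pool[c % len(self.pool)], self.ports[c // len(self.pool)])
            if pair not in self.in_map:
                return pair
        raise RuntimeError("NAT pool exhausted")

    def translate_out(self, flow):
        """Outbound packet: reuse the flow's mapping or allocate a new one."""
        if flow not in self.out_map:
            pair = self._pick_free()
            self.out_map[flow] = pair
            self.in_map[pair] = flow
        return self.out_map[flow]

    def translate_in(self, pub_ip, pub_port, remote_ip, remote_port):
        """Reply packet: the internal flow it belongs to, or None (dropped)."""
        flow = self.in_map.get((pub_ip, pub_port))
        if flow is None or (flow.dst_ip, flow.dst_port) != (remote_ip, remote_port):
            return None
        return flow


def demo_flows(count, dst_ip="203.0.113.80", dst_port=80):
    """Constructed sample: `count` internal hosts each opening one connection."""
    return [Flow(f"10.0.{i // 256}.{i % 256}", 40000, dst_ip, dst_port)
            for i in range(count)]


if __name__ == "__main__":
    nat = Masquerader("1.2.3.1-1.2.3.254")
    flows = demo_flows(300)           # more hosts than pool addresses
    pairs = [nat.translate_out(f) for f in flows]
    print("pool capacity:", nat.capacity())
    print("host 1 ->", pairs[0], " host 255 ->", pairs[254])
```

With 254 addresses the 255th host simply reuses the first address on the next port, which is the PAT behaviour asked about; a reply arriving for a pair that was never allocated has no flow and is dropped.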
Terry Funk wrote:

> We used a Cisco PIX firewall. They had 4 class C IP address blocks.
> Since that gave them at most just over 1000 unique internet addresses
> there was no way that NAT could handle that if half the high schools had
> labs that did some research for example. So we had to put all class C's
> in the PIX global pool of addresses. Then we had to enable Port Address
> Translation to handle all the users that might go out on the internet at
> any given time, let's say only half of the 15000 machines did just that.
> At any given moment we had to make sure there were at least 7000 unique
> addresses available, in the form of:
> 1.2.3.4:11223. Additionally, both IE and Netscape opens up 5 or more
> ports when the browser runs and goes to a web site, if I remember correctly.

I suggest installing a proxy/cache for the web traffic. Then from my experience it's possible to handle several hundred clients over a single public IP address. Of course it depends on the kind of traffic the clients generate.

Simon