William Trenker
2003-Aug-12 12:40 UTC
[Shorewall-users] Can I use my firewall computer as a hub?
I have an old 486 that is running Shorewall to provide internet in my home. I'm on a tight budget so I'm trying to use every scrap of hardware I already have. I put 3 existing NICs into my 486, one (eth0) goes to the Internet, the 2nd (eth1) goes to my Linux workstation, and the 3rd (eth2) goes to my family's Windows workstation. Shorewall is configured very simply, mostly to MASQ the 2 workstations out to the Internet, and that is working very well. I also have DHCP running on the 486 to provide IPs to the workstations.

But there is one catch. Each workstation is on a separate subnet. Eth1 is 192.168.1.x and eth2 is 192.168.2.x which isn't really my preference. If I had the money for a hub I would have put the 2 workstations on the same subnet so they could talk to each other.

So, I'm wondering if there is some way to use Shorewall to make eth1 and eth2 on the 486 work off the same subnet and make the 486 look like a hub to the 2 workstations?

Thanks for any suggestions.
Bill

-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
Axel@congos.net
2003-Aug-12 12:52 UTC
[Shorewall-users] Can I use my firewall computer as a hub?
Hi there,

I honestly don't see the need to define the fw this way. It will be easier to handle the two subnets (each has just one workstation so no headache). You simply define 3 zones loc1, loc2, net, add your interfaces accordingly and define some basic policies like

loc1 loc2 accept
loc2 loc1 accept
all all drop

and in rules you define which protocols the loc1/2 nets can use to the outside. This isn't much different from the two interface setup Tom is giving on his website. You then set masq for loc1 and loc2 through eth0 and it will work. There should be no routing issues etc.

Axel

-----Original Message-----
From: William Trenker [mailto:wdtrenker@yahoo.ca]
Sent: Tuesday, 12 August 2003 14:35
To: shorewall-users@lists.shorewall.net
Subject: [Shorewall-users] Can I use my firewall computer as a hub?

I have an old 486 that is running Shorewall to provide internet in my home. I'm on a tight budget so I'm trying to use every scrap of hardware I already have. I put 3 existing NICs into my 486, one (eth0) goes to the Internet, the 2nd (eth1) goes to my Linux workstation, and the 3rd (eth2) goes to my family's Windows workstation. Shorewall is configured very simply, mostly to MASQ the 2 workstations out to the Internet, and that is working very well. I also have DHCP running on the 486 to provide IPs to the workstations.

But there is one catch. Each workstation is on a separate subnet. Eth1 is 192.168.1.x and eth2 is 192.168.2.x which isn't really my preference. If I had the money for a hub I would have put the 2 workstations on the same subnet so they could talk to each other.

So, I'm wondering if there is some way to use Shorewall to make eth1 and eth2 on the 486 work off the same subnet and make the 486 look like a hub to the 2 workstations?

Thanks for any suggestions.
Bill

-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
Tom Eastep
2003-Aug-12 12:53 UTC
[Shorewall-users] Can I use my firewall computer as a hub?
On Tue, 2003-08-12 at 05:35, William Trenker wrote:
> I have an old 486 that is running Shorewall to provide internet in my home.
> I'm on a tight budget so I'm trying to use every scrap of hardware I already
> have. I put 3 existing NICs into my 486, one (eth0) goes to the Internet,
> the 2nd (eth1) goes to my Linux workstation, and the 3rd (eth2) goes to my
> family's Windows workstation. Shorewall is configured very simply, mostly
> to MASQ the 2 workstations out to the Internet, and that is working very
> well. I also have DHCP running on the 486 to provide IPs to the workstations.
>
> But there is one catch. Each workstation is on a separate subnet.
> Eth1 is 192.168.1.x and eth2 is 192.168.2.x which isn't really my
> preference. If I had the money for a hub I would have put the 2
> workstations on the same subnet so they could talk to each other.
>
> So, I'm wondering if there is some way to use Shorewall to make eth1 and
> eth2 on the 486 work off the same subnet and make the 486 look like a hub
> to the 2 workstations?

No -- A Shorewall-based firewall is a layer 3 router which won't route broadcast packets; to be able to make your firewall act like a HUB (a switch actually), you would have to bridge eth1 and eth2 which then wouldn't work with Shorewall.

You could use proxy ARP to put the two systems on the same subnet but that wouldn't buy you anything.

What problems are you having getting the two systems to communicate? If you configure Samba as a WINS server and configure the Windoze box to use that server, there should be no function lost from what you would have with a switch.

-Tom
-- 
Tom Eastep     \ Shorewall - iptables made easy
Shoreline,      \ http://shorewall.net
Washington USA   \ teastep@shorewall.net
You can define the rule to allow them to talk to each other.

E.g. you define the zones as loc1 for eth1 and loc2 for eth2

then you can have the following in 'policy' file

loc1 loc2 ACCEPT
loc2 loc1 ACCEPT

I hope that helps.

M Lu.

----- Original Message -----
From: "William Trenker" <wdtrenker@yahoo.ca>
To: <shorewall-users@lists.shorewall.net>
Sent: Tuesday, August 12, 2003 5:35 AM
Subject: [Shorewall-users] Can I use my firewall computer as a hub?

> I have an old 486 that is running Shorewall to provide internet in my
> home. I'm on a tight budget so I'm trying to use every scrap of hardware
> I already have. I put 3 existing NICs into my 486, one (eth0) goes to
> the Internet, the 2nd (eth1) goes to my Linux workstation, and the 3rd
> (eth2) goes to my family's Windows workstation. Shorewall is configured
> very simply, mostly to MASQ the 2 workstations out to the Internet, and
> that is working very well. I also have DHCP running on the 486 to
> provide IPs to the workstations.
>
> But there is one catch. Each workstation is on a separate subnet. Eth1
> is 192.168.1.x and eth2 is 192.168.2.x which isn't really my preference.
> If I had the money for a hub I would have put the 2 workstations on the
> same subnet so they could talk to each other.
>
> So, I'm wondering if there is some way to use Shorewall to make eth1 and
> eth2 on the 486 work off the same subnet and make the 486 look like a hub
> to the 2 workstations?
>
> Thanks for any suggestions.
> Bill
>
> --
> Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
Tom Eastep
2003-Aug-12 13:08 UTC
[Shorewall-users] Can I use my firewall computer as a hub?
On Tue, 2003-08-12 at 13:04, M Lu wrote:
> You can define the rule to allow them to talk to each other.
>
> E.g. you define the zones as loc1 for eth1 and loc2 for eth2
>
> then you can have the following in 'policy' file
>
> loc1 loc2 ACCEPT
> loc2 loc1 ACCEPT

Or simply associate both interfaces with a single 'loc' zone; using recent versions of Shorewall, you don't have to do anything more for them to be able to communicate.

-Tom
-- 
Tom Eastep     \ Shorewall - iptables made easy
Shoreline,      \ http://shorewall.net
Washington USA   \ teastep@shorewall.net
Steven Jan Springl
2003-Aug-12 13:47 UTC
[Shorewall-users] Can I use my firewall computer as a hub?
On Tuesday 12 August 2003 20:53, Tom Eastep wrote:
> On Tue, 2003-08-12 at 05:35, William Trenker wrote:
> > I have an old 486 that is running Shorewall to provide internet in my
> > home. I'm on a tight budget so I'm trying to use every scrap of hardware
> > I already have. I put 3 existing NICs into my 486, one (eth0) goes to
> > the Internet, the 2nd (eth1) goes to my Linux workstation, and the 3rd
> > (eth2) goes to my family's Windows workstation. Shorewall is configured
> > very simply, mostly to MASQ the 2 workstations out to the Internet, and
> > that is working very well. I also have DHCP running on the 486 to
> > provide IPs to the workstations.
> >
> > But there is one catch. Each workstation is on a separate subnet.
> > Eth1 is 192.168.1.x and eth2 is 192.168.2.x which isn't really my
> > preference. If I had the money for a hub I would have put the 2
> > workstations on the same subnet so they could talk to each other.
> >
> > So, I'm wondering if there is some way to use Shorewall to make eth1 and
> > eth2 on the 486 work off the same subnet and make the 486 look like a hub
> > to the 2 workstations?
>
> No -- A Shorewall-based firewall is a layer 3 router which won't route
> broadcast packets; to be able to make your firewall act like a HUB (a
> switch actually), you would have to bridge eth1 and eth2 which then
> wouldn't work with Shorewall.
>
> You could use proxy ARP to put the two systems on the same subnet but
> that wouldn't buy you anything.
>
> What problems are you having getting the two systems to communicate? If
> you configure Samba as a WINS server and configure the Windoze box to
> use that server, there should be no function lost from what you would
> have with a switch.
>
> -Tom

You can bridge eth1 and eth2 provided you do not want any packet filtering between them (which you wouldn't if it's acting like a hub). You could call the bridge eth3, give it an ip address which would be the default gateway for his two workstations.

Shorewall could then be setup to do packet filtering between eth0 and eth3.

Steven
Tom Eastep
2003-Aug-12 13:52 UTC
[Shorewall-users] Can I use my firewall computer as a hub?
On Tue, 2003-08-12 at 13:49, Steven Jan Springl wrote:
>
> You can bridge eth1 and eth2 provided you do not want any packet filtering
> between them (which you wouldn't if it's acting like a hub). You could call
> the bridge eth3, give it an ip address which would be the default gateway for
> his two workstations. Shorewall could then be setup to do packet filtering
> between eth0 and eth3.

Thanks, Steven -- I wondered if that was possible.

-Tom
-- 
Tom Eastep     \ Shorewall - iptables made easy
Shoreline,      \ http://shorewall.net
Washington USA   \ teastep@shorewall.net
Steven Jan Springl
2003-Aug-12 14:26 UTC
[Shorewall-users] Can I use my firewall computer as a hub?
On Tuesday 12 August 2003 21:52, Tom Eastep wrote:
> On Tue, 2003-08-12 at 13:49, Steven Jan Springl wrote:
> > You can bridge eth1 and eth2 provided you do not want any packet
> > filtering between them (which you wouldn't if it's acting like a hub). You
> > could call the bridge eth3, give it an ip address which would be the
> > default gateway for his two workstations. Shorewall could then be setup
> > to do packet filtering between eth0 and eth3.
>
> Thanks, Steven -- I wondered if that was possible.
>
> -Tom

You're welcome Tom.

I should also have said that eth1 and eth2 should be given an ip address of 0.0.0.0.

I have been running my system at home with 3 bridged interfaces on a pristine 2.4.21 kernel for several weeks without any problems.

There are some very significant performance advantages when using a bridge. My bridge/firewall is a 200mhz pentium mmx.

If I connect 2 workstations back to back, I can get transfer rates between the 2 workstations of 10.1 MBytes per second.

If I connect the workstations to the firewall (without bridging) and setup Shorewall to ACCEPT everything between the 2 workstations, I get transfer rates of about 5Mbytes per second, with the firewall cpu running at 100%.

If I bridge the two workstations on the firewall, I get transfer rates of 10Mbytes per second, with the cpu running at 32%.

Steven
William Trenker
2003-Aug-12 15:10 UTC
[Shorewall-users] Can I use my firewall computer as a hub?
On Tue, 12 Aug 2003 21:49:29 +0100, Steven Jan Springl <shorewall@springl.fsnet.co.uk> wrote:
> You can bridge eth1 and eth2

This sounds encouraging and rather mysterious. Is this all done in Shorewall or are there other Linux settings I need to make? Can you point me to a FAQ or HOWTO that will teach me the commands / settings I need to create a bridge?

Thank you, and all others who have so kindly responded.
Bill

-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
David Kempe
2003-Aug-12 15:30 UTC
[Shorewall-users] Can I use my firewall computer as a hub?
so you would call it eth3 instead of br0?

dave

----- Original Message -----
From: "Steven Jan Springl" <shorewall@springl.fsnet.co.uk>
> You can bridge eth1 and eth2 provided you do not want any packet filtering
> between them (which you wouldn't if it's acting like a hub). You could call
> the bridge eth3, give it an ip address which would be the default gateway for
> his two workstations. Shorewall could then be setup to do packet filtering
> between eth0 and eth3.
Steven Jan Springl
2003-Aug-12 16:19 UTC
[Shorewall-users] Can I use my firewall computer as a hub?
Yes. That is how I set my firewall/bridge up. I called it that because I wasn't sure if Shorewall could handle an interface called br0. I intend to try it when time permits.

Steven

On Tuesday 12 August 2003 23:29, David Kempe wrote:
> so you would call it eth3 instead of br0?
>
> dave
>
> ----- Original Message -----
> From: "Steven Jan Springl" <shorewall@springl.fsnet.co.uk>
> > You can bridge eth1 and eth2 provided you do not want any packet filtering
> > between them (which you wouldn't if it's acting like a hub). You could call
> > the bridge eth3, give it an ip address which would be the default gateway for
> > his two workstations. Shorewall could then be setup to do packet filtering
> > between eth0 and eth3.
Tom Eastep
2003-Aug-12 16:35 UTC
[Shorewall-users] Can I use my firewall computer as a hub?
On Tue, 2003-08-12 at 16:22, Steven Jan Springl wrote:
> Yes. That is how I set my firewall/bridge up. I called it that because I
> wasn't sure if Shorewall could handle an interface called br0. I intend to
> try it when time permits.

The only problem Shorewall would have is that it would refuse to do MAC filtration on the interface.

-Tom
-- 
Tom Eastep     \ Shorewall - iptables made easy
Shoreline,      \ http://shorewall.net
Washington USA   \ teastep@shorewall.net
Dave Kempe
2003-Aug-12 17:13 UTC
[Shorewall-users] Can I use my firewall computer as a hub?
will that be different when 2.6 is stable and eb_tables work ok?

dave

On Wed, 2003-08-13 at 09:35, Tom Eastep wrote:
> The only problem Shorewall would have is that it would refuse to do MAC
> filtration on the interface.
Tom Eastep
2003-Aug-12 17:20 UTC
[Shorewall-users] Can I use my firewall computer as a hub?
On Tue, 13 Aug 2003, Dave Kempe wrote:
> will that be different when 2.6 is stable and eb_tables work ok?

This has nothing to do with ebtables. The firewall script has a case statement that only permits maclist entries on interfaces whose names begin with "eth" or "wlan". I've added "br[0-9]" in the current CVS version.

Shorewall will never support ebtables.

-Tom

Tom Eastep     \ Shorewall - iptables made easy
Shoreline,      \ http://shorewall.net
Washington USA   \ teastep@shorewall.net
Steve Herber
2003-Aug-12 17:54 UTC
[Shorewall-devel] Re: [Shorewall-users] Can I use my firewall computer as a hub?
Noticed that I have moved this question to the development list.

Now that ebtables is the bridging software of choice for the newer kernels I have been wondering if Shorewall could be extended to support bridges. It looks like you have some experience with bridges and might have some ideas. What I am interested in is the ability to use the great Shorewall configuration files to create filter rule sets for bridges.

I haven't spent too much time thinking about it but as a small first step I would propose a /etc/Shorewall/bridges file with these columns:

# interface 1   interface 2   bridge name   bridge options
eth0            eth1          br0

During Shorewall startup, the script could build the bridges. Are there any bridge options that need to be specified in this new configuration file?

Once a bridge interface was known to Shorewall how would the policy and rules tables get extended to support bridges?

Thanks,
-- 
Steve Herber                                  herber@thing.com   work: 206-221-7262
Security Engineer, UW Medicine, IT Services                      home: 425-454-2399

On Tue, 12 Aug 2003, Steven Jan Springl wrote:
> On Tuesday 12 August 2003 21:52, Tom Eastep wrote:
> > On Tue, 2003-08-12 at 13:49, Steven Jan Springl wrote:
> > > You can bridge eth1 and eth2 provided you do not want any packet
> > > filtering between them (which you wouldn't if it's acting like a hub). You
> > > could call the bridge eth3, give it an ip address which would be the
> > > default gateway for his two workstations. Shorewall could then be setup
> > > to do packet filtering between eth0 and eth3.
> >
> > Thanks, Steven -- I wondered if that was possible.
> >
> > -Tom
> You're welcome Tom.
> I should also have said that eth1 and eth2 should be given an ip address of
> 0.0.0.0.
> I have been running my system at home with 3 bridged interfaces on a pristine
> 2.4.21 kernel for several weeks without any problems.
>
> There are some very significant performance advantages when using a bridge.
> My bridge/firewall is a 200mhz pentium mmx.
> If I connect 2 workstations back to back, I can get transfer rates between the
> 2 workstations of 10.1 MBytes per second.
>
> If I connect the workstations to the firewall (without bridging) and setup
> Shorewall to ACCEPT everything between the 2 workstations, I get transfer
> rates of about 5Mbytes per second, with the firewall cpu running at 100%.
>
> If I bridge the two workstations on the firewall, I get transfer rates of
> 10Mbytes per second, with the cpu running at 32%.
>
> Steven
Tom Eastep
2003-Aug-12 18:21 UTC
[Shorewall-devel] Re: [Shorewall-users] Can I use my firewall computer as a hub?
On Tue, 12 Aug 2003, Steve Herber wrote:
> Noticed that I have moved this question to the development list.
>
> Now that ebtables is the bridging software of choice for the newer kernels
> I have been wondering if Shorewall could be extended to support bridges.
> It looks like you have some experience with bridges and might have some
> ideas. What I am interested in is the ability to use the great Shorewall
> configuration files to create filter rule sets for bridges.
>
> I haven't spent too much time thinking about it but as a small first step I
> would propose a /etc/Shorewall/bridges file with these columns:
>
> # interface 1   interface 2   bridge name   bridge options
> eth0            eth1          br0
>
> During Shorewall startup, the script could build the bridges.
> Are there any bridge options that need to be specified in this
> new configuration file?
>
> Once a bridge interface was known to Shorewall how would the policy and
> rules tables get extended to support bridges?

Steve,

I've said several times on several lists that I have no intention of adding any bridging facilities to Shorewall. If someone wants to build a "Shorebridge" product, I'm all for it. One of the precepts of Open Source Software is that talented people who have a need for a particular capability create that capability then share it with others. I have no need for a bridging firewall -- if someone else does, I would be happy if they steal everything usable from Shorewall that would speed up their development. But I am not going to create a bridging firewall product myself and I believe that the ebtables capability is so different from iptables that any attempt to hack up Shorewall to use ebtables for bridging and iptables for L3 firewalling would result in an unmaintainable mess. I'm not going to let that happen to Shorewall.

-Tom
-- 
Tom Eastep     \ Shorewall - iptables made easy
Shoreline,      \ http://shorewall.net
Washington USA   \ teastep@shorewall.net
maasj@dm.org
2003-Aug-12 20:03 UTC
[Shorewall-users] Can I use my firewall computer as a hub?
Hi Bill,

> This sounds encouraging and rather mysterious. Is this all done in
> Shorewall or are there other Linux settings I need to make? Can you
> point me to a FAQ or HOWTO that will teach me the commands / settings I
> need to create a bridge?

Since I just setup ethernet bridging for the first time the other day, the procedures are still fairly fresh in my mind. =)

You don't use Shorewall to setup Ethernet bridging (but you will need to reconfigure Shorewall once bridging is setup). First you need the "802.1d Ethernet Bridging" kernel option turned on (it's in the Networking Options section), or already compiled as a module (named "bridge"). You'll also need the ethernet bridge utilities installed (the Debian package is called "bridge-utils"). The command you'll need is `brctl'. Your distro might have some support for setting up ethernet bridge interfaces via the normal network device config (Debian does via its /etc/network/interfaces file, but I don't know about other distros).

Here are the basic commands you could use to set it up manually:

--- [BEGIN COMMANDS] ---
modprobe bridge
brctl addbr br0
brctl addif br0 eth1
brctl addif br0 eth2
ifconfig eth1 0.0.0.0 promisc up
ifconfig eth2 0.0.0.0 promisc up
ifconfig br0 10.0.0.1 netmask 255.255.255.0 broadcast 10.0.0.255
--- [END COMMANDS] ---

Notes: Those commands assume you want to bridge eth1 and eth2, and that those interfaces are not already up and configured (i.e. the commands could be run in a system startup script). You don't need the modprobe command if ethernet bridging is compiled directly into your kernel. On the last line use whatever IP address and broadcast address you want. Then assign IP addresses to your workstations from that same subnet.

After the ethernet bridging is configured, then reconfigure Shorewall as directed in the "two interface" quickstart guide, using "br0" as your 'loc' interface.

Here is the URL for the ethernet bridging code website. It's not a masterpiece: http://bridge.sf.net/

Someone please correct any of the above if I goofed. =)

Jason
Steven Jan Springl
2003-Aug-13 16:21 UTC
[Shorewall-users] Can I use my firewall computer as a hub?
On Tuesday 12 August 2003 16:01, William Trenker wrote:
> On Tue, 12 Aug 2003 21:49:29 +0100, Steven Jan Springl <shorewall@springl.fsnet.co.uk> wrote:
> > You can bridge eth1 and eth2
>
> This sounds encouraging and rather mysterious. Is this all done in
> Shorewall or are there other Linux settings I need to make? Can you point
> me to a FAQ or HOWTO that will teach me the commands / settings I need to
> create a bridge?
>
> Thank you, and all others who have so kindly responded.
> Bill

Bill;

These are the commands that I use to setup my bridge.

1 ifdown eth1
2 ifdown eth2
3 ifconfig eth1 0.0.0.0
4 ifconfig eth2 0.0.0.0
5 brctl addbr eth3
6 brctl addif eth3 eth1
7 brctl addif eth3 eth2
8 ifconfig eth3 192.168.0.254

Lines 1 & 2 take down the interfaces (if yours are not started you won't need these lines)
Lines 3 & 4 set the ip addresses for the interfaces to 0.0.0.0
Line 5 defines the bridge and gives it the name eth3
Lines 6 & 7 add the two interfaces to the bridge
Line 8 gives the bridge an ip address. This address should then be set as the default gateway in the 2 workstations.

The ip addresses for your workstations should be set to addresses in the same subnet as eth3.

In Shorewall you define eth0 as the wan and eth3 as your lan. eth1 & eth2 should not be defined in Shorewall.

Steven.
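The bridge setup that Jason and Steven spell out in their posts, as an added example that is not code from the thread or from the Shorewall project: a POSIX sh script that validates the interface names and addresses before running the brctl/ifconfig sequence, and prints the sequence instead of running it when DRY_RUN=1. The names br0, eth1, eth2 and the address 192.168.0.254/255.255.255.0 are assumptions taken from their posts; the script needs root and bridge-utils when run for real.

```shell
#!/bin/sh
# Added example (not from the thread): bridge two LAN NICs into one interface
# on a Shorewall box, the way Steven and Jason describe, with input checks and
# a dry-run mode. Interface names, addresses and the brctl/ifconfig tooling are
# assumptions taken from their posts; adjust them to your own hardware.

# Kernel interface names: no shell metacharacters, at most 15 characters.
valid_ifname() {
    case "$1" in
        ''|*[!a-zA-Z0-9_.-]*) return 1 ;;
    esac
    [ ${#1} -le 15 ]
}

# Dotted-quad check for the bridge address and netmask.
valid_ipv4() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# With DRY_RUN=1 the command is printed instead of executed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# bridge_lan BRIDGE ADDR NETMASK MEMBER_IF MEMBER_IF...
bridge_lan() {
    [ $# -ge 5 ] || { echo "usage: bridge_lan BRIDGE ADDR NETMASK IF IF..." >&2; return 2; }
    br=$1; addr=$2; mask=$3; shift 3
    valid_ifname "$br" || { echo "bad bridge name: $br" >&2; return 2; }
    valid_ipv4 "$addr" || { echo "bad address: $addr" >&2; return 2; }
    valid_ipv4 "$mask" || { echo "bad netmask: $mask" >&2; return 2; }
    for i in "$@"; do
        valid_ifname "$i" || { echo "bad interface name: $i" >&2; return 2; }
    done
    run modprobe bridge   # harmless if 802.1d bridging is built into the kernel
    run brctl addbr "$br"
    # Members carry no IP address of their own (0.0.0.0) and run promiscuous.
    # Nothing is filtered between them, so they are not listed in Shorewall.
    for i in "$@"; do
        run ifconfig "$i" 0.0.0.0 promisc up
        run brctl addif "$br" "$i"
    done
    # The bridge gets the LAN address: the workstations' default gateway and
    # the one 'loc' interface Shorewall is told about.
    run ifconfig "$br" "$addr" netmask "$mask" up
}

# Preview the exact command sequence without touching the system:
#   DRY_RUN=1 sh bridge.sh
if [ "${DRY_RUN:-0}" = 1 ]; then
    bridge_lan br0 192.168.0.254 255.255.255.0 eth1 eth2
fi
```

On current kernels brctl and ifconfig are superseded by `ip link add name br0 type bridge` and `ip link set eth1 master br0`; the checks and the dry-run wrapper carry over unchanged.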
Jason Maas
2003-Aug-13 17:33 UTC
[Shorewall-users] Can I use my firewall computer as a hub?
Steve,

I'm far from being an ethernet bridging expert, so I'm replying to you and copying the mailing list. (I recommend copying the list on any of your own replies to posts on the list).

On Tue, 12 Aug 2003, Steve Herber wrote:
> Thanks for the how-to. I have a question about the interaction between
> shorewall and the bridge interface. Many of the commercial firewall
> products now support a bridge mode and it is very convenient where you
> want to protect an existing network without having to make changes to the
> existing devices but still get a chance to apply the firewall rules to
> the traffic.
>
> I want to set up a typical shorewall two interface system where I
> bridge between the two interfaces. If I follow your directions I
> would end up with a single br0 device. How do the shorewall/iptables
> policies/rules/chains interact with a single device?

As far as I know Shorewall interacts with a bridge device mostly as it would with a single ethernet device.

> I did a google search for "ebtables linux" and found this article:
>
> http://users.pandora.be/bart.de.schuymer/ebtables/br_fw_ia/br_fw_ia.html
>
> Have you used ebtables yet?

No. Thanks for the link though, it looks interesting!

-Jason