Joakim Schramm
2003-Nov-08 02:01 UTC
[Shorewall-users] Standalone server interface dilemma (newbie)
Hi,

Sorry if this has been answered before, but I have searched and not found anything relevant to my situation.

I have a standalone server, but it's connected to the internet directly with the one and only NIC (eth0), not through a modem, ADSL/cable etc., so there is no ppp0 or similar external interface. So I'm kind of confused, as it so to speak "falls between the scenarios" set up in the quick guides.

What I need help with is laying out the basic structure for zones and interfaces; once I have that, I guess I can figure out (read) how to set up rules and policies etc.

This is how the box looks: it has 1 NIC (eth0) with 3 aliases (eth0:0, eth0:1, eth0:2) and 4 public IPs, in sequence. Those IPs are not my own, but belong to my ISP, where my box is co-located. There are no "local" IPs except for 127.0.0.1, and I'm so to speak "in" my IPs' subnet, although fully standalone, and I also have my reverse lookup delegated to my DNS, also in the same box. The bit below should give a clue of how it's all set up.

root # netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask          Flags   MSS Window  irtt Iface
a.b.c.64        0.0.0.0         255.255.255.192  U         0 0          0 eth0
a.b.c.0         0.0.0.0         255.255.255.0    U         0 0          0 eth0
127.0.0.0       127.0.0.1       255.0.0.0        UG        0 0          0 lo
0.0.0.0         a.b.c.65        0.0.0.0          UG        0 0          0 eth0

root # ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:da:e0:65:8a brd ff:ff:ff:ff:ff:ff
    inet a.b.c.66/24 brd a.b.c.127 scope global eth0
    inet a.b.c.67/26 brd a.b.c.127 scope global eth0:0
    inet a.b.c.68/26 brd a.b.c.127 scope global secondary eth0:1
    inet a.b.c.69/26 brd a.b.c.127 scope global secondary eth0:2
root #

For sanity I replaced the first 3 subnet bits with a.b.c.

So my confusion is really that eth0 is both the internal and external interface to me, and I'm not sure how to deal with this.

It's probably very simple, but as I manage and set up this box remotely I don't want to take the chance of screwing something up :-), so some simple directions would be gratefully appreciated.

/Joakim
Tom Eastep
2003-Nov-08 06:22 UTC
[Shorewall-users] Standalone server interface dilemma (newbie)
On Sat, 8 Nov 2003, Joakim Schramm wrote:

> Hi,
>
> Sorry if this has been answered before, but I have searched and not found
> anything relevant to my situation.
>
> I have a standalone server, but it's connected to the internet directly with the
> one and only NIC (eth0), not through a modem, ADSL/cable etc., so there is no
> ppp0 or similar external interface. So I'm kind of confused, as it so to speak "falls
> between the scenarios" set up in the quick guides.

The "standalone" QuickStart Guide covers that case.

-Tom

Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep
2003-Nov-08 06:30 UTC
[Shorewall-users] Standalone server interface dilemma (newbie)
On Sat, 8 Nov 2003, Joakim Schramm wrote:

> It has 1 NIC (eth0) with 3 aliases (eth0:0, eth0:1, eth0:2) and 4 public
> IPs, in sequence. Those IPs are not my own, but belong to my ISP, where
> my box is co-located. There are no "local" IPs except for 127.0.0.1, and I'm
> so to speak "in" my IPs' subnet, although fully standalone, and I also have my
> reverse lookup delegated to my DNS, also in the same box. The bit below
> should give a clue of how it's all set up.

There is nothing there that isn't covered by the Standalone QuickStart Guide.

> 2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:50:da:e0:65:8a brd ff:ff:ff:ff:ff:ff
>     inet a.b.c.66/24 brd a.b.c.127 scope global eth0
>     inet a.b.c.67/26 brd a.b.c.127 scope global eth0:0
>     inet a.b.c.68/26 brd a.b.c.127 scope global secondary eth0:1
>     inet a.b.c.69/26 brd a.b.c.127 scope global secondary eth0:2
> root #
>
> For sanity I replaced the first 3 subnet bits with a.b.c.
>
> So my confusion is really that eth0 is both the internal and external interface
> to me, and I'm not sure how to deal with this. It's probably very simple, but as
> I manage and set up this box remotely I don't want to take the chance of screwing
> something up :-), so some simple directions would be gratefully appreciated.

For further information, please see
http://shorewall.net/Shorewall_and_Aliased_Interfaces.html.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Joakim Schramm
2003-Nov-08 07:08 UTC
Re: [Shorewall-users] Standalone server interface dilemma (newbie)
Ok, and thanks. I didn't think so at first, but after reading the "one-interface" guide another time (and more carefully :-) I figured it might work... I just have one question I'm still unsure about. The reason I discarded it at first was because it only talked about the "private" address spaces, which I don't use, and I thought fw only "spoke" to those. But if I understand your answer(s) right, my 4 public (and static) IP addresses have the same relationship to fw? So with a

"net eth0 detect tcpflags,blacklist,norfc1918,routefilter"

interface (not bothering with the aliases now) I can simply set up rules in the format of

"ACCEPT net $FW etc."

and that will direct to my static IPs, and I can also do things like

"ACCEPT net $FW:1.2.3.66 etc.",

is that correct? Then I'm all set.

/Joakim

> -----Original Message-----
> From: shorewall-users-bounces@lists.shorewall.net
> [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
> Sent: 8 November 2003 15:22
> To: Shorewall Users Mailing List
> Subject: Re: [Shorewall-users] Standalone server interface dilemma (newbie)
>
>
> On Sat, 8 Nov 2003, Joakim Schramm wrote:
>
> > Hi,
> >
> > Sorry if this has been answered before, but I have searched and not found
> > anything relevant to my situation.
> >
> > I have a standalone server, but it's connected to the internet directly
> > with the one and only NIC (eth0), not through a modem, ADSL/cable etc.,
> > so there is no ppp0 or similar external interface. So I'm kind of confused, as
> > it so to speak "falls between the scenarios" set up in the quick guides.
>
> The "standalone" QuickStart Guide covers that case.
>
> -Tom
Tom Eastep
2003-Nov-08 07:10 UTC
Re: [Shorewall-users] Standalone server interface dilemma (newbie)
On Sat, 8 Nov 2003, Joakim Schramm wrote:

> Ok, and thanks. I didn't think so at first, but after reading the
> "one-interface" guide another time (and more carefully :-) I figured it
> might work... I just have one question I'm still unsure about. The reason I
> discarded it at first was because it only talked about the "private" address
> spaces, which I don't use, and I thought fw only "spoke" to those. But if I
> understand your answer(s) right, my 4 public (and static) IP addresses have
> the same relationship to fw? So with a
> "net eth0 detect tcpflags,blacklist,norfc1918,routefilter"
> interface (not bothering with the aliases now) I can simply set up rules in
> the format of
> "ACCEPT net $FW etc." and that will direct to my static IPs, and I can also
> do things like
> "ACCEPT net $FW:1.2.3.66 etc.", is that correct? Then I'm all set.

You are correct.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
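As an added illustration of the configuration confirmed above (not from the original thread or the Shorewall project), the four column-based Shorewall files for this box: one net zone on the single NIC, with rules that narrow access to an individual alias address via $FW:address. The a.b.c.66-69 addresses are the placeholders used in the thread, and the services (SSH, HTTP, DNS on particular aliases) are assumed for illustration.

```conf
# /etc/shorewall/zones
# The firewall zone itself is not listed here; it is named by FW= in
# shorewall.conf (default "fw") and referenced as $FW in the other files.
#ZONE   DISPLAY   COMMENTS
net     Net       Internet, reached through the only NIC

# /etc/shorewall/interfaces
# Only the real device is listed. The aliases eth0:0, eth0:1 and eth0:2 never
# appear here: they are just extra addresses on eth0 and are matched by IP.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,blacklist,norfc1918,routefilter

# /etc/shorewall/policy
# Default-deny from the net, logged; the box may initiate connections outward.
#SOURCE   DEST   POLICY   LOG LEVEL
$FW       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules
# $FW alone matches every address on the box, i.e. all four public IPs.
# $FW:a.b.c.NN restricts a rule to one alias address (assumed services).
#ACTION   SOURCE   DEST           PROTO   DEST PORT(S)
# ssh reachable on any of the four addresses (the remote-management path)
ACCEPT    net      $FW            tcp     22
# web server bound only to the eth0:0 address
ACCEPT    net      $FW:a.b.c.67   tcp     80
# the DNS holding the reverse zone, bound only to the eth0:1 address
ACCEPT    net      $FW:a.b.c.68   tcp     53
ACCEPT    net      $FW:a.b.c.68   udp     53
# echo-request (ping) to any address
ACCEPT    net      $FW            icmp    8
```

Since the box is managed remotely, the rule to get right first is the one that keeps the administrator's own SSH session reachable; everything else falls to the logged DROP policy.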
Joakim Schramm
2003-Nov-08 07:28 UTC
Re: [Shorewall-users] Standalone server interface dilemma (newbie)
> For further information, please see
> http://shorewall.net/Shorewall_and_Aliased_Interfaces.html.

Ok, just another little question on this. Is the part

"#!/bin/sh
case $1 in
    eth0)
        /sbin/ip addr add 206.124.146.177 dev eth0 label eth0:0
        ;;
esac"

meant to replace the ifconfig setup of aliases currently done on boot, OR is it meant to complement it for compatibility with Shorewall? In other words, can I do this "on top" of my current ifconfig setup?

/Joakim

> -Tom
Tom Eastep
2003-Nov-08 07:34 UTC
Re: [Shorewall-users] Standalone server interface dilemma (newbie)
On Sat, 8 Nov 2003, Joakim Schramm wrote:

> > For further information, please see
> > http://shorewall.net/Shorewall_and_Aliased_Interfaces.html.
>
> Ok, just another little question on this. Is the part
>
> "#!/bin/sh
> case $1 in
>     eth0)
>         /sbin/ip addr add 206.124.146.177 dev eth0 label eth0:0
>         ;;
> esac"
>
> meant to replace the ifconfig setup of aliases currently done on boot, OR is
> it meant to complement it for compatibility with Shorewall? In other words, can I
> do this "on top" of my current ifconfig setup?

No -- if you already have alias addresses set up, you can ignore that part.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net