Shorewall users - Nov 2003 - Standalone server interface delemma (newbie)

Hi,

Sorry if this been answered before, but I have searched and not found
anything relevant to my situation.

I have a standalone server, but it''s connected to internet directly
with the
one and only nic (eth0), not through modem, adsl/cable etc. so there is no
ppp0 etc. external interface. So I''m kinda confused as it so to speak
"fall
between the scenarios" setup in the quick guides.

What I need help with is layout the basic structure for zones and
interfaces, once I got that I guess I can figure out (read) how to setup
rules and policies etc.

This is how the box looks like:

It have 1 nic (eth0) with 3 alias (eth0:0, eth0:1, eth0:2) with 4 public
ip''s, in a sequence. Those ip''s is not my own, but to belong
to my ISP where
my box is co-located. There is no "local" ip''s except for
127.0.0.1 and I''m
so to speak "in" my ip''s subnet, although fully standalone
and also have my
reverse lookup deligated to my dns also in the same box. The bit below
should give a clue of how it''s all setup.

root # netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt
Iface
a.b.c.64  0.0.0.0         255.255.255.192 U         0 0          0 eth0
a.b.c.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
127.0.0.0       127.0.0.1       255.0.0.0       UG        0 0          0 lo
0.0.0.0         a.b.c.65  0.0.0.0         UG        0 0          0 eth0
root # ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen
100
    link/ether 00:50:da:e0:65:8a brd ff:ff:ff:ff:ff:ff
    inet a.b.c.66/24 brd a.b.c.127 scope global eth0
    inet a.b.c.67/26 brd a.b.c.127 scope global eth0:0
    inet a.b.c.68/26 brd a.b.c.127 scope global secondary eth0:1
    inet a.b.c.69/26 brd a.b.c.127 scope global secondary eth0:2
root #

For sanity I replaced the first 3 subnet bits with a.b.c.

So my confusion is really that eth0 is both internal and external interface
to me, and not sure how to deal with this. It''s probably very simple,
but as
I manage and setup this remotely I don''t want to take chance screwing
something up :-) so some simple directions would be gratefully appreciated.

/Joakim

On Sat, 8 Nov 2003, Joakim Schramm wrote:
> Hi,
>
> Sorry if this been answered before, but I have searched and not found
> anything relevant to my situation.
>
> I have a standalone server, but it''s connected to internet
directly with the
> one and only nic (eth0), not through modem, adsl/cable etc. so there is no
> ppp0 etc. external interface. So I''m kinda confused as it so to
speak "fall
> between the scenarios" setup in the quick guides.
>
The "standalone" QuickStart Guide covers that case.

-Tom

Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

On Sat, 8 Nov 2003, Joakim Schramm wrote:
> It have 1 nic (eth0) with 3 alias (eth0:0, eth0:1, eth0:2) with 4 public
> ip''s, in a sequence. Those ip''s is not my own, but to
belong to my ISP where
> my box is co-located. There is no "local" ip''s except
for 127.0.0.1 and I''m
> so to speak "in" my ip''s subnet, although fully
standalone and also have my
> reverse lookup deligated to my dns also in the same box. The bit below
> should give a clue of how it''s all setup.
There is nothing there that isn''t covered by the Standalone QuickStart
Guide.
> 2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast
qlen 100
>     link/ether 00:50:da:e0:65:8a brd ff:ff:ff:ff:ff:ff
>     inet a.b.c.66/24 brd a.b.c.127 scope global eth0
>     inet a.b.c.67/26 brd a.b.c.127 scope global eth0:0
>     inet a.b.c.68/26 brd a.b.c.127 scope global secondary eth0:1
>     inet a.b.c.69/26 brd a.b.c.127 scope global secondary eth0:2
> root #
>
> For sanity I replaced the first 3 subnet bits with a.b.c.
>
> So my confusion is really that eth0 is both internal and external interface
> to me, and not sure how to deal with this. It''s probably very
simple, but as
> I manage and setup this remotely I don''t want to take chance
screwing
> something up :-) so some simple directions would be gratefully appreciated.
>
For further information, please
http://shorewall.net/Shorewall_and_Aliased_Interfaces.html.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Ok and thanks, I didn''t thought so first, but after reading the
"one-interface" guide an other time (and more carefully :-) I figured
it
might go... Just have one question still unsure about. The reason I
discarded it first was because it only talked about the "private"
address
spaces, of which I don''t use and thought fw only "spoke" to
those. But if I
understand your answer(s) right, my 4 public (and static) ip addresses have
the same relationship to fw? So with a
"net     eth0    detect  tcpflags,blacklist,norfc1918,routefilter "
interface (not bothering with the ailases now) I can simply setup rules in
the format of
"ACCEPT net $FW etc." and that will direct to my static ip''s
and I can also
do things like
"ACCEPT net $FW:1.2.3.66 etc.", is that correct? Then I''m all
set.

/Joakim
> -----Ursprungligt meddelande-----
> Fr?n: shorewall-users-bounces@lists.shorewall.net 
> [mailto:shorewall-users-bounces@lists.shorewall.net] F?r Tom Eastep
> Skickat: den 8 november 2003 15:22
> Till: Shorewall Users Mailing List
> ?mne: Re: [Shorewall-users] Standalone server interface 
> delemma (newbie)
> 
> 
> On Sat, 8 Nov 2003, Joakim Schramm wrote:
> 
> > Hi,
> >
> > Sorry if this been answered before, but I have searched and 
> not found 
> > anything relevant to my situation.
> >
> > I have a standalone server, but it''s connected to internet
directly
> > with the one and only nic (eth0), not through modem, 
> adsl/cable etc. 
> > so there is no ppp0 etc. external interface. So I''m kinda 
> confused as 
> > it so to speak "fall between the scenarios" setup in the 
> quick guides.
> >
> 
> The "standalone" QuickStart Guide covers that case.
> 
> -Tom
> 
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> 
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: 
> https://lists.shorewall.net/mailman/listinfo/s> horewall-users
> 
> Support: http://www.shorewall.net/support.htm
> 
> FAQ: http://www.shorewall.net/FAQ.htm
>

On Sat, 8 Nov 2003, Joakim Schramm wrote:
> Ok and thanks, I didn''t thought so first, but after reading the
> "one-interface" guide an other time (and more carefully :-) I
figured it
> might go... Just have one question still unsure about. The reason I
> discarded it first was because it only talked about the "private"
address
> spaces, of which I don''t use and thought fw only "spoke"
to those. But if I
> understand your answer(s) right, my 4 public (and static) ip addresses have
> the same relationship to fw? So with a
> "net     eth0    detect  tcpflags,blacklist,norfc1918,routefilter
"
> interface (not bothering with the ailases now) I can simply setup rules in
> the format of
> "ACCEPT net $FW etc." and that will direct to my static
ip''s and I can also
> do things like
> "ACCEPT net $FW:1.2.3.66 etc.", is that correct? Then
I''m all set.
>
You are correct.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

> >
> 
> For further information, please 
> http://shorewall.net/Shorewall_and_Aliased_Int> erfaces.html.
> 
> 
Ok, just an other little question on this. Is the part
"#!/bin/sh
case $1 in
    eth0)
	/sbin/ip addr add 206.124.146.177 dev eth0 label eth0:0	
	;;
esac "

Meant to replace the ifconfig setup of aliases currently done on boot OR is
it meant to complement for compability with Shorewall? In other words, can I
do this "on top" of my current ifconfig setup?

/Joakim
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof 
> to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> 
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: 
> https://lists.shorewall.net/mailman/listinfo/s> horewall-users
> 
> Support: http://www.shorewall.net/support.htm
> 
> FAQ: http://www.shorewall.net/FAQ.htm
>

On Sat, 8 Nov 2003, Joakim Schramm wrote:
> > >
> >
> > For further information, please
> > http://shorewall.net/Shorewall_and_Aliased_Int> erfaces.html.
> >
> >
> Ok, just an other little question on this. Is the part
> "#!/bin/sh
> case $1 in
>     eth0)
> 	/sbin/ip addr add 206.124.146.177 dev eth0 label eth0:0
> 	;;
> esac "
>
> Meant to replace the ifconfig setup of aliases currently done on boot OR is
> it meant to complement for compability with Shorewall? In other words, can
I
> do this "on top" of my current ifconfig setup?
>
No -- if you already have alias addresses set up, you can ignore that
part.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net