I've watched with interest the threads with multiple IP, addressing, ProxyARP, etc., etc. I have the documentation bookmarked, read, and re-read. I've watched Lito asking about SNAT, NAT and aliases..... I'm now as confused as ever.

I have spent the extra $15.00 per month to get 5 fixed IP addresses from SBC for their "business" DSL. My reasoning was that it is (or should be) easier to protect/firewall a fixed IP (or an IP range) than it would a dynamic range. I could also run a home website (complete with mail) for myself and my daughter's sorority, and a stepson that's thinking of trying some internet marketing....

Are there any recommendations/examples for multiple fixed IP's such as:

    INTERNET
        |
      eth0
        |
    Shorewall ---eth1--- DMZ (right now a single computer - should I have two? 2nd for mail?)
        |
      eth2
        |
    My Internal Network

Currently I have the "DMZ" box DNATing (via shorewall also) to "real" IP addresses assigned by Pac Bell (SBC), but if I'm reading these threads correctly...It is NOT optimal. I have eth1 on the shorewall box with a 192.x.x.x address and eth0 on the DMZ box DNATing from 192.x.x.x to assigned addresses, of which I am only using one and trying the Apache virtual server(s) set-up, but right now I only have 1 IP working (for http only).

Tom, you have a great product, and I love the prompt replies, but I've read and re-read the FAQ's and responses over and over, and I'm not getting this particular set-up. Should I give up the fixed IP's, and just pay for the (cheaper) dynamic IP and then use some of the tinydns, dyndns or whatever for a name server? Am I just wasting my money? Am I not seeing an example somewhere?

Bill -- ducking the incoming flak --
On Mon, 17 Nov 2003 Bill.Light@kp.org wrote:

> Tom, you have a great product, and I love the prompt replies, but I've
> read and re-read the FAQ's and responses over and over, and I'm not
> getting this particular set-up. Should I give up the fixed IP's, and just
> pay for the (cheaper) dynamic IP and then use some of the tinydns, dyndns
> or whatever for a name server? Am I just wasting my money? Am I not
> seeing an example somewhere?

My personal preference is expressed at: http://shorewall.net/shorewall_setup_guide.htm. It shows how I would (and have) divided 5 public IP addresses between a firewall, DMZ and local networks.

My aim with Shorewall is to be able to accommodate the setups that folks happen to have; I don't want to get into the business of dictating configurations. I pay for 5 IP addresses so that I can run a config with multiple public IP addresses; I don't think I would have much credibility in that problem space without being able to actually run it.

If I were trying to save money, I would use the three-interface model (http://shorewall.net/three-interface.htm) with one public IP address. When I retire, that's what I'm probably going to run simply because I won't be able to afford multiple public IPs in an area where wireless (microwave) service is the only form of "high-speed" service available. In that market, more than one public IP address costs a fortune.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
I will re-visit the set-up guide. As usual, thanks for the prompt response.

As far as the 5 IP's, what SBC (formerly Pac Bell DSL) offered is one dynamic or 5 fixed IP's. As I stated, I wanted the "fixed" address to defend. What SBC does NOT offer is one fixed IP (which is what I, too, really wanted).

I wasn't necessarily asking for your "custom" design specifications for me - as much as I can't believe there aren't more Shorewall users that have the same ISP type offering. And, others could benefit from an example. Once I feel secure enough, I'd be willing to post mine...but I'm not there yet.

I'm off for more reading/studying. Thanks again.

- Bill

==============================================================
Tom Eastep <teastep@shorewall.net>
Sent by: shorewall-users-bounces@lists.shorewall.net
11/17/03 07:31 PM
Please respond to Shorewall Users Mailing List

To: Shorewall Users Mailing List <shorewall-users@lists.shorewall.net>
cc:
Subject: Re: [Shorewall-users] Recommendations

> On Mon, 17 Nov 2003 Bill.Light@kp.org wrote:
>
> > Tom, you have a great product, and I love the prompt replies, but I've
> > read and re-read the FAQ's and responses over and over, and I'm not
> > getting this particular set-up. Should I give up the fixed IP's, and just
> > pay for the (cheaper) dynamic IP and then use some of the tinydns, dyndns
> > or whatever for a name server? Am I just wasting my money? Am I not
> > seeing an example somewhere?
>
> My personal preference is expressed at:
> http://shorewall.net/shorewall_setup_guide.htm. It shows how I would (and
> have) divided 5 public IP addresses between a firewall, DMZ and local
> networks.
>
> My aim with Shorewall is to be able to accommodate the setups that folks
> happen to have; I don't want to get into the business of dictating
> configurations. I pay for 5 IP addresses so that I can run a config with
> multiple public IP addresses; I don't think I would have much credibility
> in that problem space without being able to actually run it.
> If I were trying to save money, I would use the three-interface model
> (http://shorewall.net/three-interface.htm) with one public IP address.
> When I retire, that's what I'm probably going to run simply because I
> won't be able to afford multiple public IPs in an area where wireless
> (microwave) service is the only form of "high-speed" service available.
> In that market, more than one public IP address costs a fortune.
>
> -Tom
> --
> Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,        \ http://shorewall.net
> Washington USA     \ teastep@shorewall.net
On Mon, 2003-11-17 at 20:00, Bill.Light@kp.org wrote:

> I wasn't necessarily asking for your "custom" design specifications for me
> - as much as I can't believe there aren't more Shorewall users that have
> the same ISP type offering. And, others could benefit from an example.
> Once I feel secure enough, I'd be willing to post mine...but I'm not there
> yet.

I must be missing something. The one-, two- and three-interface QuickStart Guides cover common setups for one public IP address (dynamic or static) and the Shorewall Setup Guide covers multiple public IP addresses (with detailed instructions for 5 such addresses). What additional example do you feel is required?

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
> > I wasn't necessarily asking for your "custom" design specifications for me
> > - as much as I can't believe there aren't more Shorewall users that have
> > the same ISP type offering. And, others could benefit from an example.
> > Once I feel secure enough, I'd be willing to post mine...but I'm not there
> > yet.
>
> I must be missing something. The one-, two- and three-interface QuickStart
> Guides cover common setups for one public IP address (dynamic or static)
> and the Shorewall Setup Guide covers multiple public IP addresses (with
> detailed instructions for 5 such addresses). What additional example do
> you feel is required?
>
> -Tom

=====================

With the exception of:

- The "206" address in your routing table in paragraph 4.3
- The arping of a "66" address deep into paragraph 5.2.3
- The NAT example of a "66" address deep into paragraph 5.2.4

I get confused when to put in a "Real" IP versus the 192 examples...I didn't think I wanted Bind9 views, so I skipped the only other place where "real" IP addresses appear in your DNS section. I'm still not sure why I want to run DNS on the firewall (I have it in my local zone). I would guess that once I wish to run more than one domain in the DMZ, I will have to...

- Bill
On Tue, 2003-11-18 at 10:50, Bill.Light@kp.org wrote:

> > I wasn't necessarily asking for your "custom" design specifications for
> > me - as much as I can't believe there aren't more Shorewall users that
> > have the same ISP type offering. And, others could benefit from an
> > example. Once I feel secure enough, I'd be willing to post mine...but
> > I'm not there yet.
>
> I must be missing something. The one-, two- and three-interface
> QuickStart Guides cover common setups for one public IP address (dynamic
> or static) and the Shorewall Setup Guide covers multiple public IP
> addresses (with detailed instructions for 5 such addresses). What
> additional example do you feel is required?
>
> -Tom
>
> =====================
>
> With the exception of:
>
> - The "206" address in your routing table in paragraph 4.3
> - The arping of a "66" address deep into paragraph 5.2.3
> - The NAT example of a "66" address deep into paragraph 5.2.4
>
> I get confused when to put in a "Real" IP versus the 192 examples...

192.0.2.x addresses *are real addresses*! They are reserved by RFC 3330 for testing and for use in printed examples as *real addresses*. So you put "real addresses" everywhere you see 192.0.2.x.

Section 4.5 clearly defines those addresses reserved by RFC 1918 as private addresses.

> I didn't think I wanted Bind9 views, so I skipped the only other place
> where "real" IP addresses appear in your DNS section. I'm still not sure
> why I want to run DNS on the firewall (I have it in my local zone). I
> would guess that once I wish to run more than one domain in the DMZ, I
> will have to...

The most common reason people place a DNS server on their firewall is that it is the only system they own with DNS server software available for it.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
On Tue, 2003-11-18 at 11:28, Tom Eastep wrote:

> 192.0.2.x addresses *are real addresses*! They are reserved by RFC 3330
> for testing and for use in printed examples as *real addresses*. So you
> put "real addresses" everywhere you see 192.0.2.x.
>
> Section 4.5 clearly defines those addresses reserved by RFC 1918 as
> private addresses.

And the 192.x.x.x range reserved by RFC 1918 is 192.168.0.0/16 (which does not include 192.0.2.x).

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
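Tom's point above (192.0.2.x in the Setup Guide stands for your real public addresses, while 192.168.0.0/16 is RFC 1918 private space and stays as-is) can be turned into a check that flags which addresses in a config still need substituting. This is an added example written for this thread, not code from the thread or from the Shorewall project; the Shorewall-style nat/masq lines and the 66.1.1.1 "public" address are constructed, and the documentation list also includes the two blocks RFC 5737 added later, which the thread does not mention.

```python
import ipaddress
import re

# RFC 3330 reserved 192.0.2.0/24 (TEST-NET) for printed examples; RFC 5737
# later added two more blocks. A guide uses these to stand for YOUR public IPs.
DOCUMENTATION_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]
# RFC 1918 private ranges: kept as-is behind NAT, never substituted.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?\b")


def classify(addr):
    """'documentation' (substitute your real public IP), 'private' (RFC 1918,
    keep it), or 'public' for one IPv4 address or CIDR block."""
    net = ipaddress.ip_network(addr, strict=False)
    if any(net.subnet_of(d) for d in DOCUMENTATION_NETS):
        return "documentation"
    if any(net.subnet_of(p) for p in RFC1918_NETS):
        return "private"
    return "public"


def audit(config_lines):
    """Return (line_no, address, class) for every IPv4 address in the text."""
    return [(n, a, classify(a))
            for n, line in enumerate(config_lines, 1)
            for a in IPV4_RE.findall(line)]


# Constructed sample in the style of Shorewall's nat and masq files; the
# addresses are guide-style placeholders plus one made-up public address.
SAMPLE_CONFIG = [
    "#EXTERNAL     INTERFACE  INTERNAL      ALL_INTERFACES  LOCAL",
    "192.0.2.177   eth0       192.168.1.5   No              No",
    "#INTERFACE    SUBNET",
    "eth0          192.168.1.0/24",
    "# upstream gateway (constructed value, not from the guide)",
    "66.1.1.1",
]

if __name__ == "__main__":
    for n, addr, kind in audit(SAMPLE_CONFIG):
        note = "SUBSTITUTE your public address" if kind == "documentation" else "keep"
        print(f"line {n}: {addr:<18} {kind:<13} -> {note}")
```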