Hi everyone.
I have to set up a firewall to filter traffic between a LAN and the Internet
by blacklisting local IP addresses. The current network setup is as follows:
- There are multiple switches in the LAN connected to a router.
- The router gives access to other corporate LANs and to the Internet.
- The router is set up to route traffic from two different subnets from the
same LAN.
- Currently, there's only one subnet being used.
- Every machine in the LAN (including the future firewall) is connected to a
switch (could or couldn't be the same)
- There are no filtering policies between corporate LANs.
Based on Shorewall docs, I've come up with some ideas to implement
the firewall:
- The firewall box should have just one NIC since both the internal and
external interfaces shouldn't be connected to the same switch in a
production environment.
- I might use Aliased Interfaces to segment the current subnet being used
and filter traffic between them and to/from other LANs and the Internet.
- This is more a question than an idea: Is it possible to configure
Shorewall as in the one-interface example, use the firewall box IP address as
the gateway value for the boxes that are to be filtered, and filter local
traffic by blacklisting selected IP addresses?
I'm pretty sure that what I want is to have some sort of
gateway/filter. Is Shorewall suited for such a thing? If so, I'll be
more than happy to read some ideas on how to do it ... in the meantime,
I'll try what I've come up with so far to see what happens...
Best regards,
Carlos
On Mon, 2003-12-08 at 14:40, Carlos Cajina - Hotmail wrote:
>
> Based on Shorewall docs, I've come up with some ideas to implement the firewall:
>
> - The firewall box should have just one NIC since both the internal and external interfaces shouldn't be connected to the same switch in a production environment.
> - I might use Aliased Interfaces to segment the current subnet being used and filter traffic between them and to/from other LANs and the Internet.
> - This is more a question than an idea: Is it possible to configure Shorewall as in the one-interface example, use the firewall box IP address as the gateway value for the boxes that are to be filtered, and filter local traffic by blacklisting selected IP addresses?
>
> I'm pretty sure that what I want is to have some sort of gateway/filter. Is Shorewall suited for such a thing? If so, I'll be more than happy to read some ideas on how to do it ... in the meantime, I'll try what I've come up with so far to see what happens...
>

What you are proposing provides no real security. The only way to provide real security (inbound or outbound) is to place the firewall physically between your local systems and the internet; anything else is just security by obscurity.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Thanks A LOT for the quick answer Tom... What I'll try to do then is
(physically) place the firewall between the switches and the router and set
up Shorewall as in the two-interface example. I'll use the currently active
subnet for the internal interface and the other for the external interface.
Just out of curiosity: What do you mean by "security by obscurity"? What
would be Shorewall's behavior in a situation like the one I previously
described?
Thanks again.
Carlos
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mailing List for Experienced Shorewall Users"
<shorewall-users@lists.shorewall.net>
Sent: Monday, December 08, 2003 4:47 PM
Subject: Re: [Shorewall-users] Advice needed
On Mon, 2003-12-08 at 23:40, Carlos Cajina - Hotmail wrote:
> - The firewall box should have just one NIC since both the internal and external interfaces shouldn't be connected to the same switch in a production environment.

imagine the following:

      ----------------------------------------------------------------
                        highway / motorway / autobahn
      -----------   ---------------------------   ---------
                 \   \-------------------------/   /
                  \          police control       /
                   \--------------------------------------/

now you tell everybody to go through the police control, while the motorway isn't blocked? where would you go?

if you have a manageable switch you should be able to configure different vlans on it. that means you'll have separate "switch blocks". one (2port) could serve the external interface of the firewall and the uplink. the rest is for the internal lan.

Holger Brueckner
net-labs Systemhaus GmbH
Tom:
> If your local subnet(s) use(s) public IP addresses then you probably want to start with the Shorewall Setup
> Guide (http://www.shorewall.net/shorewall_setup_guide.htm).

From the docs: "[...] you can configure your network [...] with one additional twist; simply specify the 'proxyarp' option on all three firewall interfaces in the /etc/shorewall/interfaces file."

Now, chances are that I'm not getting the whole thing right, but if I do as stated above, is the recommendation against connecting the internal and external interface to the same hub or switch (except for testing) still valid?

I was planning to follow your advice about physically placing the firewall between the switches and the router. The "thing" is, that the IPs in the two available subnetworks are all public and I'm told not to use RFC1918 addresses.

> > Just out of curiosity: What do you mean by "security by obscurity"? What would be Shorewall's behavior in a situation like the one I previously
> > described?

From the docs: "When an ARP request for one of the firewall/router's IP addresses is sent by another system connected to the hub/switch, all of the firewall's interfaces that connect to the hub/switch can respond! It is then a race as to which "here-is" response reaches the sender first."

Sorry, I should've read a little more... but now that I've done it, I have more doubts :^)

Have a good day!
On Tuesday 09 December 2003 08:55 am, Carlos Cajina - Hotmail wrote:
>
> From the docs: "[...] you can configure your network [...] with one additional twist; simply specify the 'proxyarp' option on all three firewall interfaces in the /etc/shorewall/interfaces file."
>
> Now, chances are that I'm not getting the whole thing right, but if I do as stated above, is the recommendation against connecting the internal and external interface to the same hub or switch (except for testing) still valid?

Yes.

> I was planning to follow your advice about physically placing the firewall between the switches and the router. The "thing" is, that the IPs in the two available subnetworks are all public and I'm told not to use RFC1918 addresses.
>

That's fine.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
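For the layout the thread settles on (firewall physically in line between the switches and the router, the two-interface layout, public addresses on both sides with the 'proxyarp' twist from the Setup Guide, and a blacklist of selected local hosts), here is an added illustrative Shorewall configuration; it is not from the thread or from the Shorewall project. It assumes Shorewall 4.x file syntax, eth0 facing the router and eth1 facing the switches, each on its own switch port or VLAN as Holger suggests, and uses constructed documentation-range addresses (192.0.2.0/24) in place of the site's real public subnet.

```text
# /etc/shorewall/zones   (constructed example, not from the thread)
#ZONE   TYPE
fw      firewall
net     ipv4        # router side (eth0): other corporate LANs + Internet
loc     ipv4        # switch side (eth1): the public LAN being protected

# /etc/shorewall/interfaces
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        proxyarp=1
loc     eth1        proxyarp=1
# LAN hosts keep the router (192.0.2.1, assumed) as their gateway. The router
# ARPs for a LAN host, the firewall answers on eth0 and forwards the packet
# out eth1, so every LAN <-> router packet crosses the filter. Because eth0
# and eth1 sit on separate switch ports/VLANs, the ARP race Tom describes
# (two firewall interfaces answering the same request) cannot occur.

# /etc/shorewall/proxyarp  -- one line per protected host on the LAN side
#ADDRESS        INTERFACE   EXTERNAL    HAVEROUTE
192.0.2.10      eth1        eth0        No
192.0.2.11      eth1        eth0        No
192.0.2.20      eth1        eth0        No

# /etc/shorewall/policy  -- default deny from the outside, logged
#SOURCE DEST    POLICY  LOGLEVEL
loc     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules  -- inbound exceptions are explicit and narrow
#ACTION SOURCE  DEST                PROTO   DPORT
ACCEPT  net     loc:192.0.2.10      tcp     80,443

# /etc/shorewall/blrules  -- the "blacklist local IPs" part of the question:
# a LAN host that must not reach the Internet, dropped and logged so the
# attempt shows up in the firewall log
#ACTION     SOURCE          DEST    PROTO
DROP:info   loc:192.0.2.20  net
```

Run `shorewall check` before `shorewall restart`; a LAN host listed in proxyarp that is still reachable from the router without traversing the firewall means the two interfaces are not actually on separate switch blocks.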