Hi,

I have a live class C network (on T1) which routes from the provider through a router on a /30 network.

Router(/30) < -- > Firewall external interface (/30)
                        |
                        |----> Public Network (/24) (I have a linux proxy(squid) which serves the private network. I want to remove this.)
                        |
                        |----> Private Network (not used as HTTP filtering causes extra load on firewall)

The firewall needs to be replaced as it is not able to handle the load. I would like to install a linux based firewall/router in place of the current firewall which should be able to forward request to the live /24 network back and forth without any changes to the existing servers.

Can shorewall do the same? How should I configure shorewall so that the public network will be on DMZ, private network can be directly connected to one of the interfaces on shorewall firewall with squid running and also if I can do traffic shaping for the private network (rfc1918). What will be the hardware requirement? What are the issues I will have to take care of to have minimum downtime?

Thanks,
~Bhavin.

On Fri, 19 Dec 2003, Bhavin Modi wrote:

> I have a live class C network(on T1) which routes from the provider through
> a router on a /30 network.
>
> Router(/30) < -- > Firewall external interface (/30)
>                         |
>                         |----> Public Network (/24) (I have a linux
> proxy(squid) which serves the private network. I want to remove this.)
>                         |
>                         |----> Private Network (not used as HTTP
> filtering causes extra load on firewall)
>

The above is totally incomprehensible.....

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

I think I presented the network in a wrong manner.

Here is the correction.

Router(/30) < -- > Firewall external interface (/30)
                        |
                   Firewall DMZ interface (/24) <----> Public Network (/24)
                        |
                   Firewall pvt. network interface (rfc1918) <----> Private Network (not used as HTTP filtering causes extra load on firewall)

The gateway for firewall is the router IP address.
The gateway for public network is firewall DMZ interface address.

Thanks,
~Bhavin.

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mailing List for Experienced Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Friday, December 19, 2003 8:41 PM
Subject: Re: [Shorewall-users] Firewall Requirement

> On Fri, 19 Dec 2003, Bhavin Modi wrote:
>
> > I have a live class C network(on T1) which routes from the provider through
> > a router on a /30 network.
> >
> > Router(/30) < -- > Firewall external interface (/30)
> >                         |
> >                         |----> Public Network (/24) (I have a linux
> > proxy(squid) which serves the private network. I want to remove this.)
> >                         |
> >                         |----> Private Network (not used as HTTP
> > filtering causes extra load on firewall)
> >
>
> The above is totally incomprehensible.....
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

On Sat, 2003-12-20 at 09:33, Bhavin Modi wrote:

> I think I presented the network in a wrong manner.
>
> Here is the correction.
>
> Router(/30) < -- > Firewall external interface (/30)
>                         |
>                    Firewall DMZ interface (/24) <----> Public Network
> (/24)
>                         |
>                    Firewall pvt. network interface (rfc1918) <---->
> Private Network (not used as HTTP filtering causes extra load on firewall)
>
>
> The gateway for firewall is the router IP address.
> The gateway for public network is firewall DMZ interface address.
>

To answer your first question, Yes Shorewall can be used in this configuration.

You are going to have to do some reading though so you can ask more specific questions about configuration; "How do I configure the above" is asking us to do your job for you. I suggest that you start at http://www.shorewall.net/shorewall_setup_guide.htm.

There are other users on the list that run high-volume Shorewall configurations and hopefully they will be able to give you some advice about the hardware requirements.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Thanks Tom.

I just wanted to make sure that I can use shorewall for my network. After going through the documentation I know I can do a lot with shorewall.

Thanks again.
~Bhavin.

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mailing List for Experienced Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Saturday, December 20, 2003 12:20 PM
Subject: Re: [Shorewall-users] Firewall Requirement

> On Sat, 2003-12-20 at 09:33, Bhavin Modi wrote:
> > I think I presented the network in a wrong manner.
> >
> > Here is the correction.
> >
> > Router(/30) < -- > Firewall external interface (/30)
> >                         |
> >                    Firewall DMZ interface (/24) <----> Public Network
> > (/24)
> >                         |
> >                    Firewall pvt. network interface (rfc1918) <---->
> > Private Network (not used as HTTP filtering causes extra load on firewall)
> >
> >
> > The gateway for firewall is the router IP address.
> > The gateway for public network is firewall DMZ interface address.
> >
>
> To answer your first question, Yes Shorewall can be used in this
> configuration.
>
> You are going to have to do some reading though so you can ask more
> specific questions about configuration; "How do I configure the above"
> is asking us to do your job for you. I suggest that you start at
> http://www.shorewall.net/shorewall_setup_guide.htm.
>
> There are other users on the list that run high-volume Shorewall
> configurations and hopefully they will be able to give you some advice
> about the hardware requirements.
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net