I'd like to retire my old 486 / RH 7.3 firewall and setup shorewall on my biz DSL connection under Fedora Core 1 or TSL 2.0 on a P166 or better.

I'd like to have a NIC for DMZ, LAN and 2 external NICS, both using DHCP.

I'd like to set up forwarding of ssh, http, https, dns, from 1 external nic to my DMZ (as I have now).

The second external NIC I'd like to forward to my secondary DNS server in the DMZ.

Can I do this, will it work? Can you suggest how I might do this? As I posted before, my ISP assigns my "static" IPs using DHCP, but only allows one MAC address per IP.
On Tue, 2004-01-06 at 00:26, rmillisl@millis-it.com wrote:
> I'd like to retire my old 486 / RH 7.3 firewall and setup shorewall on my
> biz DSL connection under Fedora Core 1 or TSL 2.0 on a P166 or better.
>
> I'd like to have a NIC for DMZ, LAN and 2 external NICS, both using DHCP.
>
> I'd like to set up forwarding of ssh, http, https, dns, from 1 external
> nic to my DMZ (as I have now).
>
> The second external NIC I'd like to forward to my secondary DNS server in
> the DMZ.
>
> Can I do this, will it work? Can you suggest how I might do this? As I
> posted before, my ISP assigns my "static" IPs using DHCP, but only allows
> one MAC address per IP.

It seems like you might be over-complicating the setup here. From your description, it sounds like you have multiple IP addrs on your DSL connection and you want to be able to use one addr for ssh/http/dns and the other addr for your other dns in the DMZ. You don't need two nics to handle this.
rmillisl@millis-it.com wrote ..
> I'd like to retire my old 486 / RH 7.3 firewall and setup shorewall on
> my biz DSL connection under Fedora Core 1 or TSL 2.0 on a P166 or better.
>
> I'd like to have a NIC for DMZ, LAN and 2 external NICS, both using DHCP.
>
> I'd like to set up forwarding of ssh, http, https, dns, from 1 external
> nic to my DMZ (as I have now).
>
> The second external NIC I'd like to forward to my secondary DNS server
> in the DMZ.
>
> Can I do this, will it work? Can you suggest how I might do this? As I
> posted before, my ISP assigns my "static" IPs using DHCP, but only allows
> one MAC address per IP.
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

Hello Randy,

I have read doco on arp that will allow you to create interfaces with a mac address but I have never done it and by the tone of the doco it was not recommended. The purpose of mac is to be unique to the hardware the address is assigned to: in this case a nic ethernet card.

I have only 2 nics one of which is a local subnet lan. On the subnet I run a mix of Windblows and Linux boxes. The Linux boxes have NFS shares so I do what I want using a class C ip addressing scheme. I also have a biz DSL but I have real static IPs none of which would be of any use to me if assigned by my ISP using DHCP.

Send a diagram of your network topology and I will study this more. Or use my chat server: irc.icis.webitplanet.com.

Thanks,
David.
On Monday 05 January 2004 09:26 pm, rmillisl@millis-it.com wrote:
> I'd like to retire my old 486 / RH 7.3 firewall and setup shorewall on my
> biz DSL connection under Fedora Core 1 or TSL 2.0 on a P166 or better.
>
> I'd like to have a NIC for DMZ, LAN and 2 external NICS, both using DHCP.
>
> I'd like to set up forwarding of ssh, http, https, dns, from 1 external
> nic to my DMZ (as I have now).
>
> The second external NIC I'd like to forward to my secondary DNS server in
> the DMZ.
>
> Can I do this, will it work?

Yes.

> Can you suggest how I might do this?

Assign two interfaces to the 'net' zone in /etc/shorewall/interfaces then qualify the source of your port forwarding rules with the interface:

    DNAT net:eth0 dmz:...

> As I
> posted before, my ISP assigns my "static" IPs using DHCP, but only allows
> one MAC address per IP.
>

Probably only one IP address per MAC, right?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
--- Tom Eastep <teastep@shorewall.net> wrote:
> On Monday 05 January 2004 09:26 pm, rmillisl@millis-it.com wrote:
> > I'd like to retire my old 486 / RH 7.3 firewall and setup shorewall
> > on my biz DSL connection under Fedora Core 1 or TSL 2.0 on a P166 or
> > better.
> >
> > I'd like to have a NIC for DMZ, LAN and 2 external NICS, both using
> > DHCP.
> >
> > I'd like to set up forwarding of ssh, http, https, dns, from 1
> > external nic to my DMZ (as I have now).
> >
> > The second external NIC I'd like to forward to my secondary DNS
> > server in the DMZ.
> >
> > Can I do this, will it work?
>
> Yes.
>
> > Can you suggest how I might do this?
>
> Assign two interfaces to the 'net' zone in /etc/shorewall/interfaces
> then qualify the source of your port forwarding rules with the interface:
>
> DNAT net:eth0 dmz:...

Can't he run into problems with this type of setup if his masq file isn't set up correctly, SNAT wise? I.e. connections come in from the internet into one IP but the return syn/ack response leaves exiting with a different IP address?

Just a heads up if this is the case, which I think it is if you're using anything other than static (one to one) NAT, or specifically have your masq file set up to SNAT accordingly. You would need to take DNS mappings into account here as well, especially to include reverse mappings.

I'm fairly confident that my assumption is correct but if it's not, sorry. I'm sure Tom or one of the other experienced users can confirm what I'm talking about.

HTH's,
Joshua Banks

__________________________________
Do you Yahoo!?
Yahoo! Hotjobs: Enter the "Signing Bonus" Sweepstakes
http://hotjobs.sweepstakes.yahoo.com/signingbonus
On Tuesday 06 January 2004 08:36 am, Joshua Banks wrote:
>
> Can't he run into problems with this type of setup if his masq file
> isn't setup correctly. SNAT wise.
> I.E.
> Connections come in from the internet into one ip but the return
> syn/ack response leaves exiting with a different ip address?
> Just a heads up if this is the case wich I think it is if your using
> anything other than static (one to one) nat, or specifically have your
> masq file setup to snat accordingly.
> You would need to take dns mappings into account here as well
> especially to include reverse mappings.
>
> I'm fairly confident that my assumption is correct but if its not,
> sorry. I'm sure Tom or one of the other experienced users can confirm
> what I'm talking about.

He has a single ISP -- so the usual problems about routing (FAQ 32) shouldn't apply (unless his ISP is doing MAC verification as well as DHCP enforcement). As you point out, he does need to SNAT out of both interfaces though.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Jim

James H. Thompson
jht@lava.net

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mailing List for Experienced Shorewall Users" <shorewall-users@lists.shorewall.net>; "Joshua Banks" <l0f33t@yahoo.com>
Sent: Tuesday, January 06, 2004 6:40 AM
Subject: Re: [Shorewall-users] Shorewall with 4 nics / 2 external

> On Tuesday 06 January 2004 08:36 am, Joshua Banks wrote:
> >
> > Can't he run into problems with this type of setup if his masq file
> > isn't setup correctly. SNAT wise.
> > I.E.
> > Connections come in from the internet into one ip but the return
> > syn/ack response leaves exiting with a different ip address?
> > Just a heads up if this is the case wich I think it is if your using
> > anything other than static (one to one) nat, or specifically have your
> > masq file setup to snat accordingly.
> > You would need to take dns mappings into account here as well
> > especially to include reverse mappings.
> >
> > I'm fairly confident that my assumption is correct but if its not,
> > sorry. I'm sure Tom or one of the other experienced users can confirm
> > what I'm talking about.
>
> He has a single ISP -- so the usual problems about routing (FAQ 32) shouldn't
> apply (unless his ISP is doing MAC verification as well as DHCP enforcement).
> As you point out, he does need to SNAT out of both interfaces though.
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
--- "James H. Thompson" <jht@lava.net> wrote:
>
> Jim
>
> James H. Thompson
> jht@lava.net
>

I don't understand your response above.

Thanks,
Joshua Banks

> > On Tuesday 06 January 2004 08:36 am, Joshua Banks wrote:
> > >
> > > Can't he run into problems with this type of setup if his masq
> > > file isn't setup correctly. SNAT wise.
> > > I.E.
> > > Connections come in from the internet into one ip but the return
> > > syn/ack response leaves exiting with a different ip address?
> > > Just a heads up if this is the case wich I think it is if your
> > > using anything other than static (one to one) nat, or specifically
> > > have your masq file setup to snat accordingly.
> > > You would need to take dns mappings into account here as well
> > > especially to include reverse mappings.
> > >
> > > I'm fairly confident that my assumption is correct but if its
> > > not, sorry. I'm sure Tom or one of the other experienced users can
> > > confirm what I'm talking about.
> >
> > He has a single ISP -- so the usual problems about routing (FAQ 32)
> > shouldn't apply (unless his ISP is doing MAC verification as well as
> > DHCP enforcement).
> > As you point out, he does need to SNAT out of both interfaces
> > though.
>> I'd like to have a NIC for DMZ, LAN and 2 external NICS, both using
>> DHCP.
>>
>> I'd like to set up forwarding of ssh, http, https, dns, from 1
>> external nic to my DMZ (as I have now).
>>
>> The second external NIC I'd like to forward to my secondary DNS server
>> in the DMZ.
>>
>> Can I do this, will it work? Can you suggest how I might do this? As I
>> posted before, my ISP assigns my "static" IPs using DHCP, but only
>> allows one MAC address per IP.

> It seems like you might be over-complicating the setup here. From your
> description, it sounds like you have multiple IP addrs on your DSL
> connection and you want to be able to use one addr for ssh/http/dns and
> the other addr for your other dns in the DMZ. You don't need two nics
> to handle this.

Ok, how might I go about this?

I have 2 external IP's, one for primary DNS, one for secondary, I am allowed one external IP per MAC address?
This should help... It's just the same isp and gateway....
http://shorewall.net/FAQ.htm#faq32

then here:
http://shorewall.net/three-interface.htm

download the three-interface example then create a net1 zone for the second public interface in the zone file. assign the new zone to the interface in the interfaces file, set the policy for net1 and use the net1 zone in the DNAT rules for the second DNS server.. You'll just need to ensure that the secondary server gets masq'd to the correct address.. in the masq file..

    eth3 $IPDNS2 $PUBIP2
    eth0 eth1    $PUBIP1
    eth0 eth2    $PUBIP1

Hope this helps and I'm not leading you astray...

Jerry Vonau

----- Original Message -----
From: <rmillisl@millis-it.com>
To: <shorewall-users@lists.shorewall.net>
Sent: Wednesday, January 07, 2004 00:05
Subject: Re: [Shorewall-users] Shorewall with 4 nics / 2 external

>> I'd like to have a NIC for DMZ, LAN and 2 external NICS, both using
>> DHCP.
>>
>> I'd like to set up forwarding of ssh, http, https, dns, from 1
>> external nic to my DMZ (as I have now).
>>
>> The second external NIC I'd like to forward to my secondary DNS server
>> in the DMZ.
>>
>> Can I do this, will it work? Can you suggest how I might do this? As I
>> posted before, my ISP assigns my "static" IPs using DHCP, but only
>> allows one MAC address per IP.

> It seems like you might be over-complicating the setup here. From your
> description, it sounds like you have multiple IP addrs on your DSL
> connection and you want to be able to use one addr for ssh/http/dns and
> the other addr for your other dns in the DMZ. You don't need two nics
> to handle this.

Ok, how might I go about this?

I have 2 external IP's, one for primary DNS, one for secondary, I am allowed one external IP per MAC address?
On Wed, 2004-01-07 at 01:05, rmillisl@millis-it.com wrote:
> >> I'd like to have a NIC for DMZ, LAN and 2 external NICS, both using
> >> DHCP.
> >>
> >> I'd like to set up forwarding of ssh, http, https, dns, from 1
> >> external nic to my DMZ (as I have now).
> >>
> >> The second external NIC I'd like to forward to my secondary DNS server
> >> in the DMZ.
> >>
> >> Can I do this, will it work? Can you suggest how I might do this? As I
> >> posted before, my ISP assigns my "static" IPs using DHCP, but only
> >> allows one MAC address per IP.
> >
> > It seems like you might be over-complicating the setup here. From your
> > description, it sounds like you have multiple IP addrs on your DSL
> > connection and you want to be able to use one addr for ssh/http/dns and
> > the other addr for your other dns in the DMZ. You don't need two nics
> > to handle this.
>
> Ok, how might I go about this?
>
> I have 2 external IP's, one for primary DNS, one for secondary, I am
> allowed one external IP per MAC address?

I just wonder if you have the one external IP per MAC address part right. I've never heard of ISPs doing anything exactly like that. Besides, you will have some funky routing if you have two interfaces on the same subnet like that. You would have to get into some iproute2 rules to determine which traffic goes out which interface, etc.

Assuming that the one-ip-per-mac bit isn't exactly correct, you could use the 'nat' file to statically nat the second IP address to your second DMZ server. Both IP addresses would wind up being bound to the one interface as eth0 and eth0:1, etc. Very common setup.

--
David T Hollis <dhollis@davehollis.com>
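As an added example (not code from this thread, and not part of Shorewall itself), the Python script below spells out both layouts suggested above as Shorewall 1.4-style interfaces/rules/masq/nat fragments: Jerry's four-NIC version with a second zone net1 on the second public interface, and David's single-NIC version with the second public address as an alias and a one-to-one nat entry. It then performs the check Joshua and Tom raise: every DMZ host reached through an external interface must also be SNATed (masq file) or one-to-one NATed (nat file) out that same interface with the public address clients connect to, and it warns when a host would be given a different address if its outbound traffic were routed out the other public interface, which is the routing question David mentions and which these files alone do not settle. Zone names, interface names and all addresses are constructed for the example; the column layouts follow Shorewall 1.4 conventions (the masq SUBNET column may be a host, a CIDR block or the name of the inside interface; eth0:1 in the nat INTERFACE column names an alias on eth0).

```python
"""Cross-check Shorewall 1.4-style files: a DMZ host reached by an inbound
DNAT/ACCEPT rule must also be SNATed/one-to-one NATed out that interface."""
import ipaddress
from collections import namedtuple

Masq = namedtuple("Masq", "iface subnet address")   # masq: INTERFACE SUBNET ADDRESS
Nat = namedtuple("Nat", "external iface internal")  # nat: EXTERNAL INTERFACE INTERNAL ...

# Constructed sample 1: four NICs, second public NIC in its own zone "net1".
# All zone/interface names and addresses here are assumptions for the example.
INTERFACES_4NIC = """
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp
net1    eth3        detect      dhcp
loc     eth1        detect
dmz     eth2        detect
"""
RULES_4NIC = """
#ACTION SOURCE  DEST             PROTO   DEST PORT(S)
DNAT    net     dmz:10.10.0.10   tcp     22,80,443
DNAT    net     dmz:10.10.0.10   udp     53
DNAT    net1    dmz:10.10.0.11   udp     53
"""
MASQ_4NIC = """
#INTERFACE  SUBNET        ADDRESS
eth3        10.10.0.11    203.0.113.2
eth0        eth1          203.0.113.1
eth0        eth2          203.0.113.1
"""
# Constructed sample 2: one public NIC, second address as alias eth0:1 plus a
# one-to-one nat entry for the secondary DNS server (ACCEPT, not DNAT, rule).
INTERFACES_1NIC = "net eth0 detect dhcp\nloc eth1 detect\ndmz eth2 detect\n"
RULES_1NIC = """
DNAT    net     dmz:10.10.0.10   tcp   22,80,443
DNAT    net     dmz:10.10.0.10   udp   53
ACCEPT  net     dmz:10.10.0.11   udp   53    # nat entry below translates the address
"""
MASQ_1NIC = "eth0 eth1 203.0.113.1\neth0 10.10.0.10 203.0.113.1\n"
NAT_1NIC = """
#EXTERNAL     INTERFACE   INTERNAL     ALL INTERFACES   LOCAL
203.0.113.2   eth0:1      10.10.0.11   No               No
"""

def _rows(text):
    """Columns of each non-blank, non-comment line (trailing comments stripped)."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def parse_interfaces(text):
    return {cols[0]: cols[1] for cols in _rows(text)}   # zone -> interface

def parse_masq(text):
    return [Masq(c[0], c[1], c[2] if len(c) > 2 else None) for c in _rows(text)]

def parse_nat(text):
    # "eth0:1" in the INTERFACE column is an alias; the underlying interface is eth0
    return [Nat(c[0], c[1].split(":")[0], c[2]) for c in _rows(text)]

def inbound_targets(rules_text, external_zones):
    """Sorted (external zone, dmz host) pairs for DNAT/ACCEPT rules into dmz:host."""
    targets = set()
    for action, src, dst, *_ in _rows(rules_text):
        zone = src.split(":")[0]
        if action in ("DNAT", "ACCEPT") and zone in external_zones and dst.startswith("dmz:"):
            targets.add((zone, dst.split(":", 1)[1]))
    return sorted(targets)

def covers(subnet, host, inside_iface):
    """Does a masq SUBNET column (host, CIDR, or inside interface name) include host?"""
    if subnet == inside_iface:
        return True
    try:
        return ipaddress.ip_address(host) in ipaddress.ip_network(subnet, strict=False)
    except ValueError:          # an interface name, not an address
        return False

def check(interfaces_text, rules_text, masq_text, nat_text, external_zones):
    """Return (missing, warnings): hosts with no outbound NAT out the interface they
    are reached through, and hosts whose source address depends on routing."""
    zone_iface = parse_interfaces(interfaces_text)
    dmz_iface = zone_iface["dmz"]
    masq, nat = parse_masq(masq_text), parse_nat(nat_text)
    missing, warnings = [], []
    for zone, host in inbound_targets(rules_text, external_zones):
        ext_if = zone_iface[zone]
        addrs = {m.address for m in masq if m.iface == ext_if and covers(m.subnet, host, dmz_iface)}
        addrs |= {n.external for n in nat if n.iface == ext_if and n.internal == host}
        if not addrs:
            missing.append(f"{host}: no masq/nat entry out {ext_if} (zone {zone})")
            continue
        if len(addrs) > 1:
            warnings.append(f"{host}: several source addresses out {ext_if}: {sorted(addrs)}")
        for m in masq:  # same host SNATed to another address if routed out another interface
            if m.iface != ext_if and covers(m.subnet, host, dmz_iface) and m.address not in addrs:
                warnings.append(f"{host}: becomes {m.address} if routed out {m.iface}; "
                                f"its traffic must leave via {ext_if}")
    return missing, warnings

if __name__ == "__main__":
    print("four NICs:", check(INTERFACES_4NIC, RULES_4NIC, MASQ_4NIC, "", {"net", "net1"}))
    print("one NIC:  ", check(INTERFACES_1NIC, RULES_1NIC, MASQ_1NIC, NAT_1NIC, {"net"}))
```

On the four-NIC sample the check finds nothing missing but does warn that the secondary DNS server, while SNATed to the second address out eth3, would leave as the first address if the kernel routed its traffic out eth0, since the masq line for the whole DMZ interface also matches it; that is exactly the case where iproute2 rules, rather than Shorewall files, decide the outcome. The one-NIC sample is clean because the one-to-one nat entry handles both directions for that host and the masq line is restricted to the primary server. Running the script with the eth3 masq line deleted reports the secondary server as missing, the failure Joshua describes.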