On Tue, 2 Mar 2004, Carlos Cajina - Hotmail wrote:
> Good afternoon.
>
> I'm about to start a firewalling project @ work. I have some experience with Shorewall but nothin' fancy; this time I'd like some advice on best practices for a set up like the one I'll describe.
>
> What I need to do this time is based on the following network setup:
>
> - There are two or more switches in every floor of the building I work in (10 in total)
> - Every switch is connected to a "final" switch, which also serves some workstations.
> - The "final" switch is connected to our ISP router.
> - This router listens to two subnets: 148.202.86.0/24 and 148.202.98.0/24
> - Currently, there's just one subnet being used (148.202.86.0/24).
> - The router is connected to a microwave antenna.
> - Within my local LAN there are 3 public servers (email and web)
>
> and has to meet these requirements:
>
> 1. Keep subnet 148.202.86.0/24 and assign IP addresses from it to workstations that will have no restrictions accessing the Internet (although it could be possible to blacklist some of them)
> 2. Set up a DHCP server in the same Firewall box so that it serves private IP addresses (192.168.0.0/22) to workstations that will have restricted Internet access, but will be able to share files and access local web and email servers.
> 3. Keep public and email server open.
>
> Having set this scenario, any ideas, thoughts or comments will be more than welcome.
>
I'm afraid that this mailing list doesn't provide firewall/network design services. If you have specific questions, we will be happy to try to answer them.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net