Hi,

I'm new to shorewall and have been playing around with it for a few days and am about to deploy it.

My network consists of 20 servers, each of them running a web/ftp server and email server and each with its own public ip.

Currently I've got all the external and internal ip's mapped in the nat config file.
So my question is, what is the best way to setup the rules config file and keep it clean?
Is the best way to simply create www,ftp,email rules for each of the 20 public ip's?

I'm also concerned about getting the rules setup properly so the outgoing connections use the appropriate public IP address.

My Interfaces
--------------
Eth0 = net
Eth1 = loc

-------------------------------------------
Tyler Davis
Sonic Development
tdavis@sonicdev.com
-------------------------------------------
Tyler Davis wrote:
> Hi,
>
> I'm new to shorewall and have been playing around with it for a few days and
> am about to deploy it.
>
> My network consists of 20 servers, each of them running a web/ftp server and
> email server and each with its own public ip.
>
> Currently I've got all the external and internal ip's mapped in the nat
> config file.
> So my question is, what is the best way to setup the rules config file and
> keep it clean?
> Is the best way to simply create www,ftp,email rules for each of the 20
> public ip's?

Why? Are there different firewalling requirements for the different servers?

Why won't:

    ACCEPT net loc tcp www,ftp,smtp

work?

> I'm also concerned about getting the rules setup properly so the outgoing
> connections use the appropriate public IP address.

a) Do the servers really have different firewalling requirements for outbound connections?

b) Entries in the rules file can't change the public IP address used for outbound traffic from behind the firewall unless you use DNAT rules with an SNAT address (which would be a ridiculous thing to do in your case).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
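The layout Tom is describing, written out as an added example (not from the original thread or the Shorewall project): the nat file carries one one-to-one mapping per server, and a single rules line covers all of them, since the rules file is written against the internal (loc) addresses. The addresses, the /etc/shorewall paths and the number of hosts shown are constructed for illustration.

```text
# /etc/shorewall/nat  (one-to-one NAT; constructed example addresses)
# One line per server.  Shorewall generates both the inbound DNAT and the
# outbound SNAT for each pair, so replies and connections originating from
# 10.0.0.11 leave eth0 with source 192.0.2.11, and so on.  No rules entry
# is needed to pick the outbound address.
#EXTERNAL        INTERFACE  INTERNAL     ALL INTERFACES  LOCAL
192.0.2.11       eth0       10.0.0.11    No              No
192.0.2.12       eth0       10.0.0.12    No              No
192.0.2.13       eth0       10.0.0.13    No              No
# ... repeat for the remaining servers (20 lines in total for 20 hosts)

# /etc/shorewall/rules
# One line for every server: the destination is the loc zone, not a list of
# the 20 public addresses, because by the time the filter rules run the
# packet has already been DNATed to the internal address.
#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT   net     loc   tcp    www,ftp,smtp
```

After `shorewall restart`, `shorewall show nat` lists the DNAT and SNAT entries generated from the nat file, which is the quickest way to confirm that every server's public address is mapped in both directions.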
This was the exact reply I was looking for.

My testing environment is extremely limited, so I wasn't sure the rules would work properly like that with multiple public ip's. So it appears as long as they are configured properly in the nat file then all outgoing traffic is routed properly and one set of rules will work..

Thanks!

-------------------------------------------
Tyler Davis
Sonic Development
tdavis@sonicdev.com
-------------------------------------------
Non scholae, sed vitae discimus.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Wednesday, April 07, 2004 12:47 PM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Optimal Setup

Tyler Davis wrote:
> Hi,
>
> I'm new to shorewall and have been playing around with it for a few
> days and am about to deploy it.
>
> My network consists of 20 servers, each of them running a web/ftp
> server and email server and each with its own public ip.
>
> Currently I've got all the external and internal ip's mapped in the
> nat config file.
> So my question is, what is the best way to setup the rules config file
> and keep it clean?
> Is the best way to simply create www,ftp,email rules for each of the
> 20 public ip's?

Why? Are there different firewalling requirements for the different servers?

Why won't:

    ACCEPT net loc tcp www,ftp,smtp

work?

> I'm also concerned about getting the rules setup properly so the
> outgoing connections use the appropriate public IP address.

a) Do the servers really have different firewalling requirements for outbound connections?

b) Entries in the rules file can't change the public IP address used for outbound traffic from behind the firewall unless you use DNAT rules with an SNAT address (which would be a ridiculous thing to do in your case).
-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
Tyler Davis wrote:
> This was the exact reply I was looking for.
>
> My testing environment is extremely limited, so I wasn't sure the rules would
> work properly like that with multiple public ip's. So it appears as long as
> they are configured properly in the nat file then all outgoing traffic is
> routed properly and one set of rules will work..
>
> Thanks!

You're welcome -- glad you were able to see the essence of my response in spite of all the typos in it :-)

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net