I've just started to use shorewall and now require 2 nics in one machine, not sure how to setup the second nic? I'm connected to ADSL through a 4 port router and have 1 sticky IP address, which hasn't changed for some time.

My understanding is that the first nic is eth0 and the second one is eth1. eth0 is using a static internal address 10.1.2.* /255.0.0.0 and connected to the internet. Another question: if I want to secure my network, what subnet should I use (ie /24) instead of listing all the ip addresses?

Thanks

Badboy
On 26 Apr 2004 at 21:48, mlist wrote:

> I've just started to use shorewall and now require 2 nics in one
> machine, not sure how to setup the second nic? I'm connected to ADSL
> through a 4 port router and have a 1 sticky IP address, which hasn't
> changed for sometime.
>
> My understanding is that the first nic is eth0 and the second one is
> eth1. eth0 is using a static internal address 10.1.2.* /255.0.0.0 and
> connected to the internet. Another question if i want to secure my
> network what subnet should I use (ie /24) instead of listing all the
> ip addresses.?
>
> Thanks
>
> Badboy

Set up eth1 to use any private subnet, such as 192.169.0.1-255.
Set eth1 as static IP 192.168.0.1 mask 255.255.255.0
Set up dhcpd to service eth1 with IPs in the 192.169.0.* subnet
so that other machines will connect to the second nic and
obtain an IP automatically.

Set the ADSL to route everything to your machine (sometimes
this is referred to as a DMZ machine in the ADSL routers).

Note...
You may want to evaluate whether you need shorewall at all if
your Router is capable of being configured to route specific
types of connections to specific machines. It may provide
all the protection you need.

--
______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/ (907) 790-3386
._______________________________________
John S. Andersen
NORCOM mailto:JAndersen@norcomsoftware.com
Juneau, Alaska http://www.screenio.com/
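An added example, not taken from John's post or from the Shorewall project: a minimal Shorewall configuration for the layout he describes, with eth0 facing the ADSL router, eth1 serving the 192.168.0.1/255.255.255.0 network (written once as 192.168.0.0/24 rather than as a list of hosts, which is the answer to the /24 question) and dhcpd running on the firewall. Shorewall 4.6 file formats are assumed; 192.168.0.10 is a placeholder for the port-forwarded email server mentioned later in the thread.

```text
# /etc/shorewall/zones   (assumed Shorewall 4.6 format)
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4

# /etc/shorewall/interfaces
# "dhcp" on eth1 is needed because dhcpd on the firewall serves that NIC.
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        tcpflags,nosmurfs,dhcp

# /etc/shorewall/policy   (default verdicts; the rules file punches holes)
# Inbound from the Internet is dropped and logged unless a rule allows it.
#SOURCE DEST    POLICY  LOGLEVEL
loc     net     ACCEPT
loc     $FW     ACCEPT
$FW     all     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/masq   (hide the whole /24 behind eth0's address)
#INTERFACE   SOURCE
eth0         192.168.0.0/24

# /etc/shorewall/rules
# Only SMTP from the Internet is forwarded, to the placeholder mail host;
# everything else inbound falls through to the net->all DROP policy.
#ACTION      SOURCE   DEST                PROTO   DPORT
DNAT         net      loc:192.168.0.10    tcp     25
SSH(ACCEPT)  loc      $FW
Ping(ACCEPT) loc      $FW
```

With this in place `shorewall check` validates the files and `shorewall start` loads them; the loc zone is defined by the interface and subnet, so adding a host to 192.168.0.0/24 needs no firewall change.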
mlist wrote:

> I've just started to use shorewall and now require 2 nics in one machine, not
> sure how to setup the second nic? I'm connected to ADSL through a 4 port
> router and have a 1 sticky IP address, which hasn't changed for sometime.
>
> My understanding is that the first nic is eth0 and the second one is eth1.
> eth0 is using a static internal address 10.1.2.* /255.0.0.0 and connected to
> the internet. Another question if i want to secure my network what subnet
> should I use (ie /24) instead of listing all the ip addresses.?

First of all, it is very unclear to me what benefit you would derive from adding a Shorewall box behind your current router. The fact that the address that your current eth0 is using is 10.1.2.x means that the router (or a router ahead of it) is doing NAT, so the only inbound connections that are possible are those that the router is configured to allow.

So unless you are planning to replace the current 4-port router with the Shorewall box and a switch, I personally wouldn't bother.

If you still want to go ahead, I would configure the Shorewall box as a bridge (see http://shorewall.net/bridge.html). You can then just keep your current IP addresses (the bridge itself will be given eth0's former IP address; the NICs themselves aren't configured with addresses).

In general, you can't predict in what order NICs will be detected by your kernel. If you add a second NIC, it could very well be detected first and would then become eth0 while your existing card would suddenly become eth1. If the cards use different drivers, you can control which order the cards are detected in by the order of loading the drivers (usually, you would list the driver modules in /etc/modules in the order that you want them loaded).

-Tom

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On 26 Apr 2004 at 22:48, mlist wrote:

> On Monday 26 Apr 2004 10:10 pm, John S. Andersen wrote:
>
> Thanks for the info. Is it possible to continue to use ip 10.*.*.*
> rather than 192.*.*.* and use static addresses instead of DHCP.

Yes, see Tom's reply.

> The router is capable of routing specific types of connections to
> specific machines. I've setup port forwarding to my email server.
>
> My router also has a firewall built in but unable to use it properly
> because it uses IPchains or IPtables, not sure which one, so I thought
> if I start using Shorewall it would give me an understanding of how
> IPtables works.

While shorewall is very helpful in helping you set up an iptables firewall, it does not teach much about iptables. It's TOO successful at what it set out to do, namely make iptables accessible and easy to use.

On the other hand, even knowing a lot about iptables won't help you as far as managing your ADSL router, as it is undoubtedly all managed by a web interface. You just set up other routes thru the router the same way you set up port forwarding to your email server.

> Are you saying because I have a router I don't need to have a software
> firewall on my system?

Exactly. Let the router route what you want, and let it block what you don't want.

That is what Tom and I both said: you may not need shorewall. If all your machines can get an IP from the router via dhcp, you may not need shorewall at all.

On the other hand, if the router is set up to ONLY serve one internal IP, then you may need shorewall after all.

--
John S. Andersen
NORCOM / Juneau, Alaska
On Monday 26 Apr 2004 10:10 pm, John S. Andersen wrote:

Thanks for the info. Is it possible to continue to use ip 10.*.*.* rather than 192.*.*.* and use static addresses instead of DHCP. The router is capable of routing specific types of connections to specific machines. I've setup port forwarding to my email server.

My router also has a firewall built in but I am unable to use it properly because it uses IPchains or IPtables, not sure which one, so I thought if I start using Shorewall it would give me an understanding of how IPtables works.

Are you saying because I have a router I don't need to have a software firewall on my system?

Badboy

> On 26 Apr 2004 at 21:48, mlist wrote:
>
> > I've just started to use shorewall and now require 2 nics in one
> > machine, not sure how to setup the second nic? I'm connected to ADSL
> > through a 4 port router and have a 1 sticky IP address, which
> > hasn't changed for sometime.
> >
> > My understanding is that the first nic is eth0 and the second one
> > is eth1. eth0 is using a static internal address 10.1.2.* /255.0.0.0
> > and connected to the internet. Another question if i want to secure my
> > network what subnet should I use (ie /24) instead of listing all
> > the ip addresses.?
> >
> > Thanks
> >
> > Badboy
>
> Set up eth1 to use any private subnet, such as 192.169.0.1-255.
> Set eth1 as static IP 192.168.0.1 mask 255.255.255.0
> Set up dhcpd to service eth1 with IPs in the 192.169.0.* subnet
> so that other machines will connect to the second nic and
> obtain an IP automatically.
>
> Set the ADSL to route everything to your machine (sometimes
> this is referred to as a DMZ machine in the ADSL routers).
>
> Note...
> You may want to evaluate whether you need shorewall at all if
> your Router is capable of being configured to route specific
> types of connections to specific machines. It may provide
> all the protection you need.
On Monday 26 Apr 2004 10:35 pm, Tom Eastep wrote:

Thanks. Coming from Windows I thought I would need a firewall setup on my linux system. I will have a look at the article about bridging.

Badboy

> mlist wrote:
>
> > I've just started to use shorewall and now require 2 nics in one machine,
> > not sure how to setup the second nic? I'm connected to ADSL through a 4
> > port router and have a 1 sticky IP address, which hasn't changed for
> > sometime.
> >
> > My understanding is that the first nic is eth0 and the second one is
> > eth1. eth0 is using a static internal address 10.1.2.* /255.0.0.0 and
> > connected to the internet. Another question if i want to secure my
> > network what subnet should I use (ie /24) instead of listing all the ip
> > addresses.?
>
> First of all, it is very unclear to me what benefit you would derive
> from adding a Shorewall box behind your current router. The fact that
> the address that your current eth0 is using is 10.1.2.x means that the
> router (or a router ahead of it) is doing NAT so the only inbound
> connections that are possible are those that the router is configured to
> allow.
>
> So unless you are planning to replace the current 4-port router with the
> Shorewall box and a switch, I personally wouldn't bother.
>
> If you still want to go ahead, I would configure the Shorewall box as a
> bridge (see http://shorewall.net/bridge.html). You can then just keep
> your current IP addresses (the bridge itself will be given eth0's former
> IP address; the NICs themselves aren't configured with addresses).
>
> In general, you can't predict in what order NICs will be detected by
> your kernel. If you add a second NIC, it could very well be detected
> first and would then become eth0 while your existing card would suddenly
> become eth1. If the cards use different drivers, you can control which
> order the cards are detected in by the order of loading the drivers
> (usually, you would list the driver modules in /etc/modules in the order
> that you want them loaded).
>
> -Tom
On Monday 26 Apr 2004 10:45 pm, John S. Andersen wrote:

> On 26 Apr 2004 at 22:48, mlist wrote:
>
> > On Monday 26 Apr 2004 10:10 pm, John S. Andersen wrote:
> >
> > Thanks for the info. Is it possible to continue to use ip 10.*.*.*
> > rather than 192.*.*.* and use static addresses instead of DHCP.
>
> Yes, see Tom's reply.
>
> > The router is capable of routing specific types of connections to
> > specific machines. I've setup port forwarding to my email server.
> >
> > My router also has a firewall built in but unable to use it
> > properly because it uses IPchains or IPtables, not sure which one, so I
> > thought if I start using Shorewall it would give me an understanding of how
> > IPtables works.
>
> While shorewall is very helpful in helping you set up an iptables
> firewall, it does not teach much about iptables. It's TOO successful
> at what it set out to do, namely make iptables accessible and
> easy to use.
>
> On the other hand even knowing a lot about IPtables
> won't help you as far as managing your
> ADSL router, as it is undoubtedly all managed by
> a web interface. You just set up other routes thru the
> router the same way you set up port forwarding to your
> email server.

The only way to configure the firewall is to telnet into the router and use raw codes.

> > Are you saying because I have a router I don't need to have a
> > software firewall on my system?
>
> Exactly. Let the router route what you want, and let it block
> what you don't want.
>
> That is what Tom and I both said, you may not need
> shorewall. If all your machines can get an IP from the
> router via dhcp, you may not need shorewall at all.
>
> On the other hand if the router is set up to ONLY serve
> one internal IP, then you may need shorewall after all.

The router can use DHCP for the whole Network.

Thanks

Badboy