Hello all,
I have a question in regards to proxyarp and shorewall. I am new to shorewall
and I have 5 static IP addresses from my ISP. My current setup is that I have
one system with three network cards (eth0 = xx.xx.xx.42, eth1 = 192.168.110.41,
eth2 = 10.10.10.41) and two systems with two network cards (eth0 = xx.xx.xx.41
and eth1 = 10.10.10.42/44). I want to get rid of the eth1 of the two systems
and place them in the DMZ using proxyarp within shorewall. All the eth0s and
the DSL modem are plugged into a Linksys 10/100Mb switch, all the eth2s
(DMZ 10.x.x.x) are plugged into another Linksys 10/100/1000Mb switch, and the
eth1s (loc 192.x.x.x) are plugged into another 10/100Mb switch. I know that
this is not a safe setup, so I have looked at doing some firewall setup. All
the machines in the DMZ and on the Internet are Linux systems. I would like to
remove the two machines from the Internet machine, but I am currently using
those machines for DNS/WWW/SMTP. I have read a little about proxyarp, but
briefly tried it out and was unsuccessful in accessing those systems. I do see
some stuff fly by when I do a tcpdump -nei eth0 icmp, and I also see traffic on
my two Linux systems that I have set up to filter all the traffic coming in or
out by using iptables to log everything. I am wondering if I have set
something up wrong.
The setup that I want is to have the firewall machine plugged into the
DSL modem and two switches, one for the DMZ and one for the internal network.
From what I read, I would like to know whether on the DMZ systems I must
set up the static routable IPs that I have received from my ISP and set
the default gateway the same as my firewall.
How long after the configuration change (since they are parallel to
the firewall now) would it take, if the setup/config files are correct,
for the systems to start receiving and sending data?
Here are the files that I have set up in shorewall for this configuration; tell
me if you see anything that I might have done wrong:
Thanks
Shorewall Administrator (Bryan)
~~~~~~~~~~ config files ~~~~~~~~~~~~~
/etc/shorewall/proxyarp
xx.xx.xx.41 eth2 eth0 No
xx.xx.xx.44 eth2 eth0 No
/etc/shorewall/masq
eth0 192.168.110.0/24 xx.xx.xx.43
/etc/shorewall/interfaces
net Net Internet
loc Local Local Networks
dmz DMZ Demilitarized Zone
/etc/shorewall/rules
ACCEPT net dmz:xx.xx.xx.41 tcp 25
ACCEPT fw dmz:xx.xx.xx.41 tcp 25
ACCEPT loc dmz:xx.xx.xx.44 tcp 25
ACCEPT loc dmz:xx.xx.xx.44 tcp 110
ACCEPT dmz:xx.xx.xx.44 net tcp 25
ACCEPT net dmz:xx.xx.xx.41 tcp 80
ACCEPT loc dmz:xx.xx.xx.41 tcp 80
ACCEPT net dmz:xx.xx.xx.44 tcp 80
ACCEPT loc dmz:xx.xx.xx.44 tcp 80
ACCEPT net dmz:xx.xx.xx.44 tcp 143
ACCEPT loc dmz:xx.xx.xx.44 tcp 143
ACCEPT net dmz:xx.xx.xx.44 tcp 220
ACCEPT loc dmz:xx.xx.xx.44 tcp 220
ACCEPT net dmz:xx.xx.xx.44 tcp 993
ACCEPT loc dmz:xx.xx.xx.44 tcp 993
ACCEPT net dmz:xx.xx.xx.41 tcp 443
ACCEPT loc dmz:xx.xx.xx.41 tcp 443
ACCEPT net dmz:xx.xx.xx.41 udp 53
ACCEPT net dmz:xx.xx.xx.41 tcp 53
ACCEPT loc dmz:xx.xx.xx.44 udp 53
ACCEPT loc dmz:xx.xx.xx.44 tcp 53
ACCEPT loc dmz:xx.xx.xx.41 udp 53
ACCEPT loc dmz:xx.xx.xx.41 tcp 53
ACCEPT dmz:xx.xx.xx.41 net udp 53
ACCEPT dmz:xx.xx.xx.41 net tcp 53
ACCEPT net fw tcp 22
ACCEPT loc dmz tcp 22
ACCEPT fw dmz tcp 22
#################################
##### MISC RULES #####
#################################
# Make ping work bi-directionally between the dmz, net, Firewall and local zone
# (assumes that the loc-> net policy is ACCEPT).
#
#ACCEPT net fw icmp 8
ACCEPT loc fw icmp 8
ACCEPT dmz fw icmp 8
ACCEPT loc dmz icmp 8
ACCEPT dmz loc icmp 8
ACCEPT dmz net icmp 8
ACCEPT fw net icmp
ACCEPT fw loc icmp
ACCEPT fw dmz icmp
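An added example, not from this post or from the Shorewall project: a small Python audit that reads a proxyarp file and a rules file in the format shown above and reports, for each dmz host, which ports are ACCEPTed from net, plus any ACCEPT rule naming a dmz:ADDRESS that has no proxyarp entry (a host that would be ruled for but never reachable). The 203.0.113.x addresses are constructed stand-ins for the masked xx.xx.xx values, and 203.0.113.45 is included on purpose to show the missing-entry case.

```python
from collections import defaultdict

# Constructed sample input in the format of the posted files. The
# 203.0.113.x addresses (documentation range) stand in for the masked xx.xx.xx
# values; 203.0.113.45 is added deliberately to show a rule with no proxyarp entry.
PROXYARP = """\
203.0.113.41 eth2 eth0 No
203.0.113.44 eth2 eth0 No
"""
RULES = """\
ACCEPT net dmz:203.0.113.41 tcp 25
ACCEPT fw dmz:203.0.113.41 tcp 25
ACCEPT net dmz:203.0.113.44 tcp 80
ACCEPT net dmz:203.0.113.44 tcp 143
ACCEPT net dmz:203.0.113.41 udp 53
ACCEPT net dmz:203.0.113.45 tcp 22
ACCEPT net fw tcp 22
# comment lines and blank lines are ignored
"""

def _records(text):
    """Yield the whitespace-split fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            yield fields

def parse_proxyarp(text):
    """Map ADDRESS -> (INTERFACE, EXTERNAL, HAVEROUTE as bool) from a proxyarp file."""
    return {f[0]: (f[1], f[2], f[3].lower() == "yes") for f in _records(text)}

def audit(proxyarp_text, rules_text):
    """Return (exposed, missing): ports each dmz host accepts from net, and
    ACCEPT rules whose dmz:ADDRESS destination has no proxyarp entry."""
    hosts = parse_proxyarp(proxyarp_text)
    exposed, missing = defaultdict(set), []
    for fields in _records(rules_text):
        if len(fields) < 5:
            continue  # need ACTION SOURCE DEST PROTO DEST-PORT
        action, src, dest, proto, port = fields[:5]
        zone, _, host = dest.partition(":")
        if action != "ACCEPT" or zone != "dmz" or not host:
            continue  # only host-specific ACCEPTs into the dmz are audited
        if host not in hosts:
            missing.append((src, host, proto, port))
        if src == "net":
            exposed[host].add(f"{proto}/{port}")
    return dict(exposed), missing
```

Call audit(PROXYARP, RULES) to get the per-host exposure map and the list of rules referencing hosts without a proxyarp entry; the real files can be passed in the same way after reading them from /etc/shorewall.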