I think this can be a FAQ, but I haven't found a simple answer. My need is having Shorewall on a gw that has more than 3 physical interfaces: eth0, ... eth5, where:

eth0 net

eth1 loc1 (192.168.1.x)
eth2 loc2 (192.168.2.x)
eth3 loc3 (192.168.3.x)

eth4 dmz1 (10.10.1.a)
eth5 dmz2 (10.20.1.b)

Where can I find sample files for this type of configuration?

Regards,
B.
Barbara M. wrote:
> I think this can be a FAQ, but I haven't found a simple answer.
> My need is having Shorewall on a gw that has more than 3 physical
> interfaces:
>
> eth0, ... eth5
>
> where:
>
> eth0 net
>
> eth1 loc1 (192.168.1.x)
> eth2 loc2 (192.168.2.x)
> eth3 loc3 (192.168.3.x)
>
> eth4 dmz1 (10.10.1.a)
> eth5 dmz2 (10.20.1.b)
>
> Where can I find sample files for this type of configuration?

There are none.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
At 09:52 AM 6/29/2004, Barbara M. wrote:
> I think this can be a FAQ, but I haven't found a simple answer.
> My need is having Shorewall on a gw that has more than 3 physical
> interfaces:
>
> eth0, ... eth5

Use the three-interface quick guide, and modify it according to your needs. I have just built a five-interface firewall using Shorewall 2.0.2 and everything went very smoothly.

Cheers,
--
Rodolfo J. Paiz
rpaiz@simpaticus.com
http://www.simpaticus.com
On Tue, 29 Jun 2004, Rodolfo J. Paiz wrote:
> At 09:52 AM 6/29/2004, Barbara M. wrote:
>> I think this can be a FAQ, but I haven't found a simple answer.
>> My need is having Shorewall on a gw that has more than 3 physical
>> interfaces:
>>
>> eth0, ... eth5
>
> Use the three-interface quick guide, and modify it according to your needs.
> I have just built a five-interface firewall using Shorewall 2.0.2 and
> everything went very smoothly.

What are the modifications needed/suggested?

Regards,
B.
At 11:38 AM 6/29/2004, Barbara M. wrote:
>> Use the three-interface quick guide, and modify it according to your
>> needs. I have just built a five-interface firewall using Shorewall 2.0.2
>> and everything went very smoothly.
>
> What are the modifications needed/suggested?

Create more zones if you need them, create more interfaces since you have them, then modify masq and rules or whatever else to suit your specific needs.

Cheers,
--
Rodolfo J. Paiz
rpaiz@simpaticus.com
http://www.simpaticus.com
Barbara M. wrote:
> On Tue, 29 Jun 2004, Rodolfo J. Paiz wrote:
>> At 09:52 AM 6/29/2004, Barbara M. wrote:
>>> I think this can be a FAQ, but I haven't found a simple answer.
>>> My need is having Shorewall on a gw that has more than 3 physical
>>> interfaces:
>>>
>>> eth0, ... eth5
>>
>> Use the three-interface quick guide, and modify it according to your needs.
>> I have just built a five-interface firewall using Shorewall 2.0.2 and
>> everything went very smoothly.
>
> What are the modifications needed/suggested?

No modifications needed, other than defining interfaces, zones, and policies. I've got two 6-NIC Shorewalls and I love them. My only suggestion is to use the same NICs so you only have to load one or two kernel modules.

--
Matt Burleigh
Senior Systems Engineer
Enterprise Integration, Inc.
eiisolutions.com
703.236.0790
Rodolfo J. Paiz wrote:
> At 11:38 AM 6/29/2004, Barbara M. wrote:
>>> Use the three-interface quick guide, and modify it according to your
>>> needs. I have just built a five-interface firewall using Shorewall 2.0.2
>>> and everything went very smoothly.
>>
>> What are the modifications needed/suggested?
>
> Create more zones if you need them, create more interfaces since you
> have them, then modify masq and rules or whatever else to suit your
> specific needs.

Although more zones are only needed/recommended if you have need for firewalling between the similar interfaces (e.g., between dmz1 and dmz2); otherwise, just assign both eth4 and eth5 to a single dmz zone.

-Tom
> Rodolfo J. Paiz wrote:
>> At 11:38 AM 6/29/2004, Barbara M. wrote:
>>>> Use the three-interface quick guide, and modify it according to your
>>>> needs. I have just built a five-interface firewall using Shorewall 2.0.2
>>>> and everything went very smoothly.
>>>
>>> What are the modifications needed/suggested?
>>
>> Create more zones if you need them, create more interfaces since you
>> have them, then modify masq and rules or whatever else to suit your
>> specific needs.
>
> Although more zones are only needed/recommended if you have need for
> firewalling between the similar interfaces (e.g., between dmz1 and
> dmz2); otherwise, just assign both eth4 and eth5 to a single dmz zone.

nice... that never occurred to me, I just set up four zones :)

--
Jack At Monkeynoodle.Org: It's A Scientific Venture...
"Every gun that is made, every warship launched, every rocket fired, signifies in the final sense a theft from those who hunger and are not fed, those who are cold and are not clothed." -- President Dwight D. Eisenhower, April 16, 1953
Tom Eastep wrote:
> Although more zones are only needed/recommended if you have need for
> firewalling between the similar interfaces (e.g., between dmz1 and
> dmz2); otherwise, just assign both eth4 and eth5 to a single dmz zone.

Why? Is there some advantage to using two or three NICs for a single zone?
Matt Burleigh wrote:
> Tom Eastep wrote:
>> Although more zones are only needed/recommended if you have need for
>> firewalling between the similar interfaces (e.g., between dmz1 and
>> dmz2); otherwise, just assign both eth4 and eth5 to a single dmz zone.
>
> Why? Is there some advantage to using two or three NICs for a single zone?

Intra-zone traffic is accepted by default. So why go to the bother of defining ACCEPT policies between your dmz* zones if you don't have to?

-Tom
On 29 Jun 2004 at 14:00, Tom Eastep wrote:
> Matt Burleigh wrote:
>> Tom Eastep wrote:
>>> Although more zones are only needed/recommended if you have need
>>> for firewalling between the similar interfaces (e.g., between dmz1
>>> and dmz2); otherwise, just assign both eth4 and eth5 to a single
>>> dmz zone.
>>
>> Why? Is there some advantage to using two or three NICs for a single
>> zone?
>
> Intra-zone traffic is accepted by default. So why go to the bother of
> defining ACCEPT policies between your dmz* zones if you don't have to?

I think Matt's question was more geared toward finding out WHY there are two NICs to the DMZ rather than having it all on one NIC...

--
John S. Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
mailto:JAndersen@norcomsoftware.com
----- Original Message -----
From: "Tom Eastep"
> Intra-zone traffic is accepted by default. So why go to the bother of
> defining ACCEPT policies between your dmz* zones if you don't have to?

Too funny. I didn't know that. But then again I've never needed more than 3 interfaces. I always assumed that you had to specify rules between subnetworks/interfaces regardless of zones to get traffic to work. I guess what I assumed was (regarding traffic flow) "what's not implicitly allowed is denied by default"... hmmmm :) Time to whip out my brown paper bag. 2-ply actually.

So, Tom, what you're saying is: if I have a 3-interface setup with a DMZ zone, and decide to add 4 more physical interfaces to that zone, then I don't need to do anything to the "rules" file or "policy" file to allow all new networks within the DMZ zone to inter-communicate? Just modify the masq file and that's it?

Thanks.

OT.. for your reading pleasure.. this is why I/you should listen to your elders. They have a lot of insight and humor.. :D
http://www.inthesetimes.com/site/main/article/cold_turkey/

Joshua Banks
Tom Eastep wrote:
> Intra-zone traffic is accepted by default. So why go to the bother of
> defining ACCEPT policies between your dmz* zones if you don't have to?

I was kinda hoping for some performance benefit.

I'm not grasping how your example works. So I would define two interfaces for a single zone? How would you write your ACCEPT policy for that?
> Tom Eastep wrote:
>> Although more zones are only needed/recommended if you have need for
>> firewalling between the similar interfaces (e.g., between dmz1 and
>> dmz2); otherwise, just assign both eth4 and eth5 to a single dmz zone.
>
> Why? Is there some advantage to using two or three NICs for a single zone?

not really -- just if you've got several physical segments that should all have the same policy, you can define that policy for one zone instead of repeating it across several zones (not to mention inter-zone policy).

--
Jack At Monkeynoodle.Org: It's A Scientific Venture...
Matt Burleigh wrote:
> Tom Eastep wrote:
>> Intra-zone traffic is accepted by default. So why go to the bother of
>> defining ACCEPT policies between your dmz* zones if you don't have to?
>
> I was kinda hoping for some performance benefit.

There is a modest performance benefit because the traffic is simply ACCEPTed rather than jumping off to some policy chain like dmz12dmz2 (read "dmz1 to dmz2") which contains an ACCEPT rule.

> I'm not grasping how your example works.
> So I would define two interfaces for a single zone?

Yes:

/etc/shorewall/interfaces:

dmz    eth2
dmz    eth3
...

> How would you write your ACCEPT policy for that?

You don't have to write any policy or any rules for traffic to be accepted between interfaces in the same zone. You can if you want to, but you don't have to, and it's slightly slower if you do (for the same reason mentioned above).

/etc/shorewall/policy:

dmz    dmz    ACCEPT

-Tom
John S. Andersen wrote:
> I think Matt's question was more geared toward finding out WHY there
> are two NICs to the DMZ rather than having it all on one NIC...

You'll have to ask the original poster why that's being done. The two-interface quickstart guide shows a case where it makes sense to have two interfaces to the 'loc' zone (section entitled "Adding a Wireless Segment to Your Two-interface Firewall").

-Tom
Joshua Banks wrote:
> ----- Original Message -----
> From: "Tom Eastep"
>> Intra-zone traffic is accepted by default. So why go to the bother of
>> defining ACCEPT policies between your dmz* zones if you don't have to?
>
> Too funny. I didn't know that. But then again I've never needed more than 3
> interfaces.
> I always assumed that you had to specify rules between
> subnetworks/interfaces regardless of zones to get traffic to work. I guess
> what I assumed was (regarding traffic flow) "what's not implicitly allowed
> is denied by default"... hmmmm :) Time to whip out my brown paper bag. 2-ply
> actually.

Given that zones are the basic building blocks of firewalling policy, it doesn't make much sense to disallow traffic within a zone. The only time that you have to do something to enable intra-zone traffic is if the Shorewall box is expected to route intra-zone traffic out the same interface that it came in on; in that case, you need to specify the 'routeback' option on the interface.

> So, Tom, what you're saying is: if I have a 3-interface setup with a DMZ zone,
> and decide to add 4 more physical interfaces to that zone, then I don't need
> to do anything to the "rules" file or "policy" file to allow all new
> networks within the DMZ zone to inter-communicate? Just modify the masq file
> and that's it?

That's it.

-Tom
John S. Andersen wrote:
> ...
> I think Matt's question was more geared toward finding out WHY there
> are two NICs to the DMZ rather than having it all on one NIC...

One reason might be that it's cheaper to buy an extra NIC than to buy one NIC & one switch...

--
Paul Gear, Manager IT Operations, Redlands College
38 Anson Road, Wellington Point 4160, Australia
(Please send attachments in portable formats such as PDF, HTML, or OpenOffice.)
--
The information contained in this message is copyright by Redlands College. Any use for direct sales or marketing purposes is expressly forbidden. This message does not represent the views of Redlands College.
Matt Burleigh wrote:
> ...
> No modifications needed, other than defining interfaces, zones, and
> policies. I've got two 6-NIC Shorewalls and I love them. My only
> suggestion is to use the same NICs so you only have to load one or two
> kernel modules.

My suggestion is to use as many different types as you can so you can tell which one is which if your modules.conf gets stuffed up. :-)

--
Paul Gear, Manager IT Operations, Redlands College
Paul Gear wrote:
> John S. Andersen wrote:
>> ...
>> I think Matt's question was more geared toward finding out WHY there
>> are two NICs to the DMZ rather than having it all on one NIC...
>
> One reason might be that it's cheaper to buy an extra NIC than to buy
> one NIC & one switch...

In that case, I think I would bridge the NICs rather than make a two-interface zone. In /etc/shorewall/interfaces, associate the zone with the bridge device and specify 'routeback'.

-Tom
On Tue, 29 Jun 2004, Tom Eastep wrote:
> John S. Andersen wrote:
>> I think Matt's question was more geared toward finding out WHY there
>> are two NICs to the DMZ rather than having it all on one NIC...
>
> You'll have to ask the original poster why that's being done. The
> two-interface quickstart guide shows a case where it makes sense to have
> two interfaces to the 'loc' zone (section entitled "Adding a Wireless
> Segment to Your Two-interface Firewall").

My idea is having 3 local and 2 dmz segments physically disconnected. So if my situation is:

eth0 net

eth1 loc1 (192.168.1.x)
eth2 loc2 (192.168.2.x)
eth3 loc3 (192.168.3.x)

eth4 dmz1 (10.10.1.a)
eth5 dmz2 (10.20.1.b)

No traffic between loc[123] and no traffic between dmz[12].

If I have understood, I only need to add in

-------------------------------
/etc/shorewall/interfaces:

loc eth1
loc eth2
loc eth3
dmz eth4
dmz eth5
-------------------------------

Other changes?

Regards,
B.
Barbara M. wrote:
> On Tue, 29 Jun 2004, Tom Eastep wrote:
>> John S. Andersen wrote:
>>> I think Matt's question was more geared toward finding out WHY there
>>> are two NICs to the DMZ rather than having it all on one NIC...
>>
>> You'll have to ask the original poster why that's being done. The
>> two-interface quickstart guide shows a case where it makes sense to have
>> two interfaces to the 'loc' zone (section entitled "Adding a Wireless
>> Segment to Your Two-interface Firewall").
>
> My idea is having 3 local and 2 dmz segments physically disconnected.
> So if my situation is:
>
> eth0 net
>
> eth1 loc1 (192.168.1.x)
> eth2 loc2 (192.168.2.x)
> eth3 loc3 (192.168.3.x)
>
> eth4 dmz1 (10.10.1.a)
> eth5 dmz2 (10.20.1.b)
>
> No traffic between loc[123] and no traffic between dmz[12].
>
> If I have understood, I only need to add in
>
> -------------------------------
> /etc/shorewall/interfaces:
>
> loc eth1
> loc eth2
> loc eth3
> dmz eth4
> dmz eth5
> -------------------------------

To allow traffic from loc[123] and dmz[12] to the Internet you'll need a policy like this:

/etc/shorewall/policy

loc1    net    ACCEPT
loc2    net    ACCEPT
loc3    net    ACCEPT
dmz1    net    ACCEPT
dmz2    net    ACCEPT

To provide masquerading for these zones you need something like this (assuming eth0 is your Internet interface):

/etc/shorewall/nat

eth0    eth1
eth0    eth2
eth0    eth3
eth0    eth4
eth0    eth5

And of course define your zones something like this:

/etc/shorewall/zones

net     Net       Internet
loc1    Local1    Local1 Network
loc2    Local2    Local2 Network
loc3    Local3    Local3 Network
dmz1    DMZ1      DMZ1 Network
dmz2    DMZ2      DMZ2 Network

That ought to do the basics.

--
Matt Burleigh
Senior Systems Engineer
Enterprise Integration, Inc.
eiisolutions.com
703.236.0790
Barbara M. wrote:
> ...
> My idea is having 3 local and 2 dmz segments physically disconnected.
> So if my situation is:
> ...
> No traffic between loc[123] and no traffic between dmz[12].
>
> If I have understood, I only need to add in
>
> -------------------------------
> /etc/shorewall/interfaces:
>
> loc eth1
> loc eth2
> loc eth3
> dmz eth4
> dmz eth5
> -------------------------------

No - if you expect the traffic to be controlled between those interfaces, they need to be in *different* zones, and you need to set appropriate policies between them and all your other zones.

--
Paul Gear, Manager IT Operations, Redlands College
Paul Gear wrote:
> Barbara M. wrote:
>> ...
>> My idea is having 3 local and 2 dmz segments physically disconnected.
>> So if my situation is:
>> ...
>> No traffic between loc[123] and no traffic between dmz[12].
>>
>> If I have understood, I only need to add in
>>
>> -------------------------------
>> /etc/shorewall/interfaces:
>>
>> loc eth1
>> loc eth2
>> loc eth3
>> dmz eth4
>> dmz eth5
>> -------------------------------
>
> No - if you expect the traffic to be controlled between those
> interfaces, they need to be in *different* zones, and you need to set
> appropriate policies between them and all your other zones.

She can also control traffic between the interfaces by adding these to the /etc/shorewall/policy file:

loc    loc    REJECT
dmz    dmz    REJECT

-Tom
At 05:32 PM 6/29/2004, Tom Eastep wrote:
> Paul Gear wrote:
>> One reason might be that it's cheaper to buy an extra NIC than to buy
>> one NIC & one switch...
>
> In that case, I think I would bridge the NICs rather than make a
> two-interface zone. In /etc/shorewall/interfaces, associate the zone with
> the bridge device and specify 'routeback'.

Perhaps it's as simple as that she only has two systems in the DMZ, so as Paul suggested two $7 NICs are cheaper than a $7 NIC and a $25 switch. Just a thought.

Cheers,
--
Rodolfo J. Paiz
rpaiz@simpaticus.com
http://www.simpaticus.com
Rodolfo J. Paiz wrote:
> At 05:32 PM 6/29/2004, Tom Eastep wrote:
>> Paul Gear wrote:
>>> One reason might be that it's cheaper to buy an extra NIC than to buy
>>> one NIC & one switch...
>>
>> In that case, I think I would bridge the NICs rather than make a
>> two-interface zone. In /etc/shorewall/interfaces, associate the zone
>> with the bridge device and specify 'routeback'.
>
> Perhaps it's as simple as that she only has two systems in the DMZ, so
> as Paul suggested two $7 NICs are cheaper than a $7 NIC and a $25
> switch. Just a thought.

I wasn't disagreeing with Paul's economics -- I simply said that if two NICs are used rather than a NIC and a switch then I would bridge the two NICs and put the two DMZ systems in the same network rather than routing through the firewall between two different networks. The physical diagram is the same but I believe that my way results in a less complicated setup.

-Tom
At 09:01 AM 7/1/2004, Tom Eastep wrote:
> I wasn't disagreeing with Paul's economics -- I simply said that if two
> NICs are used rather than a NIC and a switch then I would bridge the two
> NICs and put the two DMZ systems in the same network rather than routing
> through the firewall between two different networks. The physical diagram
> is the same but I believe that my way results in a less complicated setup.

I understand better now. My lack of understanding of bridging got in the way (since I still don't grok it, but at least can comprehend the idea).

--
Rodolfo J. Paiz
rpaiz@simpaticus.com
http://www.simpaticus.com
On 1 Jul 2004 at 8:47, Rodolfo J. Paiz wrote:
> At 05:32 PM 6/29/2004, Tom Eastep wrote:
>> Paul Gear wrote:
>>> One reason might be that it's cheaper to buy an extra NIC than to
>>> buy one NIC & one switch...
>>
>> In that case, I think I would bridge the NICs rather than make a
>> two-interface zone. In /etc/shorewall/interfaces, associate the zone
>> with the bridge device and specify 'routeback'.
>
> Perhaps it's as simple as that she only has two systems in the DMZ, so
> as Paul suggested two $7 NICs are cheaper than a $7 NIC and a $25
> switch. Just a thought.
>
> Cheers,

Not when you throw in two hours of tech time spent batting this idea around, opening the box, adding a NIC, reconfiguring Shorewall, and slapping forehead three months from now when the third box arrives in the DMZ.

It seems a penny-wise and pound-foolish implementation to me. Most folks can scrounge an old 10-meg hub. Spend the $25.

--
John S. Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
Tom Eastep wrote:
> ...
> I simply said that if two NICs are used rather than a NIC and a
> switch then I would bridge the two NICs and put the two DMZ systems
> in the same network rather than routing through the firewall
> between two different networks. The physical diagram is the same
> but I believe that my way results in a less complicated setup.

I tend to prefer them to be in separate zones, unless they have a specific need to communicate. That is why I would choose not to bridge and would probably choose multiple NICs in the firewall rather than a switch. In my opinion, a setup with DMZ servers individually attached to the outer guard and managed via NAT or proxy ARP is slightly more secure than one where they reside on the same segment.

--
Paul Gear, Manager IT Operations, Redlands College
Paul Gear wrote:
> In my opinion, a setup with DMZ servers individually
> attached to the outer guard and managed via NAT or proxy ARP is
> slightly more secure than one where they reside on the same segment.

You raise a good point -- the compromise of one DMZ server won't necessarily compromise the other if there's firewalling between them. Still, with Shorewall Bridge support, one can isolate the servers in the bridge config as well. In that case, though, it *does* make sense to use two zones:

/etc/shorewall/zones:

dmz1    DMZ-1
dmz2    DMZ-2

/etc/shorewall/interfaces:

-       br0     detect

/etc/shorewall/hosts:

dmz1    br0:eth2
dmz2    br0:eth3

-Tom
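The thread states Shorewall's zone semantics only in prose, so here is an added example (not Shorewall's own code, and not from any poster) that models them in Python for Barbara's six-NIC layout: the interfaces-file mapping from NICs to zones, the default that traffic between two NICs of one zone is accepted, Tom's `loc loc REJECT` / `dmz dmz REJECT` override, and the bridge-port variant that assigns `br0:eth2` and `br0:eth3` to separate zones via /etc/shorewall/hosts. The config text is constructed for the example, and the rule that an explicit same-zone policy wins regardless of its position in the file is a simplifying assumption, not a statement of Shorewall's exact chain ordering.

```python
"""Toy model of the Shorewall zone/policy behaviour discussed in the thread.

Added example, not Shorewall's code. It models only:
  * /etc/shorewall/interfaces  (ZONE INTERFACE ...)  mapping NICs to zones,
  * /etc/shorewall/hosts       (ZONE HOSTS)          mapping bridge ports to zones,
  * /etc/shorewall/policy      (SOURCE DEST POLICY)  with the 'all' wildcard,
  * the default that traffic between two NICs of the same zone is ACCEPTed
    unless an explicit same-zone policy (e.g. 'loc loc REJECT') says otherwise.
"""
from typing import Dict, List


def _fields(text: str) -> List[List[str]]:
    """Drop comments and blank lines, split the rest into whitespace columns."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def zone_map(interfaces: str, hosts: str = "") -> Dict[str, str]:
    """Return {port: zone}. A '-' in the ZONE column defers to the hosts file."""
    zones = {iface: zone for zone, iface, *_ in _fields(interfaces) if zone != "-"}
    zones.update({port: zone for zone, port, *_ in _fields(hosts)})
    return zones


def decide(zones: Dict[str, str], policy: str, src_port: str, dst_port: str) -> str:
    """Policy applied to a new connection entering src_port and leaving dst_port."""
    src, dst = zones[src_port], zones[dst_port]
    rules = [(s, d, act.upper()) for s, d, act, *_ in _fields(policy)]
    if src == dst:
        # Assumption (simplified): an explicit same-zone policy overrides the
        # default wherever it appears in the file; otherwise intra-zone is ACCEPT.
        for s, d, act in rules:
            if (s, d) == (src, dst):
                return act
        return "ACCEPT"
    for s, d, act in rules:  # first match wins; 'all' matches any zone
        if s in (src, "all") and d in (dst, "all"):
            return act
    raise ValueError(f"no policy covers {src}->{dst}; Shorewall requires one")


# Constructed sample files following Barbara's layout and the thread's advice.
INTERFACES = """
net  eth0  detect
loc  eth1  detect
loc  eth2  detect
loc  eth3  detect
dmz  eth4  detect
dmz  eth5  detect
"""
POLICY_OPEN = """
loc  net  ACCEPT
dmz  net  ACCEPT
net  all  DROP
all  all  REJECT
"""
# Tom's answer to "no traffic between loc[123] and none between dmz[12]".
POLICY_ISOLATED = "loc  loc  REJECT\ndmz  dmz  REJECT\n" + POLICY_OPEN

# Tom's bridge variant: one br0 whose two ports land in separate zones.
BRIDGE_INTERFACES = "-  br0  detect\n"
BRIDGE_HOSTS = "dmz1  br0:eth2\ndmz2  br0:eth3\n"
BRIDGE_POLICY = "dmz1  dmz2  REJECT\ndmz2  dmz1  REJECT\nall  all  REJECT\n"

if __name__ == "__main__":
    z = zone_map(INTERFACES)
    print("eth1->eth2, open policy:    ", decide(z, POLICY_OPEN, "eth1", "eth2"))
    print("eth1->eth2, loc loc REJECT: ", decide(z, POLICY_ISOLATED, "eth1", "eth2"))
    bz = zone_map(BRIDGE_INTERFACES, BRIDGE_HOSTS)
    print("br0:eth2->br0:eth3 (bridge):", decide(bz, BRIDGE_POLICY, "br0:eth2", "br0:eth3"))
```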