I am considering replacing my old Checkpoint and Watchguard firewalls with a single Linux box using iptables and Shorewall. I have two ISPs (with separate routing tables), two DMZs, at least one VPN to a remote office, and a local trusted network. The configuration will look like:

                    +----------------+
                    |                |
    net0 -----------+ eth1      eth3 +---- DMZ0 (~20 nodes)
                    |                |
    net1 -----------+ eth2      eth4 +---- DMZ1 (~5 nodes)
                    |      eth0      |
                    +--------+-------+
                             |
                             |
                       Local (~120 nodes)

The 1.544 M$ question is: can Shorewall handle this kind of a setup? I've used Shorewall for my home network, but has anyone out there used it in the kind of environment shown above?

--
Stephen Carville
Unix and Network Administrator
DPSI
6033 W. Century Blvd.
Los Angeles, CA 90045
310-342-3602
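As an added illustration (not from this thread or the Shorewall project), this is how the topology above maps onto Shorewall's configuration files in the Shorewall 4-era column format: zone names follow the diagram, the two ISPs get their own routing tables via the providers file, and the policy is default deny so the DMZs can never initiate traffic into the local zone. All IP addresses, DMZ hosts, the OpenVPN interface name and the service ports are placeholder assumptions.

```text
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net0    ipv4
net1    ipv4
dmz0    ipv4
dmz1    ipv4
loc     ipv4
vpn     ipv4

# /etc/shorewall/interfaces  (tun0 is the assumed OpenVPN link to the remote office)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net0    eth1        detect      tcpflags,nosmurfs,logmartians
net1    eth2        detect      tcpflags,nosmurfs,logmartians
dmz0    eth3        detect      tcpflags,nosmurfs
dmz1    eth4        detect      tcpflags,nosmurfs
loc     eth0        detect      tcpflags,nosmurfs
vpn     tun0        -

# /etc/shorewall/providers  (one routing table per ISP; 'track' keeps replies on the
# link they arrived on; the gateway addresses are placeholders)
#NAME   NUMBER  MARK    DUPLICATE   INTERFACE   GATEWAY         OPTIONS
isp0    1       1       main        eth1        192.0.2.1       track,balance
isp1    2       2       main        eth2        198.51.100.1    track,balance

# /etc/shorewall/policy  (default deny: unlisted traffic is rejected and logged;
# the DMZs may reach the Internet but nothing from a DMZ reaches loc unless a rule allows it)
#SOURCE DEST    POLICY  LOG LEVEL
loc     net0    ACCEPT
loc     net1    ACCEPT
dmz0    net0    ACCEPT
dmz0    net1    ACCEPT
dmz1    net0    ACCEPT
dmz1    net1    ACCEPT
$FW     all     ACCEPT
net0    all     DROP    info
net1    all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules  (DMZ host addresses and ports are placeholders)
#ACTION SOURCE  DEST            PROTO   DEST PORT(S)
DNAT    net0    dmz0:10.1.0.10  tcp     80,443
DNAT    net1    dmz0:10.1.0.10  tcp     80,443
DNAT    net0    dmz1:10.2.0.25  tcp     25
ACCEPT  loc     dmz0            tcp     22
ACCEPT  loc     dmz1            tcp     22
ACCEPT  net0    $FW             udp     1194
ACCEPT  vpn     loc             tcp     445
ACCEPT  loc     vpn
```

The masquerading entries for the private ranges on eth1 and eth2 and the shorewall.conf settings are omitted here; after editing, `shorewall check` validates the files before `shorewall restart` loads them.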
Stephen Carville wrote:
> The 1.544 M$ question is can Shorewall handle this kind of a setup?

I have a similar setup except with only one DMZ and different ethX numbers for each network.

Works great. I was using FIAIF before, but Shorewall is much simpler to set up and still offers more functionality.

Mike
And harden the OS, of course, to be more secure.

On Fri, 03 Sep 2004 13:32:01 -0700, Mike Fedyk <mfedyk@matchmail.com> wrote:
> I have a similar setup except with only one DMZ and different ethX
> numbers for each network.
>
> Works great.

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
Hi there,

I have more than one customer running this kind of setup. I avoided replacing Checkpoints with Netfilter/Iptables/Shorewall where VPN (IPSEC) was part of the game, but as long as it is pure firewalling the Netfilter/Iptables/Shorewall combo does a nice job.

--
Axel Westerhold
Congos Inc.
Technical Lead
Tel: (+49) 5732 688040
Cell: (+49) 171 9754 756
PK: 1EF597FA

Stephen Carville wrote:
> The 1.544 M$ question is can Shorewall handle this kind of a setup?
On Mon, 6 Sep 2004, Axel Westerhold wrote:
- I avoided to replace Checkpoints with Netfilter/Iptables/Shorewall where VPN (IPSEC)
- was part of the game but as long as it is pure firewalling the
- Netfilter/Iptables/Shorewall combo does a nice job.

I am planning on using OpenVPN to replace the IPSEC tunnels. I've been testing it between my home firewall and my testbed at work. So far it has proven to be very robust. It survived several reboots and a DSL outage, and adds about two or three milliseconds to round trip times.

--
Stephen
Well,

it's not that much stability which let me keep Checkpoint but capability and ease of management. Most of our Checkpoint installs are running 10+ LAN-to-LAN tunnels in addition to road-warrior configurations. The management and logging facilities are simply better for day to day work and troubleshooting. In addition, while OpenVPN is stable and nice in an environment you control completely, I normally fight with Ciscos, Linux, BSD/MacOS, Watchguard, Astaro etc. connecting to my gateways. So I have to use IPSEC.

All in all, as said, if this is a closed environment Shorewall will be able to configure your netfilter to work fast and stable.

--
Axel Westerhold
Congos Inc.
Technical Lead
PK: 1EF597FA

Stephen Carville wrote:
> I am planning on using OpenVPN to replace the IPSEC tunnels.
On Mon, 6 Sep 2004, Axel Westerhold wrote:
- In addition, while OpenVPN is stable and nice in an environment you control completely
- I normally fight with Ciscos, Linux, BSD/MacOS, Watchguard, Astaro etc. connecting
- to my gateways. So I have to use IPSEC.

A warning on Watchguard and Checkpoint:

A virus that recently broke out in a remote office was probing 192.168.120.0/24 for infectable machines over a VPN link. This network is reached by routing the request thru the Checkpoint to a Watchguard Firebox. If the particular destination address does not happen to exist on the FB side, the Firebox returns an ICMP port unreachable packet using the original destination address of the SYN packets as the source address for the ICMP packet. Checkpoint sees this packet and adds the address to its licensed host file. Once the number of licensed hosts exceeds about 125% of the license limit (100 in this case), the Checkpoint slows down to where it is almost useless.

It generally took an infected machine about 120 seconds to generate 254 SYN packets, so even the trick of clearing the hosts file by deleting fwd.h and fwd.hosts didn't do any good.

--
Stephen
> -----Original Message-----
> From: shorewall-users-bounces@lists.shorewall.net
> [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Stephen Carville
> Sent: Tuesday, 7 September 2004 3:31 AM
> To: Mailing List for Shorewall Users
> Subject: Re: [Shorewall-users] Shorewall as a "commercial" firewall
>
> A warning on Watchguard and Checkpoint:
>
> Checkpoint sees this packet and adds the address to its licensed host file. Once the number
> of licensed hosts exceeds about 125% of the license limit (100 in this case), the Checkpoint
> slows down to where it is almost useless.

From that I gather that the virus caused Checkpoint to cause a DoS on its own network?

I have steered clear of firewall hardware/software that have a number of users attached to their licensing, especially when it is enforced with potentially very disruptive results, like this.

I am now using Shorewall on many sites, several of which are on Gentoox on Xboxes. I have found that it does all I need and then some, and some of the situations I am dealing with are _extremely_ complex, with traffic shaping, asymmetric routes, MAC tables, SNAT, DNAT, IPsec passthrough, reflecting, reverse proxying, transparent proxying with content filtering, etc...

Quite frankly, "Thrilled" would be a word that aptly describes my opinion of Shorewall.

Regards,
T