In an effort to move my DMZ from a Snapgear router to Linux with shorewall. Question is I have network 64.42.53.200/29, which makes default gw 64.42.53.201, network 64.42.53.200, broadcast 64.42.53.207, mask 255.255.255.248, and I want to set up shorewall with eth0 64.42.53.202, eth1 local, eth2 dmz, where dmz will use say 64.42.53.203 for web and email server. Where I do not need, or should I say use, proxy arp in non routed. Could I divide this network with say 255.255.255.252 mask so I could reach my dmz server eth2 with the 64.42.53.203 address?

Thanks
Mike
On Mon, 2004-11-22 at 14:38 -0800, Mike Lander wrote:
> In an effort to move my DMZ from a Snapgear router to Linux with shorewall.
> Question is I have network 64.42.53.200/29,
> which makes default gw 64.42.53.201, network 64.42.53.200, broadcast
> 64.42.53.207,
> mask 255.255.255.248, and I want to set up shorewall with eth0 64.42.53.202,
> eth1 local, eth2 dmz, where dmz will use say 64.42.53.203 for web and email
> server.
> Where I do not need, or should I say use, proxy arp in non routed. Could I
> divide this network with say 255.255.255.252 mask
> so I could reach my dmz server eth2 with the 64.42.53.203 address?

I'd use proxy ARP. The setup would actually look a lot like mine (http://shorewall.net/myfiles.htm).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
> I'd use proxy ARP. The setup would actually look a lot like mine
> (http://shorewall.net/myfiles.htm).
>
> -Tom

Is your DSL modem running NAT? Why the 192.168.1.1? The reason I ask is all the CSU/DSUs I am attempting to compare have NAT turned off, which bridges the FQ IPs to eth0 in the firewall. It confuses me that your DSL modem is 192.168.1.1.

Mike
On Mon, 2004-11-22 at 15:56 -0800, Mike Lander wrote:
> > I'd use proxy ARP. The setup would actually look a lot like mine
> > (http://shorewall.net/myfiles.htm).
> >
> > -Tom
> Is your DSL modem running NAT? Why the 192.168.1.1? The reason I ask is
> all the CSU/DSUs I am attempting to compare have NAT turned off,
> which bridges the FQ IPs to eth0 in the firewall.
> It confuses me that your DSL modem is 192.168.1.1.

It's running as a bridge -- 192.168.1.1 is the IP address used to access the builtin web server.

-Tom
>> Is your DSL modem running NAT? Why the 192.168.1.1? The reason I ask is
>> all the CSU/DSUs I am attempting to compare have NAT turned off,
>> which bridges the FQ IPs to eth0 in the firewall.
>> It confuses me that your DSL modem is 192.168.1.1.
>
> It's running as a bridge -- 192.168.1.1 is the IP address used to access
> the builtin web server.
>
> -Tom

Oh, that essentially makes the admin config of the modem only available internally?

Thanks
Mike
On Mon, 2004-11-22 at 16:07 -0800, Mike Lander wrote:
> >> Is your DSL modem running NAT? Why the 192.168.1.1? The reason I ask is
> >> all the CSU/DSUs I am attempting to compare have NAT turned off,
> >> which bridges the FQ IPs to eth0 in the firewall.
> >> It confuses me that your DSL modem is 192.168.1.1.
> >
> > It's running as a bridge -- 192.168.1.1 is the IP address used to access
> > the builtin web server.
> >
> > -Tom
> Oh, that essentially makes the admin config of the modem only available
> internally?
>

Yes. And why waste a public IP address on a Westell 2200.

-Tom
> On Mon, 2004-11-22 at 14:38 -0800, Mike Lander wrote:
>> In an effort to move my DMZ from a Snapgear router to Linux with shorewall.
>> Question is I have network 64.42.53.200/29,
>> which makes default gw 64.42.53.201, network 64.42.53.200, broadcast
>> 64.42.53.207,
>> mask 255.255.255.248, and I want to set up shorewall with eth0
>> 64.42.53.202,
>> eth1 local, eth2 dmz, where dmz will use say 64.42.53.203 for web and email
>> server.
>> Where I do not need, or should I say use, proxy arp in non routed.
>> Could I
>> divide this network with say 255.255.255.252 mask
>> so I could reach my dmz server eth2 with the 64.42.53.203 address?
>
> I'd use proxy ARP. The setup would actually look a lot like mine
> (http://shorewall.net/myfiles.htm).
>
> -Tom

-- note mistake above, this is a routed network

In the above slash 29 network, 64.42.53.202 Fedora shorewall is net eth0, to move the (web server and mail server 64.42.53.203, micro$2000 server, IIS5 and IMail) to a DMZ with proxy arp. Is this the correct procedure?

1. Assign the web server 64.42.53.203 IP, mask 255.255.255.248, gw 64.42.53.201 on its interface, and in my case since there is one DMZ server, hook with crossover cable to eth2, the DMZ interface.

2. Assign eth2 192.168.200.1, mask 255.255.255.248, gw 64.42.53.201 on eth2 and do proxy arp:

   /etc/proxyarp
   #ADDRESS      INTERFACE   EXTERNAL   HAVEROUTE
   64.42.53.203  eth2        eth0       No

3. Leave eth0 the same: 64.42.53.202, mask 255.255.255.248, gw 64.42.53.201 on eth0.

4. Leave local eth1 the same: 10.19.227.20, mask 255.255.255.0, gw 64.42.53.201 on eth1.

Then the policies and rules that apply to DMZ stuff.

One thing that confused me on your network example Tom is you DNAT smtp but not web traffic; you just accept web traffic to dmz, not DNAT it. Also the micro$ server uses 1433 to SQL over the internet, so I wonder if I need DNAT for 25 and 1433 sql. The DMZ server does 21,25,80,110,imap,443,1433 (the 1433 SQL).

Thank you,
Mike
On Tue, 2004-11-23 at 11:28 -0800, Mike Lander wrote:
> -- note mistake above, this is a routed network
>
> In the above slash 29 network, 64.42.53.202 Fedora shorewall is net eth0,
> to move the (web server and mail server 64.42.53.203, micro$2000 server, IIS5
> and IMail) to a DMZ with proxy arp.
> Is this the correct procedure?

In any routing scenario, you need to ensure two things:

a) Incoming traffic destined for hosts on the other side of the router must be directed to the router.

b) Outgoing traffic to those hosts must be routed correctly.

An entry in /etc/shorewall/proxyarp with 'No' in the HAVEROUTE column ensures both of these. But in a routed setup, a) isn't an issue since by definition the upstream router is already sending traffic for the hosts behind the router to the router itself.

In other words, in a routed setup Proxy ARP is overkill (although it won't hurt anything).

> 1. Assign the web server 64.42.53.203 IP, mask 255.255.255.248, gw
> 64.42.53.201 on its interface,
> and in my case since there is one DMZ server, hook with crossover cable to
> eth2, the DMZ interface.

If you don't use proxy arp, you will want the server's gateway to be 64.42.53.202 (IP address of eth0 on the firewall).

> 2. Assign eth2 192.168.200.1, mask 255.255.255.248, gw 64.42.53.201 on eth2
> and do proxy arp

The configuration of eth2 is largely irrelevant but you certainly don't want to confuse things by assigning any default gateway out of that interface. I personally would configure it as 64.42.53.202/32 as described in the Shorewall proxy ARP docs.

> /etc/proxyarp
> #ADDRESS      INTERFACE   EXTERNAL   HAVEROUTE
> 64.42.53.203  eth2        eth0       No

I would just configure a host route to 64.42.53.203 on eth2.

> 3. Leave eth0 the same: 64.42.53.202, mask 255.255.255.248, gw 64.42.53.201 on
> eth0.
> 4. Leave local eth1 the same: 10.19.227.20, mask 255.255.255.0, gw 64.42.53.201
> on eth1.
> Then the policies and rules that apply to DMZ stuff.
> One thing that confused me on your network example Tom is you DNAT smtp but
> not web traffic

I DNAT smtp traffic sent to the hosts handled with static NAT to have it sent to the SMTP server in the DMZ. This compensates for an occasional screwup where a mailer I'm trying out autoconfigures my email address as 'teastep@ursa.shorewall.net' rather than 'teastep@shorewall.net'.

> you just accept web traffic to dmz, not DNAT it.
> Also the micro$ server uses 1433 to SQL over the internet, so I wonder if I
> need DNAT for 25 and 1433 sql.
> The DMZ server does 21,25,80,110,imap,443,1433 (the 1433 SQL).

Unless you are like me and have traffic being sent to the wrong host occasionally, there is no need to use DNAT in this setup.

-Tom
>> -- note mistake above, this is a routed network
>>
>> In the above slash 29 network, 64.42.53.202 Fedora shorewall is net eth0,
>> to move the (web server and mail server 64.42.53.203, micro$2000 server,
>> IIS5
>> and IMail) to a DMZ with proxy arp.
>> Is this the correct procedure?
>
> In any routing scenario, you need to ensure two things:
>
> a) Incoming traffic destined for hosts on the other side of the router
> must be directed to the router.
>
> b) Outgoing traffic to those hosts must be routed correctly.
>
> An entry in /etc/shorewall/proxyarp with 'No' in the HAVEROUTE column
> ensures both of these. But in a routed setup, a) isn't an issue since by
> definition the upstream router is already sending traffic for the hosts
> behind the router to the router itself.
>
> In other words, in a routed setup Proxy ARP is overkill (although it
> won't hurt anything).
>
>> 1. Assign the web server 64.42.53.203 IP, mask 255.255.255.248, gw
>> 64.42.53.201 on its interface,
>> and in my case since there is one DMZ server, hook with crossover cable
>> to
>> eth2, the DMZ interface.
>
> If you don't use proxy arp, you will want the server's gateway to be
> 64.42.53.202 (IP address of eth0 on the firewall).
>
> The configuration of eth2 is largely irrelevant but you certainly don't
> want to confuse things by assigning any default gateway out of that
> interface. I personally would configure it as 64.42.53.202/32 as
> described in the Shorewall proxy ARP docs.
>
>> /etc/proxyarp
>> #ADDRESS      INTERFACE   EXTERNAL   HAVEROUTE
>> 64.42.53.203  eth2        eth0       No
>
> I would just configure a host route to 64.42.53.203 on eth2.

If I don't use proxy arp: in your routed example you use a FQ IP on eth2, so with the host in dmz 64.42.53.203, would eth2 have to use a FQ IP? Say eth2 64.42.53.205?

Mike
On Tue, 2004-11-23 at 14:12 -0800, Mike Lander wrote:
> > If you don't use proxy arp, you will want the server's gateway to be
> > 64.42.53.202 (IP address of eth0 on the firewall).
> >
> > The configuration of eth2 is largely irrelevant but you certainly don't
> > want to confuse things by assigning any default gateway out of that
> > interface. I personally would configure it as 64.42.53.202/32 as
> > described in the Shorewall proxy ARP docs.
> >
> >> /etc/proxyarp
> >> #ADDRESS      INTERFACE   EXTERNAL   HAVEROUTE
> >> 64.42.53.203  eth2        eth0       No
> >
> > I would just configure a host route to 64.42.53.203 on eth2.
>
> If I don't use proxy arp: in your routed example you use a FQ IP on eth2,
> so with the host in dmz 64.42.53.203, would eth2 have to use a FQ IP?
> Say eth2 64.42.53.205?

Mike, read what I wrote! I am recommending that eth2 be configured as 64.42.53.202/32. There is absolutely no point in wasting one of your public IP addresses on eth2 when you can re-use the IP of eth0 and configure a host route to your single DMZ host.

-Tom
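As an added example (not code from the thread or from the Shorewall project), here is the routed DMZ that Tom describes in his two replies above, written as Shorewall 2.x configuration files plus the two interface commands: eth2 reuses eth0's address as a /32, a host route sends the single DMZ host out eth2, and the services Mike listed are ordinary ACCEPT rules with no proxy ARP and no DNAT. The column layout assumes Shorewall 2.x (current when this thread was written); the SQL client address is a constructed placeholder, and the script writes to a local directory rather than /etc/shorewall.

```shell
#!/bin/sh
# Added example, not from the thread or the Shorewall project: Shorewall 2.x-style
# files for Mike's routed DMZ done the way Tom describes (eth2 = eth0's IP as /32,
# host route to the DMZ server, plain ACCEPT rules, no proxy ARP, no DNAT).
# Assumed: Shorewall 2.x column layout; SQL_CLIENT is a constructed placeholder.
FW_IP=64.42.53.202                        # firewall eth0, from the thread
DMZ_HOST=64.42.53.203                     # the single DMZ server, from the thread
SQL_CLIENT="${SQL_CLIENT:-203.0.113.10}"  # only remote host allowed to reach 1433

# Routed-variant interface/route commands, printed rather than run so the script
# is safe anywhere; to apply as root: routed_dmz_cmds | sh
routed_dmz_cmds() {
    printf 'ip addr add %s/32 dev eth2\n' "$FW_IP"
    printf 'ip route add %s/32 dev eth2\n' "$DMZ_HOST"
}

# Write zones/interfaces/policy/rules into DIR (default ./shorewall-dmz).
write_shorewall_dmz() {
    dir="${1:-./shorewall-dmz}"
    mkdir -p "$dir"
    cat >"$dir/zones" <<'EOF'
#ZONE   DISPLAY   COMMENTS
net     Net       Internet (eth0)
loc     Local     Local network (eth1)
dmz     DMZ       Single server on eth2
EOF
    cat >"$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter
loc     eth1        detect
dmz     eth2        -
EOF
    # dmz may never open connections to loc: that pair falls to the final REJECT.
    cat >"$dir/policy" <<'EOF'
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
loc       dmz    ACCEPT
dmz       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info
EOF
    {
        echo '#ACTION   SOURCE              DEST               PROTO   DEST PORT(S)'
        for p in 21 25 80 110 143 443; do   # Mike's public services (143 = imap)
            printf 'ACCEPT    net                 dmz:%s   tcp     %s\n' "$DMZ_HOST" "$p"
        done
        # SQL Server: one named remote client instead of the whole net zone
        printf 'ACCEPT    net:%s   dmz:%s   tcp     1433\n' "$SQL_CLIENT" "$DMZ_HOST"
    } >"$dir/rules"
}
```

Because eth2 carries only a /32 and a host route, the DMZ server's own default gateway is 64.42.53.202, exactly as Tom says for the non proxy-ARP case.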
>> If I don't use proxy arp: in your routed example you use a FQ IP on eth2,
>> so with the host in dmz 64.42.53.203, would eth2 have to use a FQ IP?
>> Say eth2 64.42.53.205?
>
> Mike, read what I wrote! I am recommending that eth2 be configured as
> 64.42.53.202/32. There is absolutely no point in wasting one of your
> public IP addresses on eth2 when you can re-use the IP of eth0 and
> configure a host route to your single DMZ host.

Tom,

Sorry, I thought you recommended it only in case I use proxy arp. I think I will understand better when I get some hands-on experience. In fact at this time I am firing up an old shorewall server to practice with on my network. I have been reading for 10 hrs at least, because I will be moving the IPsec tunnel off of this shorewall box and have much more work to do after I get this DMZ up.

Thanks,
Mike