Hello all:

I've read the documentation and am not quite sure where to start.
What I'm trying to do is build a network with a 3 NIC Shorewall router.

My system is behind a routed /49 network.

I'd like to use 2 or 3 of the static IP addresses for my DMZ (DNS server, mail, webserver etc.) and then have my remaining machines in a private network NATed in some way.

My private network machines need to be able to access the DMZ machines of course.

My network IPs are as follows:

Network IP: 66.80.68.80
Gateway: 66.80.68.81 (Efficient 5851 SDSL [ATM] Router)
Routable IPs: 66.80.68.82 - 66.80.68.86
Broadcast IP: 66.80.68.87
Subnet mask: 255.255.255.248

I need some help in setting this up. I've read the documentation and I'm not quite sure, and I don't want to mess things up as I am hosting several sites now.

I figured it was time to set things up properly, but I just don't have the networking background to fully comprehend the documentation...

I have two separate switches... one will be for the DMZ and the other will be for the private network.

Thanks all,

-- 
Jim Norton - http://www.jimnorton.org
"The art of listening is indispensable for the right use of the mind. It is also the most gracious, the most open and the most generous of human habits." (Attributed to R. Barr, St. John's College, Annapolis, MD)
On Sun, 2004-11-28 at 12:08 -0800, Jim Norton wrote:
> Hello all:
>
> I've read the documentation and am not quite sure where to start.
> What I'm trying to do is build a network with a 3 NIC Shorewall router.
>
> My system is behind a routed /49 network.

Surely not (there are only 32 bits in an IPv4 address).

> I'd like to use 2 or 3 of the static IP addresses for my DMZ (DNS server, mail, webserver etc.) and
> then have my remaining machines in a private network NATed in some way.
>
> My private network machines need to be able to access the DMZ machines of course.
>
> My network IPs are as follows:
>
> Network IP: 66.80.68.80
> Gateway: 66.80.68.81 (Efficient 5851 SDSL [ATM] Router)
> Routable IPs: 66.80.68.82 - 66.80.68.86
> Broadcast IP: 66.80.68.87
> Subnet mask: 255.255.255.248

Ok -- your network is a /29 and from the point of view of your firewall, it is NOT routed. The bulk of the Shorewall Setup Guide covers a setup almost identical to yours. And while not quite the same, my setup (http://shorewall.net/myfiles.htm) is also rather similar (the difference being that my 5 usable IP addresses are part of a /24 rather than a /29).

> I need some help in setting this up. I've read the documentation and I'm not quite sure and I don't
> want to mess things up as I am hosting several sites now.
>
> I figured it was time to set things up properly, but I just don't have the networking background to
> fully comprehend the documentation...

If you have specific questions, I will try to help.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Sun, Nov 28, 2004 at 12:52:55PM -0800, Tom Eastep wrote:
> On Sun, 2004-11-28 at 12:08 -0800, Jim Norton wrote:
>
> Ok -- your network is a /29 and from the point of view of your firewall,
> it is NOT routed. The bulk of the Shorewall Setup Guide covers a setup
> almost identical to yours. And while not quite the same, my setup
> (http://shorewall.net/myfiles.htm) is also rather similar (the
> difference being that my 5 usable IP addresses are part of a /24 rather
> than a /29).
>
> > I need some help in setting this up. I've read the documentation and I'm not quite sure and I don't
> > want to mess things up as I am hosting several sites now.
> >
> > I figured it was time to set things up properly, but I just don't have the networking background to
> > fully comprehend the documentation...
>
> If you have specific questions, I will try to help.
>
> -Tom

Thanks Tom... I'll give a look at your config files...

-- 
Jim Norton - http://www.jimnorton.org
"The art of listening is indispensable for the right use of the mind. It is also the most gracious, the most open and the most generous of human habits." (Attributed to R. Barr, St. John's College, Annapolis, MD)
On Sun, 2004-11-28 at 12:56 -0800, Jim Norton wrote:
>
> Thanks Tom... I'll give a look at your config files...

You might also look at the recent List Archives for posts from Mike Lander -- he is setting up a firewall similar to yours and has had some questions about my configuration.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Sun, Nov 28, 2004 at 12:52:55PM -0800, Tom Eastep wrote:
> On Sun, 2004-11-28 at 12:08 -0800, Jim Norton wrote:
> > Hello all:
> >
> > I've read the documentation and am not quite sure where to start.
> > What I'm trying to do is build a network with a 3 NIC Shorewall router.
> >
> > My system is behind a routed /49 network.
>
> Surely not (there are only 32 bits in an IPv4 address).
>
> > I'd like to use 2 or 3 of the static IP addresses for my DMZ (DNS server, mail, webserver etc.) and
> > then have my remaining machines in a private network NATed in some way.
> >
> > My private network machines need to be able to access the DMZ machines of course.
> >
> > My network IPs are as follows:
> >
> > Network IP: 66.80.68.80
> > Gateway: 66.80.68.81 (Efficient 5851 SDSL [ATM] Router)
> > Routable IPs: 66.80.68.82 - 66.80.68.86
> > Broadcast IP: 66.80.68.87
> > Subnet mask: 255.255.255.248
>
> Ok -- your network is a /29 and from the point of view of your firewall,
> it is NOT routed. The bulk of the Shorewall Setup Guide covers a setup
> almost identical to yours. And while not quite the same, my setup
> (http://shorewall.net/myfiles.htm) is also rather similar (the
> difference being that my 5 usable IP addresses are part of a /24 rather
> than a /29).
>
> > I need some help in setting this up. I've read the documentation and I'm not quite sure and I don't
> > want to mess things up as I am hosting several sites now.
> >
> > I figured it was time to set things up properly, but I just don't have the networking background to
> > fully comprehend the documentation...
>
> If you have specific questions, I will try to help.
>
> -Tom

Tom,

Here is the information that my router provides when I telnet into it and issue CLI commands:

Efficient 5851 SDSL [ATM] Router (5851-012) v5.3.80 Ready
Login:
Logged in successfully!
# eth list
GLOBAL BRIDGING/ROUTING SETTINGS:
Bridging enabled..................... no
  Exchange spanning tree with dest... yes
  Bridge only PPPoE with dest........ no
IP Routing enabled................... yes
  Multicast forwarding enabled....... no
  Firewall filter enabled ........... yes
  Directed Broadcasts Allowed........ no
  RIP Multicast address.............. default
  VRRP Multicast address............. default
IPX Routing enabled.................. no
ETHERNET INFORMATION FOR <ETHERNET/0>
Hardware MAC address................. 00:20:6F:0D:1C:3C
Send IP RIP to the LAN............... rip-1 compatible
  Advertise me as default router..... yes
Process IP RIP packets received...... rip-1 compatible
  Receive default route by RIP....... yes
IP address translation............... no
IP filters defined................... no
IP address/subnet mask............... 66.80.68.81/255.255.255.248
Management IP address/subnet mask.... 0.0.0.0/0.0.0.0
Static Ethernet routes defined....... none
Virtual Ethernet routes defined...... none
IPX External network number.......... 00000000
IPX Frame type....................... 802.2
MTU.................................. default

Now one difference between my setup and yours is that my router is configured with a public IP address instead of a private address. The router's IP address is the same as my network's gateway address. If I'm reading the output properly, my SDSL router is routing packets.

With this information, what changes do I make to your configuration files to work for my setup?

Sorry for the basic questions, I'm so very new to this...

-- 
Jim Norton - http://www.jimnorton.org
"The art of listening is indispensable for the right use of the mind. It is also the most gracious, the most open and the most generous of human habits." (Attributed to R. Barr, St. John's College, Annapolis, MD)
On Sun, 2004-11-28 at 14:26 -0800, Jim Norton wrote:
>
> With this information, what changes do I make to your configuration files to work for my setup?

None! Your router corresponds to my ISP's router (which of course also has a public IP address).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
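An added example (mine, not code from the thread, the Shorewall Setup Guide or Tom's configuration files) that works through Tom's two answers with Python's ipaddress module: the claimed /49 cannot exist for IPv4, Jim's mask gives a /29 whose host addresses minus the gateway .81 leave .82-.86 for the DMZ, and because the gateway lies inside the block the firewall's external interface shares the Ethernet segment with the ISP router, which is what "not routed" means here. The Proxy ARP remark in the comments is general IP networking, not something the thread spells out.

```python
import ipaddress

# Constructed from the addresses Jim quoted in the thread (not taken from
# any Shorewall configuration file).
NETWORK_IP = "66.80.68.80"
NETMASK = "255.255.255.248"
GATEWAY = "66.80.68.81"        # Efficient 5851 SDSL router, ISP side
CLAIMED_PREFIX = 49            # the "/49" from the original question


def prefix_is_valid(prefix: int) -> bool:
    """An IPv4 prefix length runs 0..32; a /49 cannot exist."""
    return 0 <= prefix <= 32


def describe_block(network_ip: str, netmask: str, gateway: str) -> dict:
    """Derive prefix, broadcast and the addresses left for DMZ hosts.

    strict=True makes ip_network() reject a network address that has
    host bits set, so a mistyped block address fails loudly.
    """
    net = ipaddress.ip_network(f"{network_ip}/{netmask}", strict=True)
    gw = ipaddress.ip_address(gateway)
    free = [str(h) for h in net.hosts() if h != gw]
    return {
        "prefix": net.prefixlen,
        "broadcast": str(net.broadcast_address),
        "gateway_in_block": gw in net,
        "free_for_hosts": free,
    }


def uplink_model(network_ip: str, netmask: str, gateway: str) -> str:
    """How the firewall's external interface sees the public block.

    Gateway inside the block: the ISP router sits on the same Ethernet
    segment and ARPs for every public address directly, so the block is
    NOT routed to the firewall; public DMZ hosts behind the firewall then
    need Proxy ARP (the firewall answers ARP on their behalf).
    Gateway outside the block: the ISP has routed the block to the
    firewall and ordinary IP forwarding is enough.
    """
    info = describe_block(network_ip, netmask, gateway)
    return "not routed (proxy ARP)" if info["gateway_in_block"] else "routed"


if __name__ == "__main__":
    print("/49 valid for IPv4:", prefix_is_valid(CLAIMED_PREFIX))
    info = describe_block(NETWORK_IP, NETMASK, GATEWAY)
    print(f"real prefix: /{info['prefix']}, broadcast {info['broadcast']}")
    print("addresses for DMZ hosts:", ", ".join(info["free_for_hosts"]))
    print("uplink model:", uplink_model(NETWORK_IP, NETMASK, GATEWAY))
```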