Hi, in my LAN I have two firewalls: fw1 is the first and manages inter-VLAN routing; fw2 manages internet and DMZ. fw1 and fw2 have an interface (eth4 on both fw2 and fw1) on the same subnet that permits the hosts behind fw1 to reach the internet. My problem is on fw2: eth4 is the NIC that connects fw2 and fw1. I wouldn't like to masquerade the hosts behind fw1, so all the traffic from the VLANs managed by fw1 arrives at eth4 of fw2. What is the best way to manage this traffic with shorewall? Do I have to define fw1's zones also in fw2 and then use something like this:

zones:
  loc11  Local11  LAN 10.88.11.0 behind fw1
  loc22  Local22  LAN 10.88.22.0 behind fw1
  loc33  Local33  LAN 10.88.33.0 behind fw1

interfaces:
  -
Hi, I have some issues using two firewalls and shorewall.

I have the following network:

                     net
                      |eth0
                      |
          eth2        |        eth1
    dmz2-----------fw2-----------dmz1
                      |
                      | eth4
                      |
                      | eth4
                      |
          eth3        |        eth2
    loc22-----------fw1-----------loc11
                      |
                      | eth1
                      |
                    loc33

There are two firewalls: fw1 manages inter-VLAN routing and fw2 network access. They have an ethernet card (eth4 on both) on the same subnet, and through the ethernet card eth4 of fw2 arrives all the traffic from the VLANs towards the internet. I would not like to masquerade the VLAN traffic. What is the best way to manage this with shorewall? Do I have to do something like this on fw2:

zones:
  loc11  Local11  Loc net 10.88.11.0 managed by fw1
  loc22  Local22  Loc net 10.88.22.0 managed by fw1
  loc33  Local33  Loc net 10.88.33.0 managed by fw1

interfaces:
  -  eth4  10.88.11.255,10.88.22.255,10.88.33.255  routeback

hosts:
  loc11  eth4:10.88.11.0/24
  loc22  eth4:10.88.22.0/24
  loc33  eth4:10.88.33.0/24

or is there a better/another way? For example, define one zone for eth4.

thanks
Nicola
On Mon, 2004-12-06 at 17:20 +0100, Nicola Murino wrote:

> for example define one zone for eth4

That's what I would do, unless you have different requirements for internet access for the various VLANs.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
>> for example define one zone for eth4
>
> That's what I would do, unless you have different requirements for
> internet access for the various VLANs.

Yes, there are different requirements for internet access for the various VLANs, so I have to modify the hosts and interfaces files as written in the last post and define all the zones of fw1 also on fw2, right?

thanks
Nicola
On Tue, 2004-12-07 at 08:46 +0100, Nicola Murino wrote:

>>> for example define one zone for eth4
>>
>> That's what I would do, unless you have different requirements for
>> internet access for the various VLANs.
>
> Yes there are different requirements for the internet access for the
> various vlan, so I have to modify hosts and interfaces files as wrote in
> the last post and define all the zones of fw1 also on fw2, right?

If you want to enforce that policy on fw2, yes. Note that you could also enforce it on fw1.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
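A fuller fw2 configuration along the lines Nicola sketched and Tom confirmed, written here as an added example (not from the thread, and not Shorewall's own documentation) in the Shorewall 2.x file layout of the time. The zone/interface/hosts entries follow the thread; the per-VLAN internet policies, the port numbers, the dmz1/dmz2 handling and the masq lines are assumptions made up for the example.

```text
# fw2 also needs kernel routes for 10.88.11.0/24, 10.88.22.0/24 and
# 10.88.33.0/24 via fw1's eth4 address (not given in the thread); Shorewall
# does not add them for you.

# /etc/shorewall/zones   (ZONE  DISPLAY  COMMENTS)
net    Net      Internet on eth0
dmz1   DMZ1     DMZ on eth1
dmz2   DMZ2     DMZ on eth2
loc11  Local11  10.88.11.0/24, routed by fw1, reached via eth4
loc22  Local22  10.88.22.0/24, routed by fw1, reached via eth4
loc33  Local33  10.88.33.0/24, routed by fw1, reached via eth4

# /etc/shorewall/interfaces   (ZONE  INTERFACE  BROADCAST  OPTIONS)
# eth4 carries three zones, so ZONE is "-" and the hosts file assigns them.
# routeback lets fw2 send eth4 traffic back out eth4 should it arrive here
# (fw1 normally does the inter-VLAN routing itself).
net    eth0  detect
dmz1   eth1  detect
dmz2   eth2  detect
-      eth4  10.88.11.255,10.88.22.255,10.88.33.255  routeback

# /etc/shorewall/hosts   (ZONE  HOST(S)  OPTIONS)
# Works only because nothing is masqueraded on the fw1-fw2 link: fw2 sees
# the VLAN hosts' real source addresses and can sort them into zones.
loc11  eth4:10.88.11.0/24
loc22  eth4:10.88.22.0/24
loc33  eth4:10.88.33.0/24

# /etc/shorewall/policy   (SOURCE  DEST  POLICY  LOG LEVEL)
# Assumed requirements: loc11 gets full internet, loc22 only the ports
# opened in rules, loc33 none; all three may reach dmz1.
loc11  net   ACCEPT
loc22  net   REJECT  info
loc33  net   REJECT  info
loc11  dmz1  ACCEPT
loc22  dmz1  ACCEPT
loc33  dmz1  ACCEPT
fw     all   ACCEPT
net    all   DROP    info
all    all   REJECT  info

# /etc/shorewall/rules   (ACTION  SOURCE  DEST  PROTO  DEST PORT(S))
# Rules are matched before the policies above.
ACCEPT  loc22  net  tcp  80,443
ACCEPT  loc22  net  udp  53

# /etc/shorewall/masq   (INTERFACE  SUBNET)
# Assumption: one public address on eth0, so the VLANs are masqueraded only
# when leaving for the internet; eth4 is deliberately absent from this file.
eth0   10.88.11.0/24
eth0   10.88.22.0/24
eth0   10.88.33.0/24
```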