Hello Shorewall gurus,

I have a dilemma with a public server. I want to migrate the current public server over to a new machine behind the current server's firewall (shorewall 1.4). I have included a diagram below to help explain the target network I am working toward. I have read the shorewall online documentation and though I have used Shorewall the past 4 years in the current configuration (see current network diagram) I cannot see what would be the best solution: DNAT, NAT or ProxyARP. Currently, I access my server (and Shorewall) using webmin. I am 9,000 miles from the public server so I must use some type of remote Linux admin tool (hence webmin). I would like to configure the new machine similarly to the current server (services, protocols, daemons, applications, etc.). If I am successful I will eventually let the new machine take over from the current (old) machine and let the old machine stick around as backup or failover. What would be the best configuration to migrate from the current network (see diagram) to the desired network (or similar): DNAT, NAT or ProxyARP? And, thanks in advance.

The specifications on both machines follow:

current machine (old) - OS: rh7.2, shorewall: 1.4, two nics, two public IPs (one is DNS).

new machine - OS: Mandrake 10.1, shorewall: 2.2, two nics.

<<<Current network>>>

                    NET ZONE (PUBLIC)
    -----------------------------------------------------
                           |
                           |
                           |
                  eth0 (PUBLIC ROUTABLE IP)
                    ----------------
                    | Linux Router |  (SERVER: multiple protocols)
                    ----------------
                  (192.168.1.1) eth1
                         -----
                           |
                           |
                           |
                    ----------------
                  192.168.1.0/24 (masq/SNAT)
                    ----------------
                      /    |    \
                     /     |     \
                    /      |      \
                   /       |       \
                  /        |        \
                 /         |         \
           ----------  ----------  ----------
          192.168.1.2 192.168.1.3 192.168.1.4

<<<Desired network>>>

                    NET ZONE (PUBLIC)
    -----------------------------------------------------
                           |
                           |
                           |
                  eth0 (PUBLIC ROUTABLE IP)
    ------------------------------------------------
    |             Linux Router (SERVER)            |
    ------------------------------------------------
      (192.168.1.1) eth1             eth1:0 (192.168.2.1)
             -----                          ------
               |                               |
               |                               |
               |                               |
        ----------------                ----------------    NAT
      192.168.1.0/24 (masq/SNAT)        192.168.2.0/24      DNAT
        ----------------                ----------------    ProxyARP
          /    |    \                          |            ?
         /     |     \                         |
        /      |      \                        |
       /       |       \                  -----------
      /        |        \              192.168.2.2 (SERVER)
     /         |         \                -----------   multiple
  ----------  ----------  ----------                    protocols
 192.168.1.2 192.168.1.3 192.168.1.4
hi:

Buy a new NIC (usually cheap, in this case "eth2") and create a DMZ and follow the instructions on: http://www.shorewall.net/three-interface.htm

bye.

On Sat, 22 Jan 2005 11:33:19 +0000 (UTC), David W. Brown <dwbrown@webitplanet.com> wrote:
> Hello Shorewall gurus, I have a dilemma with a public server. I want to migrate the current public server over to a new machine behind the current server's firewall (shorewall 1.4). I have included a diagram below to help explain the target network I am working toward. I have read the shorewall online documentation and though I have used Shorewall the past 4 years in the current configuration (see current network diagram) I cannot see what would be the best solution: DNAT, NAT or ProxyARP. Currently, I access my server (and Shorewall) using webmin. I am 9,000 miles from the public server so I must use some type of remote Linux admin tool (hence webmin). I would like to configure the new machine similarly to the current server (services, protocols, daemons, applications, etc.). If I am successful I will eventually let the new machine take over from the current (old) machine and let the old machine stick around as backup or failover. What would be the best configuration to migrate from the current network (see diagram) to the desired network (or similar): DNAT, NAT or ProxyARP? And, thanks in advance.
>
> The specifications on both machines follow:
>
> current machine (old) - OS: rh7.2, shorewall: 1.4, two nics, two public IPs (one is DNS).
>
> new machine - OS: Mandrake 10.1, shorewall: 2.2, two nics.
>
> <<<Current network>>>
>
>                     NET ZONE (PUBLIC)
>     -----------------------------------------------------
>                            |
>                            |
>                            |
>                   eth0 (PUBLIC ROUTABLE IP)
>                     ----------------
>                     | Linux Router |  (SERVER: multiple protocols)
>                     ----------------
>                   (192.168.1.1) eth1
>                          -----
>                            |
>                            |
>                            |
>                     ----------------
>                   192.168.1.0/24 (masq/SNAT)
>                     ----------------
>                       /    |    \
>                      /     |     \
>                     /      |      \
>                    /       |       \
>                   /        |        \
>                  /         |         \
>            ----------  ----------  ----------
>           192.168.1.2 192.168.1.3 192.168.1.4
>
> <<<Desired network>>>
>
>                     NET ZONE (PUBLIC)
>     -----------------------------------------------------
>                            |
>                            |
>                            |
>                   eth0 (PUBLIC ROUTABLE IP)
>     ------------------------------------------------
>     |             Linux Router (SERVER)            |
>     ------------------------------------------------
>       (192.168.1.1) eth1             eth1:0 (192.168.2.1)
>              -----                          ------
>                |                               |
>                |                               |
>                |                               |
>         ----------------                ----------------    NAT
>       192.168.1.0/24 (masq/SNAT)        192.168.2.0/24      DNAT
>         ----------------                ----------------    ProxyARP
>           /    |    \                          |            ?
>          /     |     \                         |
>         /      |      \                        |
>        /       |       \                  -----------
>       /        |        \              192.168.2.2 (SERVER)
>      /         |         \                -----------   multiple
>   ----------  ----------  ----------                    protocols
>  192.168.1.2 192.168.1.3 192.168.1.4
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
David W. Brown wrote:
> Hello Shorewall gurus, I have a dilemma with a public server. I want to migrate the current public server over to a new machine behind the current server's firewall (shorewall 1.4). I have included a diagram below to help explain the target network I am working toward. I have read the shorewall online documentation and though I have used Shorewall the past 4 years in the current configuration (see current network diagram) I cannot see what would be the best solution: DNAT, NAT or ProxyARP. Currently, I access my server (and Shorewall) using webmin. I am 9,000 miles from the public server so I must use some type of remote Linux admin tool (hence webmin). I would like to configure the new machine similarly to the current server (services, protocols, daemons, applications, etc.). If I am successful I will eventually let the new machine take over from the current (old) machine and let the old machine stick around as backup or failover. What would be the best configuration to migrate from the current network (see diagram) to the desired network (or similar): DNAT, NAT or ProxyARP? And, thanks in advance.
>
> The specifications on both machines follow:
>
> current machine (old) - OS: rh7.2, shorewall: 1.4, two nics, two public IPs (one is DNS).

What does "(one is DNS)" mean?

>                            |
>                   eth0 (PUBLIC ROUTABLE IP)
>                     ----------------
>                     | Linux Router |  (SERVER: multiple protocols)

I'm never comfortable when I see a box that is both a firewall/router AND a server. Router/firewalls are the boxes that you want to be bulletproof while, other than boxes running MS email clients, servers exposed to the internet are the most vulnerable to attack.

>                     NET ZONE (PUBLIC)
>     -----------------------------------------------------
>                            |
>                            |
>                            |
>                   eth0 (PUBLIC ROUTABLE IP)
>     ------------------------------------------------
>     |             Linux Router (SERVER)            |
>     ------------------------------------------------
>       (192.168.1.1) eth1             eth1:0 (192.168.2.1)
>              -----                          ------

I agree with Cristian Rodriguez about using a separate NIC for the new server.

>                |                               |
>                |                               |
>                |                               |
>         ----------------                ----------------    NAT
>       192.168.1.0/24 (masq/SNAT)        192.168.2.0/24      DNAT
>         ----------------                ----------------    ProxyARP
>           /    |    \                          |            ?

NAT and ProxyARP are only possible if you dedicate one of your two public IP addresses to the new box. In which case, I prefer ProxyARP (especially if the system is on its own LAN segment).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Hello Tom, thanks for the clarifying and speedy reply. Sorry about the lack of clarity (again). The meaning of (One is DNS) is one of the two public IPs is dedicated to the dns server. I now see what I have to do.

Thanks again,

David Brown
KBR - USMI IT/COMMO
KIRKUK AB
281-669-1655x102

Tom Eastep wrote:
> David W. Brown wrote:
> > Hello Shorewall gurus, I have a dilemma with a public server. I want to migrate the current public server over to a new machine behind the current server's firewall (shorewall 1.4). I have included a diagram below to help explain the target network I am working toward. I have read the shorewall online documentation and though I have used Shorewall the past 4 years in the current configuration (see current network diagram) I cannot see what would be the best solution: DNAT, NAT or ProxyARP. Currently, I access my server (and Shorewall) using webmin. I am 9,000 miles from the public server so I must use some type of remote Linux admin tool (hence webmin). I would like to configure the new machine similarly to the current server (services, protocols, daemons, applications, etc.). If I am successful I will eventually let the new machine take over from the current (old) machine and let the old machine stick around as backup or failover. What would be the best configuration to migrate from the current network (see diagram) to the desired network (or similar): DNAT, NAT or ProxyARP? And, thanks in advance.
> >
> > The specifications on both machines follow:
> >
> > current machine (old) - OS: rh7.2, shorewall: 1.4, two nics, two public IPs (one is DNS).
>
> What does "(one is DNS)" mean?
>
> >                            |
> >                   eth0 (PUBLIC ROUTABLE IP)
> >                     ----------------
> >                     | Linux Router |  (SERVER: multiple protocols)
>
> I'm never comfortable when I see a box that is both a firewall/router AND a server. Router/firewalls are the boxes that you want to be bulletproof while, other than boxes running MS email clients, servers exposed to the internet are the most vulnerable to attack.
>
> >                     NET ZONE (PUBLIC)
> >     -----------------------------------------------------
> >                            |
> >                            |
> >                            |
> >                   eth0 (PUBLIC ROUTABLE IP)
> >     ------------------------------------------------
> >     |             Linux Router (SERVER)            |
> >     ------------------------------------------------
> >       (192.168.1.1) eth1             eth1:0 (192.168.2.1)
> >              -----                          ------
>
> I agree with Cristian Rodriguez about using a separate NIC for the new server.
>
> >                |                               |
> >                |                               |
> >                |                               |
> >         ----------------                ----------------    NAT
> >       192.168.1.0/24 (masq/SNAT)        192.168.2.0/24      DNAT
> >         ----------------                ----------------    ProxyARP
> >           /    |    \                          |            ?
>
> NAT and ProxyARP are only possible if you dedicate one of your two public IP addresses to the new box. In which case, I prefer ProxyARP (especially if the system is on its own LAN segment).
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key