Hi,

In a routed network environment, without the router, we want to use the shorewall as the firewall/router. The ISP has assigned the following set of IP addresses.

WAN IP for subnet 1 (DATA) 220.227.202.X/30 (to be assigned to eth0 of the shorewall)
WAN IP for subnet 2 (Voice) 220.227.202.Y/30 (to be assigned to eth1 of the shorewall)
Addresses assigned for Subnet 1 by the ISP 220.227.176.x/27 (to be assigned to eth2 of the shorewall)
Addresses assigned for Subnet 2 by the ISP 220.227.201.y/28 (to be assigned to eth3 of the shorewall)

The plan is to use a four-interface shorewall without using the proxyarp. Do I need any special configuration other than defining the zones for each interface?

We are currently using the shorewall with four interfaces in a proxyarp setup. Basically we are planning to move from a non-routed to a routed environment.

Any help is appreciated.

Thanks
Siva

This email contains Indscape Softech Pvt Ltd.'s confidential information. No confidentiality is waived or lost by any mistransmission. Indscape Softech Pvt Ltd. reserves the right to monitor all e-mail communications through its network.

Sivamurugu K. Pillai wrote:
>
> The plan is to use a four interfaces shorewall without using the proxyarp .
> Do I need any special configuration other than defining the zones for
> each interface?

No.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom,

Thanks for the reply.

I have one query here. Assuming that the two external interfaces of the shorewall box are connected to two different internet links (two ISPs), how the routing will take place to and from the appropriate internal interface out of the two available internal interfaces. Since with proxyarp, we were defining these in the proxyarp configuration file.

Seeking your forgiveness if it is too naive a question.

-Siva

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Thursday, April 07, 2005 11:10 PM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Shorewall in a Routed network

PLEASE post in plain text and configure your mailer to fold lines at an appropriate length. Each of your paragraphs is one long line.

On Thu, 7 Apr 2005, Sivamurugu K. Pillai wrote:
> I have one query here. Assuming that the two external interfaces
> of the shorewall box are connected to two different internet links
> ( two ISPs), how the routing will take place to and from the
> appropriate internal interface out of the two available internal
> interfaces. Since with proxyarp, we were defining these in the
> proxyarp configuration file.

You will have to use policy routing (which has nothing to do with Shorewall -- see http://shorewall.net/Shorewall_and_Routing.html). Your best source of information is the LARTC Howto which is linked from the Shorewall "Useful Links" page.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Thanks Tom for the inputs.

Had set up a four-interface shorewall (2.2.3) firewall/router with two ISP feeds using source policy routing. If anyone is interested, please check the following details which made the setup work.

Routing
------------------------------------------------
Displaying the defined routing table1:
220.227.202.44/30 dev eth0 scope link
220.227.176.0/27 dev eth2 scope link
default via 220.227.202.45 dev eth0

Displaying the defined routing table2:
220.227.202.40/30 dev eth1 scope link
220.227.201.96/28 dev eth3 scope link
default via 220.227.202.41 dev eth1

Displaying the rules:
0: from all lookup local
500: from 220.227.202.44/30 lookup 1
600: from 220.227.202.41/30 lookup 2
32766: from all lookup main
32767: from all lookup 253

Displaying the Default Routing Table:
220.227.202.44/30 dev eth0 scope link
220.227.202.40/30 dev eth1 scope link
220.227.201.96/28 dev eth3 scope link
220.227.176.0/27 dev eth2 scope link
169.254.0.0/16 dev eth3 scope link
127.0.0.0/8 dev lo scope link
default via 220.227.202.46 dev eth0
--------------------------------------------------------
Shorewall Configuration

#ZONE   INTERFACE   BROADCAST         OPTIONS
net     eth0        220.227.202.47
net     eth1        220.227.202.43
dmz0    eth2        220.227.176.31
dmz1    eth3        220.227.201.111
---------------------------------------------------------

-Siva

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Thursday, April 07, 2005 11:36 PM
To: Mailing List for Shorewall Users
Subject: RE: [Shorewall-users] Shorewall in a Routed network
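
Added example, not part of the original thread: a small Python model of first-match "ip rule" lookup, applied to the rules and default routes listed in the post above. It reports which routing table and uplink a given source address selects, and flags rule selectors whose address has host bits set. The four source addresses tried at the end are constructed samples from the listed subnets, and the tables "local" and "253" are assumed to hold no default route.

```python
import ipaddress

# Rules and default routes copied from the listing in the post above.
RULES = """\
0: from all lookup local
500: from 220.227.202.44/30 lookup 1
600: from 220.227.202.41/30 lookup 2
32766: from all lookup main
32767: from all lookup 253"""
TABLES = {  # only the default route decides the uplink for Internet-bound traffic
    "1": "default via 220.227.202.45 dev eth0",
    "2": "default via 220.227.202.41 dev eth1",
    "main": "default via 220.227.202.46 dev eth0",
}

def parse_rules(text):
    """Return [(priority, source network or None for 'all', table, raw selector)]."""
    rules = []
    for line in text.splitlines():
        prio, rest = line.split(":", 1)
        words = rest.split()
        src = words[words.index("from") + 1]
        table = words[words.index("lookup") + 1]
        net = None if src == "all" else ipaddress.ip_network(src, strict=False)
        rules.append((int(prio), net, table, src))
    return sorted(rules, key=lambda r: r[0])

def misaligned_prefixes(rules):
    """Selectors whose address is not the network address of its own prefix."""
    return [raw for _, net, _, raw in rules if net is not None and str(net) != raw]

def uplink_for(source, rules, tables):
    """First-match lookup: (table, device) of the default route a source gets."""
    addr = ipaddress.ip_address(source)
    for _, net, table, _ in rules:
        if net is not None and addr not in net:
            continue  # rule selector does not match this source address
        route = tables.get(table)  # assumption: 'local' and '253' have no default
        if route:
            words = route.split()
            return table, words[words.index("dev") + 1]
    return None, None

if __name__ == "__main__":
    rules = parse_rules(RULES)
    print("misaligned selectors:", misaligned_prefixes(rules))
    # Constructed sample sources: one per WAN link subnet, one per internal subnet.
    for src in ("220.227.202.46", "220.227.202.42", "220.227.176.5", "220.227.201.100"):
        print(src, "->", uplink_for(src, rules, TABLES))
```

Running the same check against live "ip rule show" and "ip route show table N" output confirms whether every internal subnet is actually selected by a rule that points at the table with the intended uplink.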