Shorewall users - Apr 2005 - Shorewall in a Routed network

Hi,
 
        In a routed network environment, without the router , we want to use the
shorewall as the firewall/router. The ISP has assigned the following set of IP
addresses.
 
WAN IP for subnet 1 (DATA)
 
220.227.202.X/30 ( to be assigned to eth0 of the shorewall)
 
WAN IP for subnet 2 (Voice)

220.227.202.Y/30  ( to be assigned to eth1 of the shorewall)
 
Addresses assigned for Subnet 1 by the ISP
 
220.227.176.x/27 ( to be assigned to eth2 of the shorewall)
 
Addresses assigned for Subnet 2 by the ISP
 
220.227.201.y/28  ( to be assigned to eth3 of the shorewall)
 
 
The plan is to use a four interfaces shorewall without using the proxyarp . Do I
need any special configuration other than defining the zones for each interface?
 
We are currently using the shorewall with four interface in a proxyarp setup.
Basically we are planning to move from a non-routed to routed environment.
 
Any help is appreciated.
 
Thanks
 
Siva


This email contains Indscape Softech Pvt Ltd.''s confidential
information.
No confidentiality is waived or lost by any mistransmission. 
Indscape Softech Pvt Ltd.,reserves the right to monitor all e-mail
communications
through its network.

Sivamurugu K. Pillai wrote:
>  
> The plan is to use a four interfaces shorewall without using the proxyarp .
> Do I need any special configuration other than defining the zones for
> each interface?
No.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom,

	Thanks for the reply. 

	I have one query here. Assuming that the two external interfaces of the
shorewall box are connected to two different internet links ( two ISPs), how the
routing will take place to and from the appropriate internal interface out of
the two available internal interfaces. Since with proxyarp, we were defining
these in the proxyarp configuration file. Seeking your forgiveness if it is too
naive a question.

-Siva

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net
[mailto:shorewall-users-bounces@lists.shorewall.net]On Behalf Of Tom
Eastep
Sent: Thursday, April 07, 2005 11:10 PM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Shorewall in a Routed network


Sivamurugu K. Pillai wrote:
>  
> The plan is to use a four interfaces shorewall without using the proxyarp .
> Do I need any special configuration other than defining the zones for
> each interface?
No.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm


This email contains Indscape Softech Pvt Ltd.''s confidential
information.
No confidentiality is waived or lost by any mistransmission. 
Indscape Softech Pvt Ltd.,reserves the right to monitor all e-mail
communications
through its network.

PLEASE post in plain text and configure your mailer to fold lines at an 
appropriate length. Each of your paragraphs is one long line.

On Thu, 7 Apr 2005, Sivamurugu K. Pillai wrote:
> 	I have one query here. Assuming that the two external interfaces 
> 	of the shorewall box are connected to two different internet links 
> 	( two ISPs), how the routing will take place to and from the 
> 	appropriate internal interface out of the two available internal 
> 	interfaces. Since with proxyarp, we were defining these in the 
> 	proxyarp configuration file.
You will have to use policy routing (which has nothing to do with 
Shorewall -- see http://shorewall.net/Shorewall_and_Routing.html). Your 
best source of information is the LARTC Howto which is linked from the 
Shorewall "Useful Links" page. 

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Thanks Tom for the inputs. Had setup a four interface
shorewall(2.2.3)/firewall/router
with two ISP -feeds using source policy routing . If anyone is interested , 
please check the following details which made the setup work.

Routing
------------------------------------------------
Displaying the defined routing table1:

220.227.202.44/30 dev eth0  scope link 
220.227.176.0/27 dev eth2  scope link 
default via 220.227.202.45 dev eth0 

Displaying the defined routing table2:

220.227.202.40/30 dev eth1  scope link 
220.227.201.96/28 dev eth3  scope link 
default via 220.227.202.41 dev eth1 

Displaying the rules:

0:      from all lookup local 
500:    from 220.227.202.44/30 lookup 1 
600:    from 220.227.202.41/30 lookup 2 
32766:  from all lookup main 
32767:  from all lookup 253 

Displaying the Default Routing Table:

220.227.202.44/30  dev  eth0            scope  link
220.227.202.40/30  dev  eth1            scope  link
220.227.201.96/28  dev  eth3            scope  link
220.227.176.0/27   dev  eth2            scope  link
169.254.0.0/16     dev  eth3            scope  link
127.0.0.0/8        dev  lo              scope  link
default            via  220.227.202.46  dev    eth0
--------------------------------------------------------

Shorewall Configuration

#ZONE    INTERFACE      BROADCAST       OPTIONS

net      eth0           220.227.202.47
net      eth1           220.227.202.43
dmz0     eth2           220.227.176.31
dmz1     eth3           220.227.201.111

---------------------------------------------------------


-Siva


-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net
[mailto:shorewall-users-bounces@lists.shorewall.net]On Behalf Of Tom
Eastep
Sent: Thursday, April 07, 2005 11:36 PM
To: Mailing List for Shorewall Users
Subject: RE: [Shorewall-users] Shorewall in a Routed network


PLEASE post in plain text and configure your mailer to fold lines at an 
appropriate length. Each of your paragraphs is one long line.

On Thu, 7 Apr 2005, Sivamurugu K. Pillai wrote:
> 	I have one query here. Assuming that the two external interfaces 
> 	of the shorewall box are connected to two different internet links 
> 	( two ISPs), how the routing will take place to and from the 
> 	appropriate internal interface out of the two available internal 
> 	interfaces. Since with proxyarp, we were defining these in the 
> 	proxyarp configuration file.
You will have to use policy routing (which has nothing to do with 
Shorewall -- see http://shorewall.net/Shorewall_and_Routing.html). Your 
best source of information is the LARTC Howto which is linked from the 
Shorewall "Useful Links" page. 

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm


This email contains Indscape Softech Pvt Ltd.''s confidential
information.
No confidentiality is waived or lost by any mistransmission. 
Indscape Softech Pvt Ltd.,reserves the right to monitor all e-mail
communications
through its network.