I have used shorewall in the past and loved it. However, at the time it did not support brouting and because of that I had to remove it for a faster solution. Now that faster solution is failing and I want to go back to what I liked.

I have never set up a brouter but I have been doing a lot of reading on it, both on your site and many others. In all cases what I see is a brouter/firewall connected to a router. The router being the ISP's router and the brouter/firewall being the Linux box. The problem I have with this is that the ISP's router is configured as the hosts' (inside the firewall) default gateway. Does that not mean that if the router is compromised then someone could watch all the traffic hitting it because it is the default route?

Another problem I have is that in the current network design the firewall (the inside address 192.168.1.254) is the default gateway. If I were to make the ISP's router the default gateway I would have to change the network setup on every machine. Not to mention the problem where the address given me by my ISP is a DHCP address. Can shorewall handle this? And how? Am I not understanding something in the brouter/firewall configuration?

I would like to understand the best way to design this before trying (and probably failing) to set this up.

Thanks,
Louis

Louis Bohm
Systems Administration (Linux, Unix, Windows, Networking)
Email: louis_bohm@yahoo.com
On Tuesday 24 May 2005 06:26 pm, Louis Bohm wrote:

> The problem I have with this is that the ISP's router
> is configured as the hosts (inside the firewall)
> default gateway.

If that's a problem, why go to a bridging router?

> Does that not mean that if the
> router is compromised then someone could watch all the
> traffic hitting it because it is the default route?

If someone compromises a router, theoretically they could watch all traffic passing through it. This is true if the router belongs to you, your ISP, or your ISP's upstream provider. That's life on the internet.

> Another problem I have is that in the current network
> design the firewall (the inside address 192.168.1.254)
> is the default gateway.

Yes, that's quite normal.

> If I were to make the ISP's
> router the default gateway I would have to change the
> network setup on every machine. Not to mention the
> problem where the address given me by my ISP is a DHCP
> address.

Why is this a problem? Are you saying you have manually assigned all the IPs? Normally you set up your inside-the-firewall machines to obtain an IP via DHCP, obtaining it from some machine on your network, perhaps your shorewall machine itself. If you switch to a bridge router, you still operate the same way, but the IP and default route will come from the ISP's DHCP server.

One has to ask why you want a bridge router? Wouldn't it be easier to use the traditional model, which sounds like what you already have?

--
John Andersen - NORCOM
http://www.norcomsoftware.com/