Poh Yong Hwang (ReadySpace)
2005-May-31 12:25 UTC
Can shorewall be setup in a datacenter environment?
Hi,

New here... I would like to set up Shorewall on a dedicated box protecting multiple web, mail and DNS servers in the datacenter. All the IP addresses will be public IPs (no LAN setup). I would also like to do traffic shaping and install Snort as well on the same box.

Can Shorewall do all this? Is there any documentation on that? Do I need to configure Shorewall as a bridging firewall in order to do that...

Sorry for such newbie questions.. Kindly clear my doubts..

Internet -> Shorewall Firewall -> Switch -> Web Server, Mail Server, DNS Servers...

Regards
Poh Yong Hwang

ReadySpace Network Pte Ltd
60 Kaki Bukit Place Eunos Techpark #02-07 Singapore 415979
Sales 6848 6911 Fax 6848 6922 Support 6848 4464 Hp 9740 7822
More than just hosting ... http://www.readyspace.com

Information in this message is confidential. It is intended solely for the person or the entity to whom it is addressed. If you are not the intended recipient, you are not to disseminate, distribute or copy this communication. Please notify the sender and delete the message and any other record of it from your system immediately.
Alexander Wilms
2005-May-31 12:39 UTC
Re: Can shorewall be setup in a datacenter environment?
Poh Yong Hwang (ReadySpace) wrote:
> New here... I would like to setup shorewall on a dedicated box protecting a
> mutiple web, mail and dns server in the datacenter. All the ip address will
> be public ip (No LAN setup). I would also like to do traffic shaping and
> install Snort as well in the same box.

Yes you can. The only limitation would be the amount of rules/blacklists versus network traffic load. Are we talking about Gbit/s traffic? Below gigabit traffic I wouldn't expect any performance issues.

> Can Shorewall do all this? Is there any docs on that? Do i need to configure
> Shorewall as a bridging firewall in order to do that...

You can use bridging (between a border router and the switch), but it's not a must. Please read the quick start guide and Proxy ARP docs. Proxy ARP would be another approach.

http://www.shorewall.net/shorewall_quickstart_guide.htm
http://www.shorewall.net/ProxyARP.htm
http://www.shorewall.net/Documentation.htm#ProxyArp

HTH,
Alex
Tristan DEFERT
2005-May-31 12:47 UTC
Re: Can shorewall be setup in a datacenter environment?
Yes, Shorewall can do that. We use such a setup: a public class C bridged with Shorewall (for the servers) and one other zone NATed with the firewall (for employees). Everything works like a charm even on an old PC (128MB / PII@400MHz) with a bandwidth of 4Mbit/s.

We also use VPN on the firewall (OpenVPN), Snort, and traffic shaping, and we plan to install a second firewall (backup fw) for redundancy.

So the answer is YES IT WORKS.
Thibodeau, Jamie L.
2005-May-31 12:53 UTC
RE: Can shorewall be setup in a datacenter environment?
It is possible to run Shorewall and Snort on the same box, and it is even possible to run Snort in inline mode on top of Shorewall. Tom added support for a QUEUE action in the rules so that you can QUEUE traffic into user space where Snort running inline can see the traffic.

WARNING!!! Snort inline is not documented well, so it can be a bear to set up right the first couple of times. Also, if you want Snort to work inline as an IPS then you must fix the rules to be drop rules instead of alert rules.
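Added example, not from the thread and not the Shorewall project's own files: a minimal Shorewall layout for the topology in the question, using the Proxy ARP approach Alex points to and the QUEUE action Jamie describes. Interface names, the server addresses (constructed from the 203.0.113.0/24 documentation range) and the column layout (taken from the man pages of current Shorewall releases; the zones file looked different in the 2.x series current in 2005) are assumptions to check against your own version.

```text
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
dmz     ipv4

# /etc/shorewall/interfaces
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs      # towards the ISP router (assumed name)
dmz     eth1        tcpflags               # towards the switch with the servers (assumed name)

# /etc/shorewall/proxyarp
# The servers keep their public addresses and use the ISP router as default
# gateway; the firewall answers ARP for them on eth0 and, with HAVEROUTE=no,
# adds a host route to each of them via eth1. Addresses are constructed placeholders.
#ADDRESS        INTERFACE   EXTERNAL   HAVEROUTE
203.0.113.10    eth1        eth0       no         # web server
203.0.113.11    eth1        eth0       no         # mail server
203.0.113.12    eth1        eth0       no         # DNS server

# /etc/shorewall/policy
# Default-deny from the net: anything not covered by a rule is dropped and logged.
#SOURCE   DEST   POLICY   LOG LEVEL
fw        all    ACCEPT
dmz       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules
# Only the advertised service of each server is reachable from the net.
# QUEUE hands the web traffic to user space, where snort-inline reads it from
# the queue and issues the verdict; as the thread notes, that only blocks
# anything if the Snort rules in question are "drop" rules, not "alert" rules.
#ACTION   SOURCE   DEST                PROTO   DEST PORT(S)
QUEUE     net      dmz:203.0.113.10    tcp     80,443
ACCEPT    net      dmz:203.0.113.11    tcp     25
ACCEPT    net      dmz:203.0.113.12    udp     53
ACCEPT    net      dmz:203.0.113.12    tcp     53
```

Rules are matched in order, so a plain ACCEPT for the web ports placed above the QUEUE line would bypass the inspection entirely.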
Steve Lawrence
2005-May-31 12:56 UTC
RE: Can shorewall be setup in a datacenter environment?
Hmm... Gb of traffic is not a problem. I have a Celeron 500 with 512 megs of RAM and it easily handles 180 GB/month, has about 50 rules in the rules file and routes about 60 IPs using ARP.

How many GB are you talking? Rules?

Steve.
Hello,

If you are talking about whether you can rely on it or not from a security perspective, yes you can.

If you are talking about the amount of traffic per second, the only limit is the speed of your PCI NIC. I calculated it before, counting on a 66 MHz PCI card (bus speed), and it was OK for a 1 Gigabit NIC, not only a 10/100 NIC.

So, go and enjoy.

For the Snort issue, I have it as a network IDS, and I'm configuring it without an IP. I do not like to put all my eggs in one basket, but if you want you can do it; it all depends on you.

Kind Regards
Samer
poh@readyspace.com.sg
2005-May-31 14:17 UTC
RE: Can shorewall be setup in a datacenter environment?
Hi,

Thanks a lot for all your inputs. I have looked at the ProxyARP doc; what worries me is the ISP router ARP cache taking hours to refresh...

Anyway, I need to read the docs further before I decide on anything... What kind of setup are you guys having? Especially those with the same requirements as me? Care to share?

Thanks
Poh Yong Hwang
Steve Lawrence
2005-May-31 14:28 UTC
RE: Can shorewall be setup in a datacenter environment?
ISP > Dedicated Shorewall > Switch > Servers.

I plan to install Snort on a separate box from the firewall. Not sure what you mean by ISP router cache; I installed the firewall and ARP took place as soon as Shorewall came up.

Looked at your web site; your environment is much the same as mine. Shorewall was very easy to set up for this.

Steve.
Hello Poh Young.

My two cents:

We have a Cisco router from our ISP. The first server I moved behind Shorewall with Proxy ARP took about 4-5 hours before it worked. I got no positive response with the arp-command suggestions.

The second server I moved into a proxy ARP configuration worked much better. On this try I used what we in Norway call the Swedish button :-) and turned the power off and on again. The ARP cache was flushed.

So, I would try to power off and on all equipment supplied from your ISP at your location.

/Kristian.
> Hello Poh Young. > > My two cents: > > We have a Cisco router from our ISP. > The first server I moved behind shorewall with Proxy arp to about 4-5 > hours > before it worked. > I got no positive response with the arp-command suggestions. > > The second server I moved into a proxy arp configuration worked much > better. > On this try I used what we in Norway call the Swedish button :-) and > turned > the power off and on again. > The arp cache was flushed. > > So, I would try to power off and on all equipment supplied from your ISP > at > you location.Switching power is not always possible depending on your SLA... What has worked for me with Cisco routers is pinging from the server in question through the router to a host in the internet. This has worked for me when doing MAC adress changes on a server. Simon> > /Kristian. > > > > > -----Original Message----- > From: shorewall-users-bounces@lists.shorewall.net > [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of > poh@readyspace.com.sg > Sent: 31. mai 2005 16:18 > To: Mailing List for Shorewall Users > Subject: RE: [Shorewall-users] Can shorewall be setup inadatacenter > environment? > > Hi, > > Thanks alot of all your inputs. I have look at the ProxyARP doc what > worrys me is the ISP router arp cache taking hours to refresh... > > Anyway, I need to read further the docs before i decide on anything... > What kind of setup are you guys having? Especially those with the same > requirements as me? Care to share? 
>
> Thanks
> Poh Yong Hwang
>
>> Hello,
>>
>> If you are talking about whether you can rely on it or not from a security perspective, yes you can.
>>
>> If you are talking about the amount of traffic/second, the only limit is the speed of your PCI NIC.
>> I calculated it before, counting on a 66 MHz PCI card (bus speed), and it was ok for a 1 Gigabit NIC, not only a 10/100 NIC.
>>
>> So, go and enjoy.
>>
>> For the Snort issue, I have it as a network IDS, and I'm configuring it without IP.
>>
>> I do not like to put all my eggs in one basket,
>> but if you want you can do it; it all depends on you.
>>
>> Kind Regards
>> Samer
>>
>>> From: "Steve Lawrence" <steve@nexiaweb.com>
>>> Reply-To: Mailing List for Shorewall Users <shorewall-users@lists.shorewall.net>
>>> To: "'Mailing List for Shorewall Users'" <shorewall-users@lists.shorewall.net>
>>> Subject: RE: [Shorewall-users] Can shorewall be setup in a datacenter environment?
>>> Date: Tue, 31 May 2005 06:56:49 -0600
>>>
>>> Hmm... Gb of traffic not a problem. I have a Celeron 500 with 512 megs of ram and it easily handles 180 GB/Month and has about 50 rules in the rules file and routes about 60 IPs using ARP.
>>>
>>> How many gb are you talking? Rules?
>>>
>>> Steve.
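As an added example (not code from the thread or from the Shorewall project), a POSIX sh script that builds the /etc/shorewall/proxyarp entries for the topology Poh describes, using the four-column layout of the Shorewall 2.x Proxy ARP docs linked earlier in the thread, and checks a copy of the firewall's `ip route` output for the /32 host routes Shorewall adds when HAVEROUTE is No. The interface names eth0 (towards the ISP router) and eth1 (towards the switch), the 192.0.2.0/24 addresses and the sample route table are assumptions constructed for the example.

```shell
# Added example, not from the thread: build /etc/shorewall/proxyarp for the
# topology Poh describes and check the firewall holds the /32 host routes
# Shorewall adds for HAVEROUTE=No entries (eth0, eth1, 192.0.2.0/24 assumed).
HOSTS="192.0.2.10 web
192.0.2.20 mail
192.0.2.30 dns"
# Constructed 'ip route' output; the host route for 192.0.2.30 is left out
SAMPLE_ROUTES="default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0  proto kernel  scope link  src 192.0.2.2
192.0.2.10 dev eth1  scope link
192.0.2.20 dev eth1  scope link"
# Succeed only for a dotted quad whose four octets are all in 0-255
valid_ipv4() (
    IFS=.; set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
)
# One line in the Shorewall 2.x column order ADDRESS INTERFACE EXTERNAL HAVEROUTE
proxyarp_line() {
    valid_ipv4 "$1" || { echo "bad address: $1" >&2; return 1; }
    printf '%s\t%s\t%s\t%s\n' "$1" "$2" "$3" "$4"
}
# Whole file: servers behind eth1, ISP router via eth0, Shorewall adds the routes
gen_proxyarp() {
    printf '#ADDRESS\tINTERFACE\tEXTERNAL\tHAVEROUTE\n'
    while read -r addr role; do
        proxyarp_line "$addr" eth1 eth0 No || return 1
    done <<EOF
$HOSTS
EOF
}
# Print each HAVEROUTE=No address with no "ADDR dev IFACE" route in the
# given 'ip route' text; exit status 1 when anything is missing
missing_host_routes() {
    cfg=$1; routes=$2; rc=0
    while read -r addr iface ext haveroute; do
        case $addr in '#'*|'') continue ;; esac
        [ "$haveroute" = No ] || continue
        printf '%s\n' "$routes" | awk -v a="$addr" -v i="$iface" \
            '$1==a && $2=="dev" && $3==i {f=1} END{exit !f}' || { echo "$addr"; rc=1; }
    done <<EOF
$cfg
EOF
    return $rc
}
missing_host_routes "$(gen_proxyarp)" "$SAMPLE_ROUTES" && echo "all host routes present" || echo "missing routes listed above"
```

On a real firewall, feed `missing_host_routes` the generated file and the live `ip route` output after `shorewall restart`; an address it prints is one the box will answer ARP for but cannot forward to.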