Hi all,

I have a client that has 4 subnets within his building: internet, office, business center and wireless. My plan is to use Shorewall, but I have never tested it with more than 2 interfaces. Is this possible? Would there be any issues that might arise? Each subnet would have access to the internet, but there will be no communications allowed between the others.

Thanks in advance....
Bryan K. Staggs wrote:
> I have a client that has 4 subnets within his building, internet,
> office, business center and wireless. My plan is to use Shorewall but I
> have never tested it with more than 2 interfaces. Is this possible?
> Would there be any issues that might arise? Each subnet would have
> access to the internet but there will be no communications allowed
> between the others.

AFAIK there are no limitations on the number of interfaces in Shorewall. Just use the three-interface examples and expand them to your needs.

Peter
Hello,

For your info, on 10-Jun-2005 18:36, Peter Eis wrote:
> Bryan K. Staggs wrote:
>> I have a client that has 4 subnets within his building, internet,
>> office, business center and wireless. My plan is to use Shorewall but I
>> have never tested it with more than 2 interfaces. Is this possible?
>
> AFAIK there are no limitations on the number of interfaces in Shorewall.
> Just use the three-interface examples and expand them to your needs.

Running Shorewall here with 2 physical ethernets configured for bonding, with 4 VLANs and 1 pptp, and 4 tun interfaces (in Shorewall: 9 interfaces), with 7 normal zones and 2 dynamic (sub)zones. So you have some room to grow ;-)

--
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker <SJCJonker@sjc.nl>
Bryan K. Staggs wrote:
> I have a client that has 4 subnets within his building, internet,
> office, business center and wireless. My plan is to use Shorewall but I
> have never tested it with more than 2 interfaces. Is this possible?
> Would there be any issues that might arise? Each subnet would have
> access to the internet but there will be no communications allowed
> between the others.

It is doable. I have two Shorewall firewalls connecting to four zones. Each has an Internet connection, an "internal" network, and two DMZs. The biggest hassle was mapping which physical port corresponds to which logical port. (Hint: ethtool is your friend :-)

--
Stephen Carville <stephen@totalflood.com>
Unix and Network Admin
Nationwide Totalflood
6033 W. Century Blvd
Los Angeles, CA 90045
310-342-3602
Bryan K. Staggs wrote:
> have never tested it with more than 2 interfaces. Is this possible?
> Would there be any issues that might arise? Each subnet would have
> access to the internet but there will be no communications allowed
> between the others.

I run a pair of Shorewall machines, each of which has 6 interfaces (1 x 802.11, 5 x 802.3), plus an OpenVPN subnet. It works pretty well. The only challenging part is crafting the "rules" and "policy" files, which can get large quickly if you want to have any kind of interesting behaviors. I went through several revisions of my "rules" file before I got the right set of behaviors (which are pretty complex, I'll admit). I'd really recommend that you put together a development machine and test your configurations. Having a live system to work with sped things up a LOT for me.

-Ryan
Hi Stijn,

I think it could be very educational to take a look at your configuration files... :)

Regards,
Urivan A. Flores Saaib

Stijn Jonker wrote:
> Running Shorewall here with 2 physical ethernets configured for bonding,
> with 4 vlans and 1 pptp, and 4 tun interfaces. (in shorewall as: 9
> interfaces)
>
> With 7 normal zones and 2 dynamic (sub)zones. So you have some room to
> grow ;-)
Hi,

I have a question about the functionality and usability of Shorewall as a firewall for my situation. I am the Network Administrator for an ISP, and we don't have a very large network, just a complex one. But the biggest concern is the amount of infected dial-up users we have, and their constant attacks that they unleash on each other and on the internet as a whole. I was told by the owner that we need to find a way to stop the complaints from other ISPs about our customers attacking them. I am confident that I have enough knowledge about Shorewall's configuration to isolate the dial-up customers (since they are all on one subnet) easily and thereby solve my problem, but I thought "Why stop there?" since we have other customers (on other subnets) using different services such as DSL and Wireless, as well as our own internal network, and our server network.

Here is the real question: how would I (assuming it's possible with Shorewall) go about setting up a firewall to block or filter ports on multiple subnets? I will briefly describe my network layout with fictitious IP ranges.

Core Router: Cisco 7200 with 4 T1s and 2 fast-Ethernet cards
Managed 24-port Switch hooked to eth0 of core router
Server Subnet 10.10.0.0/27
Office (LAN) Subnet 10.10.0.32/27
Cisco 2600 (Corporate Microwave Link) w/ 10.10.0.64/26 (needs no firewall)
Linux Wireless Router (Wireless) 10.10.0.128/25
4 Portmasters (Dial-up Users) 10.10.1.0/24
Cisco 2600 (DSL Router) 10.10.2.0/25 for Bridged and 10.10.2.128/25 for routed DSL

All the subnets pass through the managed switch to the router through its eth0. The most logical place to put the firewall would be between the router and the managed switch. The managed switch is not a layer 3 switch, otherwise this would be a lot easier.

Now that you see what I am working with, is this something that Shorewall can help me accomplish? If so, and this is a big one, would you help me come up with the configs to do it?
Thanks,

Jonathan Gnagy
Network Administrator
Digitaldune Networks
Better Business Through Better Networking
Jonathan Gnagy wrote:
> Here is the real question, how would I (assuming it's possible with
> Shorewall) go about setting up a firewall to block or filter ports on
> multiple subnets? I will briefly describe my network layout with
> fictitious IP ranges.
>
> Core Router: Cisco 7200 with 4 T1s and 2 fast-Ethernet cards
>
> Managed 24-port Switch hooked to eth0 of core router

Are the different subnets also on different VLANs, or do you have them all on the same broadcast (layer 2) domain? Assuming the switch supports VLANs and VLAN trunking (802.1Q), you could do a separate VLAN interface for each subnet on the Shorewall box. From there, the configuration would be similar to any other firewall.

-Wayne

--
Wayne A. Tucker
IT and Network Operations Manager
wtucker@donobi.com
DONOBI, Inc. <http://www.donobi.com/>
+1-360-782-4477
"The Internet Solutions Company"
> Here is the real question, how would I (assuming it's possible with
> Shorewall) go about setting up a firewall to block or filter ports on
> multiple subnets? I will briefly describe my network layout with
> fictitious IP ranges.
> [...]
> Now that you see what I am working with, is this something that
> Shorewall can help me accomplish? If so, and this is a big one, would
> you help me come up with the configs to do it?
>
> Thanks,
>
> Jonathan Gnagy

What ports do you want to block outbound? smtp? Yes, that is possible, just use the dest port column in the rules, something like:

REJECT:info loc:!<ips of real mail servers> net tcp 25

The ":!<ips of real mail servers>" part would exclude your mail servers. Now just scan the log for the IP addresses that get logged by this rule.

Jerry
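The configuration the thread is circling, written out as an added example (not from any poster or from the Shorewall project): Jonathan's fictitious subnets brought in as 802.1Q sub-interfaces per Wayne's suggestion, every zone allowed out to the net but kept apart from the other zones (which is also the shape of the answer to Bryan's four-interface question in the first thread, with physical NICs in place of the eth0.N sub-interfaces), and Jerry's logged SMTP restriction. Assumed and constructed: Shorewall 4.5 or later syntax, eth0 trunked to the managed switch and eth1 toward the core router, VLAN ids 10 to 50, and 10.10.0.5 and 10.10.0.6 as the ISP's mail servers.

```conf
# /etc/shorewall/zones
# (zone names kept to 5 characters, the limit in older Shorewall releases)
#ZONE   TYPE
fw      firewall
# net  = core router / upstream side
# srv  = 10.10.0.0/27,   lan  = 10.10.0.32/27 office
# wifi = 10.10.0.128/25, dial = 10.10.1.0/24, dsl = 10.10.2.0/24
net     ipv4
srv     ipv4
lan     ipv4
wifi    ipv4
dial    ipv4
dsl     ipv4

# /etc/shorewall/interfaces
# (assumed: eth1 faces the core router, eth0 carries the 802.1Q trunk from the
# managed switch; the VLAN ids are constructed for this example)
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth1        tcpflags,nosmurfs,routefilter
srv     eth0.10     tcpflags
lan     eth0.20     tcpflags
wifi    eth0.30     tcpflags
dial    eth0.40     tcpflags
dsl     eth0.50     tcpflags

# /etc/shorewall/policy
# (first matching line wins, so the broad ACCEPTs sit above the DROPs;
# the last line is what keeps the customer subnets from talking to each other)
#SOURCE   DEST    POLICY    LOG LEVEL
$FW       all     ACCEPT
lan       all     ACCEPT
all       net     ACCEPT
net       all     DROP      info
all       all     DROP      info

# /etc/shorewall/rules
# (rules are consulted before the policies and match in order)
#ACTION       SOURCE          DEST                      PROTO   DEST PORT(S)
# Customer subnets may submit mail only through the ISP's own mail servers
# (constructed addresses); any other outbound tcp/25 is rejected and logged at
# info, so the source address of each infected host ends up in syslog.
ACCEPT        dial,dsl,wifi   srv:10.10.0.5,10.10.0.6   tcp     25
REJECT:info   dial,dsl,wifi   net                       tcp     25
# Services customers legitimately need from the server subnet; anything else
# from the customer zones toward srv falls through to the all->all DROP policy.
ACCEPT        dial,dsl,wifi   srv                       udp     53
ACCEPT        dial,dsl,wifi   srv                       tcp     53,80,110,143

# /etc/shorewall/masq
# (only for Bryan's case, private addresses behind one public address; an ISP
# routing its own address blocks through the box leaves this file empty)
#INTERFACE   SOURCE
eth1         10.10.0.0/22
```

With the default LOGFORMAT the rejects show up in syslog with the prefix Shorewall:dial2net:REJECT: (dsl2net and wifi2net for the other zones), and the SRC= field of those lines is the list of hosts Jerry suggests scanning for.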
I have a suggestion, not to get too off topic, but my university has a very effective way of handling this type of situation with infected users on campus. Once an infected machine is detected they redirect all outgoing http from that machine to a special webpage with instructions on removing whatever malware they have. That way the user is essentially cut off from the internet until they resolve their issue, and are at the same time instantly educated about the problem and the solution. Just my two cents, but it seems a very effective method.

- Matt

> -----Original Message-----
> From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Jonathan Gnagy
> Sent: Thursday, July 07, 2005 2:50 PM
> To: shorewall-users@lists.sourceforge.net
> Subject: [Shorewall-users] Multiple Subnets
>
> Hi,
>
> I have a question about the functionality and usability of Shorewall
> as a firewall for my situation. I am the Network Administrator for an
> ISP, and we don't have a very large network, just a complex one. But
> the biggest concern is the amount of infected dial-up users we have,
> and their constant attacks that they unleash on each other and on
> the internet as a whole. [...]
Matt,

In the meantime, I'm having this problem too. Most of the infected users are trying to scan all local IPs with attempts on port 80. The squid server was struggling to handle too many http attempts. What programs do you use to detect those infected machines? I can't find any good ones though.

On 7/8/05, Matt Cyber Dog LaPlante <mcd@cyberdogtech.com> wrote:
> I have a suggestion, not to get too off topic, but my university has a very
> effective way of handling this type of situation with infected users on
> campus. Once an infected machine is detected they redirect all outgoing
> http from that machine to a special webpage with instructions on removing
> whatever malware they have. [...]
Here's a web page with our campus policy:
http://helpdesk.rpi.edu/update.do?artcenterkey=420

As you can see, they detect the traffic based on suspicious activity, logs, or complaints. I'm sure you can use any number of scanners to detect infected machines if you want to be proactive. I know Time Warner often does this with their Road Runner networks. Once an infected machine is found, DHCP is used (since most of these ISP network situations are dynamic) to simply provide unique info causing the infected host to be routed, or contained, to a specific site. Of course, since you control the host IP via DHCP, it's really only a minor issue to route the incoming traffic wherever you want. As long as you confine them to a given subnet, or have an active list of blocked IPs, you can do anything from dropping all access to redirecting traffic to webpages such as this.

I believe I just read about an Australian (?) ISP that's implementing this same sort of technique on their networks after having a lot of trouble with infected machines. I think it's great that more admins are becoming proactive with these problems. Let me know if I can be of any more assistance, I'll help if I can!

- Matt

> -----Original Message-----
> From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Wong Chee Chun
> Sent: Friday, July 08, 2005 1:00 PM
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] Multiple Subnets
>
> Matt,
>
> In the meantime, I'm having this problem too. Most of the infected
> users are trying to scan all local IPs with attempts on port 80. The
> squid server was struggling to handle too many http attempts. What
> programs do you use to detect those infected machines? I can't find any
> good ones though.
> [...]
I don't know how good a tool (by itself) Shorewall is to protect your customers from each other. Isolating the dial-up customers into a VLAN or subnet does little to stop them spewing their spyware/malware at machines on the Internet or at each other. I can think of a few effective uses of Shorewall in your situation:

- Limit SMTP traffic to your mail server, and select others as requested by your customers.
- Block some common trojan/virus ports (here is a list: http://www.doshelp.com/Ports/Trojan_Ports.htm).
- Block some subnets that are full of nothing but malicious hackers (http://www.dshield.org/).

Otherwise, I think what Shorewall can do that far upstream at an ISP is limited.

> > -----Original Message-----
> > From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Jonathan Gnagy
> > Sent: Thursday, July 07, 2005 2:50 PM
> > To: shorewall-users@lists.sourceforge.net
> > Subject: [Shorewall-users] Multiple Subnets
> >
> > Hi,
> >
> > I have a question about the functionality and usability of Shorewall
> > as a firewall for my situation. I am the Network Administrator for an
> > ISP, and we don't have a very large network, just a complex one. [...]
Ihmmm... How did you know when a machine is infected over Shorewall??

Thanks...

On Fri, 8 Jul 2005 07:08:40 -0400, Cyber Dog wrote:
> I have a suggestion, not to get too off topic, but my university
> has a very effective way of handling this type of situation with
> infected users on campus. Once an infected machine is detected
> they redirect all outgoing http from that machine to a special
> webpage with instructions on removing whatever malware they have.
> That way the user is essentially cut off from the internet until
> they resolve their issue, and are at the same time instantly
> educated about the problem and the solution. Just my two cents,
> but it seems a very effective method.
>
> -
> Matt
>
>> -----Original Message-----
>> From: shorewall-users-admin@lists.sourceforge.net
>> [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf
>> Of Jonathan Gnagy
>> Sent: Thursday, July 07, 2005 2:50 PM
>> To: shorewall-users@lists.sourceforge.net
>> Subject: [Shorewall-users] Multiple Subnets
>>
>> Hi,
>>
>> I have a question about the functionality and usability of
>> Shorewall as a firewall for my situation. I am the Network
>> Administrator for an ISP, and we don't have a very large network,
>> just a complex one. But the biggest concern is the amount of
>> infected dial-up users we have, and their constant attacks that
>> they unleash on each other and on the internet as a whole. I was
>> told by the owner that we need to find a way to stop the
>> complaints from other ISPs about our customers attacking them.
>> I am confident that I have enough knowledge about Shorewall's
>> configuration to isolate the dial-up customers (since they are
>> all on one subnet) easily and thereby solve my problem, but I
>> thought "Why stop there?" since we have other customers (on other
>> subnets) using different services such as DSL and Wireless, as
>> well as our own internal network, and our server network.

Carlos Arnt
Technical Director
Key soluções em Internet
Av. das Americas 500 bl 03 sala 204
Tel: (021) 2492-1666
VoIP worldwide network: 9000 or 9500
E-mail: solucoes@key.com.br
Shorewall of course isn't responsible for finding the infected machines. There's any number of methods including monitoring server logs for incoming attempts on known virus ports, or using any vulnerability scanner such as the free Nessus or commercial antivirus products. Products such as Nessus are great since they can automatically export all discoveries to a database, doing much of the automation for you. In the end though, it's a choice for the developer to make.

-
Matt

> -----Original Message-----
> From: shorewall-users-admin@lists.sourceforge.net
> [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Carlos Arnt
> Sent: Wednesday, July 13, 2005 4:43 PM
> To: shorewall-users@lists.sourceforge.net
> Subject: RE: [Shorewall-users] Multiple Subnets (Virus Behaviors)
>
> Ihmmm...
> How did you know when a machine is infected over Shorewall??
>
> Thanks...
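As an added example (not code from anyone in this thread), here is the log-monitoring approach Matt mentions, applied to the firewall's own Shorewall logs: it parses constructed log lines, keeps outbound TCP attempts on a set of ports assumed to be typical worm targets, maps each source to the zones of Jonathan's fictitious layout, and flags customer hosts that probed several distinct destinations, which is the list a remediation redirect like Matt's university setup would act on. The zone names, the port set and the threshold are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Zones for the thread's fictitious subnets; 10.10.2.0/24 covers both DSL halves.
SUBNETS = {
    "srv": ip_network("10.10.0.0/27"),
    "lan": ip_network("10.10.0.32/27"),
    "wifi": ip_network("10.10.0.128/25"),
    "dial": ip_network("10.10.1.0/24"),
    "dsl": ip_network("10.10.2.0/24"),
}
# Assumption: TCP ports that scanning worms of the period commonly probed.
WORM_PORTS = {135, 139, 445, 1434}

# Shorewall's default prefix "Shorewall:<chain>:<disposition>:" is followed by
# the ordinary netfilter LOG fields (IN=, OUT=, SRC=, DST=, PROTO=, DPT=, ...).
LOG_RE = re.compile(
    r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):.*?SRC=(?P<src>\S+)"
    r" DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)(?:.*?DPT=(?P<dpt>\d+))?"
)

def zone_of(addr):
    """Name of the internal/customer zone an address belongs to, else None."""
    ip = ip_address(addr)
    for name, net in SUBNETS.items():
        if ip in net:
            return name
    return None

def suspect_hosts(lines, threshold=3):
    """{src: (zone, distinct targets)} for hosts probing >= threshold targets."""
    targets = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m.group("proto") != "TCP" or m.group("dpt") is None:
            continue
        if int(m.group("dpt")) not in WORM_PORTS or zone_of(m.group("src")) is None:
            continue  # not a worm port, or inbound from the Internet
        targets[m.group("src")].add(m.group("dst"))
    return {src: (zone_of(src), len(dsts))
            for src, dsts in targets.items() if len(dsts) >= threshold}

# Constructed sample lines in syslog/Shorewall format (not real traffic).
SAMPLE_LOG = """\
Jul 13 16:40:01 fw kernel: Shorewall:dial2net:DROP:IN=eth1 OUT=eth0 SRC=10.10.1.37 DST=203.0.113.10 PROTO=TCP SPT=3412 DPT=445 SYN
Jul 13 16:40:01 fw kernel: Shorewall:dial2net:DROP:IN=eth1 OUT=eth0 SRC=10.10.1.37 DST=203.0.113.11 PROTO=TCP SPT=3413 DPT=445 SYN
Jul 13 16:40:02 fw kernel: Shorewall:dial2net:DROP:IN=eth1 OUT=eth0 SRC=10.10.1.37 DST=203.0.113.12 PROTO=TCP SPT=3414 DPT=135 SYN
Jul 13 16:40:02 fw kernel: Shorewall:wifi2net:DROP:IN=eth1 OUT=eth0 SRC=10.10.0.200 DST=203.0.113.10 PROTO=TCP SPT=1025 DPT=445 SYN
Jul 13 16:40:03 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.9 DST=10.10.1.37 PROTO=TCP SPT=4444 DPT=445 SYN
Jul 13 16:40:04 fw kernel: Shorewall:dial2net:DROP:IN=eth1 OUT=eth0 SRC=10.10.1.37 DST=203.0.113.10 PROTO=TCP SPT=3415 DPT=445 SYN
"""
```

Running `suspect_hosts(SAMPLE_LOG.splitlines())` flags only 10.10.1.37 in the dial zone (three distinct targets; the repeat hit is counted once), while the single wifi probe stays below the threshold and the inbound scan from the Internet is ignored.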