Hafiz (Variegate)
2005-Jul-06 14:14 UTC
Multiple Internet IP to Local Server at Datacenter
Hi List,

This is my first posting, hopefully you guys don't mind the newbie questions that I'm gonna post. And please excuse my English :)

First of all let me explain my current situation.

My servers are hosted in a datacenter with currently 6 IP addresses assigned to me by my ISP. Each of the servers has its own internet IP address. The servers are running Web servers (Apache with Virtual hosts, mySQL), Mail Servers (Postfix, Webmails, POP3) and FTP servers (Virtual hosts).

The current setup looks like the diagram below.

    Internet <-> ISP Gateway <-> ISP Switch <-> Web Server 1  202.93.xxx.5
                 202.93.xxx.1               <-> Web Server 2  202.93.xxx.6
                                            <-> Mail Server 1 202.93.xxx.7
                                            <-> Mail Server 2 202.93.xxx.8
                                            <-> FTP Server 1  202.93.xxx.9

What I'm thinking right now is to place a Shorewall Firewall server in the middle, between the ISP Switch and my servers, so it could filter out unwanted packets. The setup that came across my mind:

    Internet <-> ISP Gateway <-> ISP Switch <-> Shorewall FW
                 202.93.xxx.1                   202.93.xxx.4
                                                     |
                                                     |
                                                   Switch
                                                     |
                                                     |
                                            <-> Web Server 1  202.93.xxx.5
                                            <-> Web Server 2  202.93.xxx.6
                                            <-> Mail Server 1 202.93.xxx.7
                                            <-> Mail Server 2 202.93.xxx.8
                                            <-> FTP Server 1  202.93.xxx.9

Now the questions are:

1. Is it possible to set it up the way shown in the above diagram? If NO, I'd appreciate it if someone could shed some light on the correct setup.
2. Can Shorewall translate Apache Virtual Hosts IP's so it knows which servers to pass through? Same goes for FTP, Mails, etc.
3. Any pros and cons of doing the setup this way? Would it hurt the firewall server in terms of bandwidth and processors?
4. Or do I need to use local IPs rather than my internet IP's for the servers?
5. Can an IDS run together with Shorewall in the same box?

Really appreciate if someone could assist me on this.

Thanks.

Regards,

Hafiz
> My servers are hosted in a datacenter with currently 6IP's address
> assigned to me by my ISP. Each of the servers has its own internet IP
> address which the servers are running on Web server (Apache with Virtual
> hosts, mySQL), Mail Servers (Postfix, Webmails, POP3) and FTP servers
> (Virtual hosts).
>
> <snip>
>
> 1. Is it possible to setup such way as the above diagram ? If NO,
> appreciate someone could shade some lights on the correct setup.

Yes, 202.93.xxx.zzz are public, I'd look to use proxyarp. It's in the Docs.

> 2. Can Shorewall translate Apache Virtual Hosts IP's so it knows which
> servers to pass through ? Same goes to FTP, Mails, etc.

No, that is a dns issue. You define the allowed traffic by port/protocol, and source/destination (think zones here).

> 3. Any prons and cons doing this way of setup ? Would it hurt the firewall
> server in terms of bandwidth and processors ?

Should be fine.

> 4. Or does I need to use local ip rather than my internet IP's for the
> servers ?

You could, that would be 1to1 nat.

> 5. Can IDS runs together with Shorewall in the same box ?
>

Check the archives.

> Really appreciate if someone could assist me on this.
>
> Thanks.
>

Best you have a read of:

http://www.shorewall.net/shorewall_setup_guide.htm

Jerry
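The proxy ARP layout suggested in the reply above, sketched as Shorewall configuration files. This is an added example, not part of any message in the thread. It assumes the zones file layout of Shorewall 3.0 and later, eth0 facing the ISP switch and eth1 facing the server switch, zone names net and dmz, and the standard ports for the services named in the question. The masked xxx octets are kept as posted and must be replaced with the real values.

```conf
# /etc/shorewall/zones  (zone names are assumptions)
#ZONE   TYPE
fw      firewall
net     ipv4
dmz     ipv4

# /etc/shorewall/interfaces  (eth0 = ISP side, eth1 = server side; assumed names)
#ZONE   INTERFACE   BROADCAST
net     eth0        detect
dmz     eth1        detect

# /etc/shorewall/proxyarp
# The firewall answers ARP on eth0 for each server address and routes the
# traffic to eth1, so the servers keep their public IPs (no NAT involved).
# HAVEROUTE=no lets Shorewall add the host route; PERSISTENT=yes keeps the
# routes and ARP entries in place when Shorewall is stopped.
#ADDRESS        INTERFACE   EXTERNAL   HAVEROUTE   PERSISTENT
202.93.xxx.5    eth1        eth0       no          yes
202.93.xxx.6    eth1        eth0       no          yes
202.93.xxx.7    eth1        eth0       no          yes
202.93.xxx.8    eth1        eth0       no          yes
202.93.xxx.9    eth1        eth0       no          yes

# /etc/shorewall/policy  (default-deny inbound; outbound from servers assumed allowed)
#SOURCE   DEST   POLICY   LOG LEVEL
dmz       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules
# Traffic is allowed by destination address, protocol and port. Apache name-based
# virtual hosts are resolved by DNS and the Host header, not by the firewall.
# MySQL (tcp 3306) is deliberately not opened to the net zone.
#ACTION   SOURCE   DEST               PROTO   DEST PORT(S)
ACCEPT    net      dmz:202.93.xxx.5   tcp     80
ACCEPT    net      dmz:202.93.xxx.6   tcp     80
ACCEPT    net      dmz:202.93.xxx.7   tcp     25,80,110
ACCEPT    net      dmz:202.93.xxx.8   tcp     25,80,110
# Passive FTP data connections depend on the kernel FTP connection-tracking helper.
ACCEPT    net      dmz:202.93.xxx.9   tcp     21
```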
I believe the answer to your questions is yes. As for an IDS, they can be very active and would likely slow down the communications to your production servers. For some help you can look here for some howto's for shorewall and IDS's:

http://www.mybizguard.com/modules/wfsection/

Cheers!
Ken