Hi all,

I'm a little confused in a setup I'm trying to do and need to ask all you pros out there if I'm doing this right.

I have a Bering-uClibc machine set up as a router (it is to REPLACE an old 2600 series Cisco machine, the 2600 series only having 10Base-T). The new machine is a Pentium 4 3.4GHz, 1000/100/10 NICs etc. The machine is running Zebra (as I have 2 class Cs soon to be set up with BGP; I'm just waiting on my AS number). Zebra doesn't really have the equivalent of Cisco ACLs so I thought I could run Shorewall on the same machine.

eth0 is connected via a switch that is then connected to my ISP via fibre. (Hence wanting to move to 100Mbit NICs.)

I have a /30 between me and the ISP at the moment (again this will change once I get my AS number and set up BGP).

firewall# ip route
123.94.130.156/30 dev eth0 proto kernel scope link src 123.94.130.158
123.8.109.0/24 dev eth1 proto kernel scope link src 123.8.109.1
123.94.147.0/24 dev eth1 proto kernel scope link src 123.94.147.1
default via 123.94.130.157 dev eth0 proto zebra equalize

3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:03:ff:9e:99:9b brd ff:ff:ff:ff:ff:ff
    inet 123.94.130.158/30 brd 123.94.130.159 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:03:ff:9f:99:9b brd ff:ff:ff:ff:ff:ff
    inet 123.94.147.1/24 brd 123.94.147.255 scope global eth1
    inet 123.8.109.1/24 brd 123.8.109.255 scope global eth1
5: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:03:ff:90:99:9b brd ff:ff:ff:ff:ff:ff
    inet 10.10.100.1/24 brd 10.0.100.1 scope global eth2

What I thought I could do is Proxy ARP the 123.94.147.x machines but I'm confused in how to do this, as the machine that is the router will also be the Shorewall machine.

Does/has anyone got any ideas how I can set up this machine? I don't want to NAT/MASQ/can't remember what you call it the servers just yet; I would like them to still have "live" IPs on them. (Partly due to migration (we're talking about 100+ servers) and my boss wanting to be able to plug the door stop Cisco 2600 back in if things go belly up.)

So really, in short, I would like to set up my Bering-uClibc machine as a router (which I have this bit working ;) ) but it's the setup of Shorewall I'm confused with. Is it possible to do with Shorewall what I want to do?

Cheers and thanks in advance
Ad

-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast.
http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
Adam Niedzwiedzki wrote:
> So really in short I would like to setup my Bering-uClibc machine as a
> router (which I have this bit working ;) ) but it's the setup of shorewall
> I'm confused with. Is it possible to do with shorewall what I want to do?
>
> Cheers and thanks in advance
> Ad

Answers to some of your questions can be found here:
http://www.shorewall.net/shorewall_setup_guide.htm

I'd need to know how the ISP is handling your address space; looks like routed to me.

Jerry
Hi Jerry,

I have read the documentation and DO have an understanding of Shorewall (but only where I have a single/multiple live IPs but an upstream router, whether it be a Cisco box or a leaf-bering machine). In the setup I wish to do here I need to run Shorewall ON the router as such. So things like proxy ARP in the documentation etc. don't quite make sense.

At the moment the ISP is routing the 2 class Cs to my Cisco router (which my Bering machine will replace using Zebra); there is a small /30 between me and the ISP. My ISP has 123.94.130.157 on their end, I have 123.94.130.158 on eth0, the default route being

    route 0.0.0.0 0.0.0.0 123.94.130.157

Cheers
Ad

----- Original Message -----
From: "Jerry Vonau" <jvonau@shaw.ca>
To: <shorewall-users@lists.sourceforge.net>
Sent: Tuesday, August 02, 2005 10:52 PM
Subject: Re: [Shorewall-users] Setting up Shorewall ON the router

> Answers to some of your questions can be found here:
> http://www.shorewall.net/shorewall_setup_guide.htm
>
> I'd need to know how the isp is handling your address space, looks like
> routed to me.
>
> Jerry

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Adam Niedzwiedzki wrote:
> Hi Jerry,
>
> I have read the documentation and DO have an understanding of shorewall,
> (but only where I have a single/multiple live IP's but an upstream
> router, whether it be a cisco box or a leaf-bering machine). In the setup
> I wish to do here I need to run shorewall ON the router as such. So
> things like proxy arp in the documentation etc doesn't quite make sense.
>

Adam,

Features like NAT, MASQ and Proxy ARP are provided primarily to deal with routing inadequacies. If you don't need them then don't use them!!!!! The rest of the firewall configuration features (zones, rules, policies, actions, ...) do not in any way depend on them.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Hi Tom,

Fantastic, that's the first of my worries out of the way. Now the actual part of it: if I'm not using any of them, with my setup I'm not sure where I "slot" Shorewall in.

eth0 is connected to my ISP (routed via a /30).
eth1 is my internal interface and has both of my class Cs' .1 address on it (my servers all use this address as their gateway IP).

I know this is going to seem like such a lame question, but is it as simple as setting up my interfaces the same as normal?

ZONE    INTERFACE
net     eth0       ...
loc     eth1       ...

What I'm getting at is, are there any issues with having routed IPs and the machine the firewall is on also being the router? I have only ever set up Shorewall as a firewall only, with a router upstream and the DMZ NAT'd.

If it is just "normal" and I'm looking way too far into it, slap me around the head now and I'll go and test.

Cheers
Ad

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: <shorewall-users@lists.sourceforge.net>
Sent: Wednesday, August 03, 2005 8:22 AM
Subject: Re: [Shorewall-users] Setting up Shorewall ON the router

> Adam,
>
> Features like NAT, MASQ and Proxy ARP are provided primarily to deal with
> routing inadequacies. If you don't need them then don't use them!!!!! The
> rest of the firewall configuration features (zones, rules, policies,
> actions, ...) do not in any way depend on them.
>
> -Tom
Adam Niedzwiedzki wrote:
>
> What I'm getting at is there any issues with have routed IP's and the
> machine the firewall is on is also the router?

Adam,

Unless it's configured as a bridge, EVERY SHOREWALL SYSTEM WITH MORE THAN ONE INTERFACE IS A ROUTER. Not having to use these other crutches (MASQ, Proxy ARP, etc.) makes your job easier, not harder.

> I have only ever setup
> shorewall as a firewall only with a router upstream and the DMZ nat'd.
> If it is just "normal" and I'm looking way to far into it, slap me
> around the head now and I'll go and test.

Consider yourself slapped :-)

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
*snicker*

Ahh, how come I just knew I was gonna get that..
Cheers Tom, and thanks again; that's just made things too easy ;)

Regards
Adam

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: <shorewall-users@lists.sourceforge.net>
Sent: Wednesday, August 03, 2005 9:43 AM
Subject: Re: [Shorewall-users] Setting up Shorewall ON the router

> Unless it's configured as a bridge, EVERY SHOREWALL SYSTEM WITH MORE THAN
> ONE INTERFACE IS A ROUTER. Not having to use these other crutches (MASQ,
> Proxy ARP, etc) makes your job easier, not harder.
>
> Consider yourself slapped :-)
>
> -Tom
Adam Niedzwiedzki wrote:
> *snicker*
>
> Ahh how come I just knew I was gonna get that..
> Cheers Tom and thanks again that's just made things too easy ;)
>

Basically, if your routing is working the way you want it then adding the firewall rules is the easy part. You shouldn't have any problems.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
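A concrete Shorewall 2.x-style configuration for the topology in this thread (routed /30 on eth0, the two public /24s on eth1, no masq, nat or proxyarp), written as an added example rather than anything posted by Adam, Tom or the Shorewall project. The zone names, the web and SSH rules, the tcp/179 rule for the BGP peering Adam plans, and the output directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: Shorewall 2.x-style config for the setup
# Adam describes. eth0 = routed /30 to the ISP, eth1 = both public /24s with the
# firewall as gateway. No masq, nat or proxyarp file is written, because the
# servers keep their live addresses and plain routing carries the traffic.
# Assumptions: zone names, the web/SSH rules, the BGP rule for the planned
# peering, and the target directory (default /tmp/shorewall-example).
set -eu

write_shorewall_config() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/zones" <<'EOF'
#ZONE   DISPLAY   COMMENTS
net     Net       ISP side of the /30 on eth0
loc     Local     123.8.109.0/24 and 123.94.147.0/24 behind eth1
EOF
  # routeback: both /24s sit on eth1 and route through this box, so
  # subnet-to-subnet packets enter and leave on eth1; without the option
  # Shorewall will not forward them.
  cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags
loc     eth1        detect      routeback
EOF
  cat > "$dir/policy" <<'EOF'
#SOURCE  DEST   POLICY   LOG LEVEL
loc      net    ACCEPT
$FW      all    ACCEPT
net      all    DROP     info
all      all    REJECT   info
EOF
  # Explicit openings only. 123.94.130.157 is the ISP end of the /30 (from
  # the thread); tcp/179 is for the BGP session Adam plans to bring up.
  cat > "$dir/rules" <<'EOF'
#ACTION  SOURCE               DEST                 PROTO  DEST PORT(S)
ACCEPT   net                  loc:123.94.147.0/24  tcp    80,443
ACCEPT   net:123.94.130.157   $FW                  tcp    179
ACCEPT   loc                  $FW                  tcp    22
EOF
}
# Check that the generated tree does what Tom advises: filter only, no
# address rewriting anywhere.
config_has_no_nat() {
  dir="$1"
  [ ! -e "$dir/masq" ] && [ ! -e "$dir/nat" ] && [ ! -e "$dir/proxyarp" ] &&
    ! grep -qE 'MASQ|DNAT|SNAT' "$dir/rules"
}
write_shorewall_config "${1:-/tmp/shorewall-example}"
```

Run it with a scratch directory as the first argument, compare the files against the live /etc/shorewall tree, then `shorewall check` before `shorewall restart`.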
Adam Niedzwiedzki wrote:
>
> So really in short I would like to setup my Bering-uClibc machine as a
> router (which I have this bit working ;) ) but it's the setup of
> shorewall I'm confused with. Is it possible to do with shorewall what I
> want to do?
>

"Figure 14-1 Iptables Packet Flow Diagram" in http://www.siliconvalleyccie.com/linux-hn/iptables-intro.htm might help you visualize where packet routing and packet filtering are done. I am sure there is a similar picture somewhere in the corpus of Shorewall documentation.