Chris Mason (Lists)
2006-Jan-27 07:14 UTC
Advice please - best hardware/config to combine 3 ISPs
I want to build a robust firewall for a resort installation. The resort's telephony is entirely VOIP, asterisk based.

We have the following internet feeds:

1) 512/512 kb fixed bandwidth leased line with static IP from Telco - primary connection, expensive, to use for VOIP, VPN traffic, mail server, SSH access for remote work. Reliable.
2) 256/512 kb ADSL from Telco, not fixed IP - would want to put internal browsing traffic on this connection. Less reliable but inexpensive.
3) 256/256 kb Cable TV connection, static IP, not reliable, cannot be used for voice, would present our webcam on this external interface and use as backup SSH access if telco goes down.

Internally I have two types of users.
Office: Office workers, mail system, file sharing, Point of sale.
Guests: several computers for guest use, WiFi access points for guest's own laptops. Internet traffic is mostly browsing, IM, fetching email.

Externally I have:
VPN users accessing computers via VPN or PCAnywhere.
Mail users reading via squirrelmail.
Myself accessing via SSH for maintenance.

Currently I have a M0n0wall firewall running on a Soekris 4501 for internet 1 which works well but does not allow me to use multiple ISPs. I would like to replace this firewall with a Shorewall box with 4 network interfaces.

I want to move the internal users' Web Browsing traffic to ISP2.
I want to present Live Webcam on ISP3 as it tends to swamp the fixed line.

My biggest concern is that a hard drive based system might fail, leaving the resort without Internet and Telephony. What would your recommendation be for a mission critical application like this?

--
Chris
Robert K Coffman Jr - Info From Data
2006-Jan-27 13:33 UTC
RE: Advice please - best hardware/config to combine 3 ISPs
Build it on Leaf Bering uClibc. You can boot that from flash or CDROM, or do like I do and boot from HD and spin it down after boot. Leaf runs off of a RAM disk, addressing your concern about the HD...

- Bob
Chris Mason
2006-Jan-28 01:15 UTC
Re: Advice please - best hardware/config to combine 3 ISPs
Robert K Coffman Jr - Info From Data wrote:
> Build it on Leaf Bering uClibc. You can boot that from flash or CDROM, or
> do like I do and boot from HD and spin it down after boot. Leaf runs off of
> a RAM disk, addressing your concern about the HD...

But I think it is only shorewall 2.3 - I would want version 3. Correct me if I am wrong.
KP Kirchdoerfer
2006-Jan-28 01:57 UTC
Re: Advice please - best hardware/config to combine 3 ISPs
On Saturday, 28 January 2006 02:15, Chris Mason wrote:
> Robert K Coffman Jr - Info From Data wrote:
> > Build it on Leaf Bering uClibc. You can boot that from flash or CDROM, or
> > do like I do and boot from HD and spin it down after boot. Leaf runs off
> > of a RAM disk, addressing your concern about the HD...
>
> But I think it is only shorewall 2.3 - I would want version 3. Correct
> me if I am wrong.

shorewall 2.4.x is currently packaged with the releases. shorewall 3.0.4 is the latest version in the "testing" section, see:
http://leaf.sourceforge.net/bering-uclibc/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=3&MMN_position=3:3#TESTING

hth
kp
Hello there,

Well, I am an administrator of a Windows network, trying to build a Linux-based firewall in my network. For that I have installed MNF2 Linux firewall, which uses shorewall.

On my Windows firewall I used to have rules that allow all outbound traffic from certain MAC addresses on my LAN. Can I do this here: only allow a list of MAC addresses to use my firewall to access the internet?

Also, I need to forward some ports, like 80, to an internal web server. How is that possible?

Thanks

*º¤., ¸¸,.¤º*¨¨¨*¤ Stingray *º¤., ¸¸,.¤º*¨¨*¤