I have shorewall 2.2.3 working right now, upgraded from a 1.4 install performed years ago. It is running on Sarge and has worked brilliantly for more than 3 years.

However we are planning to move to a new Foundry Super-X core router in the coming weeks and it will greatly affect my shorewall configuration. I have thought about this a bit and was wondering if anyone would be willing to give me some advice.

Currently we look like this:

    Internet -- Shorewall -- LAN0 -- Router1 -- LAN1
                   |          |
                   |          Router2 -- LAN2 etc...
                   |
                  DMZ

In total there are let's say 6 routers and about 7 zones. The shorewall machine does the majority of the routing from zone to zone via static routes.

We are moving to something like this:

    Internet -- Shorewall -- LAN0
                   |          |
                  DMZ      SUPER-X
                  -------------------------------------------------
                   |    |    |    |    |    |    |
                  LAN1 LAN2 LAN3 LAN4 LAN5 LAN6 LAN7 etc...

However, one of the goals of this upgrade is to reduce the size of a rather large collision domain and create about 13 more LANs so that we will have about 19 zones in all. It looks to me like there is no way to get around the fact that my shorewall rules and policies are about to get a whole lot more complex.

With the Super-X doing all of the internal routing except for between internal zones and the DMZ and the internet, is there a way to simplify the shorewall configuration, say by lying to shorewall about the details of my internal subnet structure? I am referring to things like masquerading and my zone to zone rules that are required for my current setup.

Thanks for any help whatsoever!

Joel Staker
Network Administrator
City of Watsonville
Joel Staker
2006-Aug-25 21:57 UTC
Re: Seeking advice prior to a complex network upgrade...
Sorry about that formatting, that second ASCII diagram should look more like this:

    Internet
       |
    Shorewall --- DMZ
       |
      LAN0
       |
    SUPER-X ----------------------------------------
      |    |    |    |    |    |    |
     LAN1 LAN2 LAN3 LAN4 LAN5 LAN6 LAN7 etc...
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Prasanna Krishnamoorthy
2006-Aug-26 04:34 UTC
Re: Seeking advice prior to a complex network upgrade...
Assuming that the subnets for LAN0+LAN1+LAN... and the DMZ are disjoint, you should be able to make do with FW + LAN + DMZ zones alone.

    LAN0 = 10.0.1.0/24
    LAN1 = 10.0.2.0/24
    ...
    DMZ  = 10.1.1.0/24

so the LAN zone could simply be 10.0.0.0/16, and DMZ would be 10.1.1.0/24. Isn't that ok?

I'd think, since the shorewall box doesn't actually have to route each zone, life, or rather the shorewall configuration, becomes simpler - you masquerade on the WAN interface on the shorewall box, and you're done.

Prasanna.
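A way to check Prasanna's "disjoint subnets" precondition before collapsing the 19 LANs into one zone, as an added example that is not from the thread: it computes the smallest prefix that covers each zone's subnets (rather than the hand-picked /16) and reports any subnet of another zone that the aggregate would swallow, which is the misconfiguration that would let DMZ traffic be classified as LAN. The 10.0.x.0/24 addressing, the zone names loc/dmz and the interface names eth1/eth2 are assumptions.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple


def covering_supernet(nets: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single prefix containing every network in `nets`."""
    parsed = [ipaddress.ip_network(n) for n in nets]
    cover = parsed[0]
    while not all(n.subnet_of(cover) for n in parsed):
        cover = cover.supernet()  # widen by one bit until everything fits
    return cover


def aggregate_zones(zones: Dict[str, List[str]]) -> Dict[str, str]:
    """One covering prefix per zone: the 'lie' told to Shorewall."""
    return {zone: str(covering_supernet(nets)) for zone, nets in zones.items()}


def zone_conflicts(zones: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Subnets that a *different* zone's aggregate would overlap.
    Returns (aggregating_zone, owning_zone, subnet) triples; empty means safe."""
    hits = []
    for agg_zone, prefix in aggregate_zones(zones).items():
        cover = ipaddress.ip_network(prefix)
        for owner, nets in zones.items():
            if owner == agg_zone:
                continue
            hits += [(agg_zone, owner, n) for n in nets
                     if ipaddress.ip_network(n).overlaps(cover)]
    return hits


def hosts_lines(zones: Dict[str, List[str]], ifaces: Dict[str, str]) -> List[str]:
    """/etc/shorewall/hosts entries (ZONE  HOST(S)) for the aggregates.
    Interface names are assumed; adjust to the real LAN0/DMZ interfaces."""
    return [f"{z}\t{ifaces[z]}:{p}" for z, p in aggregate_zones(zones).items()]


if __name__ == "__main__":
    # Constructed addressing following the sketch above: LANx = 10.0.x.0/24
    # for 19 internal LANs behind the Super-X, DMZ = 10.1.1.0/24.
    plan = {"loc": [f"10.0.{i}.0/24" for i in range(1, 20)], "dmz": ["10.1.1.0/24"]}
    print(zone_conflicts(plan))                  # [] -> safe to collapse
    print("\n".join(hosts_lines(plan, {"loc": "eth1", "dmz": "eth2"})))
    # A DMZ moved into 10.0.x would be swallowed by loc's /19 aggregate:
    print(zone_conflicts(dict(plan, dmz=["10.0.20.0/24"])))
```

The aggregate only works if the shorewall box also has a static route for that covering prefix pointing at the Super-X's LAN0 address; otherwise replies to LAN1..LAN19 have no path back.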