I'm about to test a setup here and was trying to find some info about using a 3-NIC Shorewall setup with 2 IPs.

I was thinking about letting all traffic on 1 IP go straight through the firewall to another firewall on the DMZ (ISA 2006 to publish Exchange OWA) and the other IP should have the usual rules and so on (already set up and running fine for the last 77 days).

As I have not found any info about this kind of setup I am just asking if this is possible with Shorewall and if maybe someone has done something similar? I'm not looking for a final solution here, but maybe some pointers or some do's and don'ts.

Best regards,
JoB

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
JoB wrote:
> I'm about to test a setup here and was trying to find some info about
> using a 3-NIC Shorewall setup with 2 IPs.
>
> I was thinking about letting all traffic on 1 IP go straight through the
> firewall to another firewall on the DMZ (ISA 2006 to publish Exchange
> OWA) and the other IP should have the usual rules and so on (already set up
> and running fine for the last 77 days).
>
> As I have not found any info about this kind of setup I am just asking if
> this is possible with Shorewall and if maybe someone has done something
> similar? I'm not looking for a final solution here, but maybe some
> pointers or some do's and don'ts.

http://www.shorewall.net/shorewall_setup_guide.htm

-Tom
--
Tom Eastep        \ The ultimate result of shielding men from the effects of
Shoreline,         \ folly is to fill the world with fools.
Washington, USA    \ -- Herbert Spencer
------------------------------------------------------------------------
http://www.shorewall.net
Tom Eastep wrote:
> JoB wrote:
>> I'm about to test a setup here and was trying to find some info about
>> using a 3-NIC Shorewall setup with 2 IPs.
>>
>> I was thinking about letting all traffic on 1 IP go straight through
>> the firewall to another firewall on the DMZ (ISA 2006 to publish
>> Exchange OWA) and the other IP should have the usual rules and so on (already
>> set up and running fine for the last 77 days).
>>
>> As I have not found any info about this kind of setup I am just asking
>> if this is possible with Shorewall and if maybe someone has done
>> something similar? I'm not looking for a final solution here, but maybe
>> some pointers or some do's and don'ts.
>
> http://www.shorewall.net/shorewall_setup_guide.htm
>
> -Tom

Heh, there it was... I feel a bit silly now :-) I guess I needed a little push because I was not thinking all too clearly, but as I see it I need to do some One-to-One NAT (tested it and it seems to work fine).

Thanks!

Best regards,
JoB

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
JoB wrote:
> Heh, there it was... I feel a bit silly now :-) I guess I needed a
> little push because I was not thinking all too clearly, but as I see it
> I need to do some One-to-One NAT (tested it and it seems to work
> fine).

Please keep your reply above my .sig -- otherwise, it disappears when I reply.

One-to-one NAT would not be my first choice -- I would use Proxy ARP instead.

-Tom
-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: 21 September 2008 22:22
To: Shorewall Users
Subject: Re: [Shorewall-users] Question about 3nic's FW with 2 ip's

JoB wrote:
> Heh, there it was... I feel a bit silly now :-) I guess I needed a
> little push because I was not thinking all too clearly, but as I see it
> I need to do some One-to-One NAT (tested it and it seems to work
> fine).

Please keep your reply above my .sig -- otherwise, it disappears when I reply.

One-to-one NAT would not be my first choice -- I would use Proxy ARP instead.

-Tom

Any special reason for that? I forgot to tell you that I already have a virtual webserver that is DNAT'ed behind the other IP.

//-JoB
JoB wrote:
>
> -----Original Message-----
> From: Tom Eastep [mailto:teastep@shorewall.net]
>
>> One-to-one NAT would not be my first choice -- I would use Proxy ARP instead.
>>
>> Any special reason for that? I forgot to tell you that I already have a virtual webserver that is
>> DNAT'ed behind the other IP.

I just find that there are many fewer issues when servers have only one IP address rather than two.

-Tom
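To make the two options Tom contrasts concrete, here is an added illustration of how each would look in Shorewall's configuration files; it is not from the thread or from the Shorewall project, and the interface names and addresses are assumed placeholders (203.0.113.0/24 is a documentation range).

```text
# Assumed layout (constructed for this example): eth0 = net, eth1 = loc, eth2 = dmz
# Public block 203.0.113.8/29 (placeholder): 203.0.113.10 is the firewall's own
# external address, 203.0.113.12 is reserved for the ISA box, and 203.0.113.11
# is the public IP the existing web server is already DNAT'ed behind.

# --- Option A: one-to-one NAT (what JoB tested) --------------------------
# /etc/shorewall/nat
#EXTERNAL       INTERFACE   INTERNAL        ALL_INTERFACES  LOCAL
203.0.113.12    eth0        10.0.3.12       No              No
# The ISA box keeps a private address (10.0.3.12) on the DMZ and Shorewall
# rewrites both directions. The host now answers to two addresses, which is
# the situation Tom says causes the most trouble (internal clients resolving
# its public name need split DNS to reach it consistently).

# --- Option B: Proxy ARP (Tom's preference) ------------------------------
# /etc/shorewall/proxyarp
#ADDRESS        INTERFACE   EXTERNAL    HAVEROUTE
203.0.113.12    eth2        eth0        No
# The ISA box is configured with 203.0.113.12 itself (netmask of the public
# block, default gateway = the firewall's external address 203.0.113.10).
# The firewall answers ARP for that address on eth0 and routes it to eth2;
# the host has exactly one address, so no NAT and no two-address confusion.

# --- Filtering applies to both options -----------------------------------
# /etc/shorewall/rules
#ACTION   SOURCE   DEST                 PROTO   DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST
# Open only what ISA needs to publish OWA; the DEST address is the one the
# ISA box actually carries (public for option B, private for option A).
ACCEPT    net      dmz:203.0.113.12     tcp     443           # option B
#ACCEPT   net      dmz:10.0.3.12        tcp     443           # option A
# The existing web server stays DNAT'ed behind the other public IP, unchanged:
DNAT      net      dmz:10.0.3.80        tcp     80            -               203.0.113.11
```

Traffic not matched by a rule still falls to the net->dmz policy, so the DMZ firewall is only reachable on the published ports whichever option is chosen.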
On Sun, Sep 21, 2008 at 01:59:24PM -0700, Tom Eastep wrote:
> JoB wrote:
>>
>> -----Original Message-----
>> From: Tom Eastep [mailto:teastep@shorewall.net]
>>
>>> One-to-one NAT would not be my first choice -- I would use Proxy ARP instead.
>>>
>>> Any special reason for that? I forgot to tell you that I already have a virtual webserver that is
>>> DNAT'ed behind the other IP.
>
> I just find that there are many fewer issues when servers have only one
> IP address rather than two.

Not least of which is that Kerberos is problematic with multi-homed hosts.

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Roberto C. Sánchez wrote:
> On Sun, Sep 21, 2008 at 01:59:24PM -0700, Tom Eastep wrote:
>> JoB wrote:
>>> -----Original Message-----
>>> From: Tom Eastep [mailto:teastep@shorewall.net]
>>>
>>>> One-to-one NAT would not be my first choice -- I would use Proxy ARP instead.
>>>>
>>>> Any special reason for that? I forgot to tell you that I already have a virtual webserver that is
>>>> DNAT'ed behind the other IP.
>> I just find that there are many fewer issues when servers have only one
>> IP address rather than two.
>>
> Not least of which is that Kerberos is problematic with multi-homed
> hosts.

This really isn't a multi-homing issue -- rather it is a DNS issue where it is often necessary to run split DNS to keep the internal hosts from being confused about who they really are.

-Tom