Hello,

Basically, my layout is as follows.

I have an ADSL modem with DHCP assigned, I use my own DNS servers, and currently eth0 is attached to the modem. Then eth1 is attached to my local network.

I used the two-interface setup and it worked great, but now I have decided to DMZ my vulnerable services such as FTP/HTTP, but I do not have the resources to pay for another server and network card.

So what I wish to do is run this operating system in a virtual guest using KVM, and then follow the three-interfaces guide as follows.

So far I created a bridge for eth0 called br0, and this obtains the DHCP lease from the ADSL modem, and eth0 is set to manual.

Now let's go back to two interfaces and change eth1 to br0. Let's say I don't allow loc access to (net); what happens? The whole server cannot see the internet, because it is bridged through br0.

The solution??? I don't really know, that's why I'm mailing here to see if maybe someone can help me out with this.

I have read http://www.shorewall.net/KVM.html, but it does not really help.

Regards,
Alex Whiteside

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Alex Whiteside wrote:
> Hello,
>
> Basically, my layout is as follows.
>
> I have an ADSL modem with DHCP assigned, I use my own DNS servers, and
> currently eth0 is attached to the modem. Then eth1 is attached to my
> local network.
>
> I used the two-interface setup and it worked great, but now I have
> decided to DMZ my vulnerable services such as FTP/HTTP, but I do not have
> the resources to pay for another server and network card.
>
> So what I wish to do is run this operating system in a virtual guest
> using KVM, and then follow the three-interfaces guide as follows.
>
> So far I created a bridge for eth0 called br0, and this obtains the DHCP
> lease from the ADSL modem, and eth0 is set to manual.

Why? The most natural thing to do is to create the bridge and make the bridge the third interface. The bridge serves to connect the Virtual Machine to the Firewall.

> Now let's go back to two interfaces and change eth1 to br0. Let's say I don't
> allow loc access to (net); what happens? The whole server cannot see the
> internet, because it is bridged through br0.

I don't understand that paragraph.

> The solution??? I don't really know, that's why I'm mailing here to see if
> maybe someone can help me out with this.
>
> I have read http://www.shorewall.net/KVM.html, but it does not really help.

It won't help, so long as you are hung up on bridging one of your current interfaces.

-Tom
--
Tom Eastep        \ The ultimate result of shielding men from the effects of
Shoreline,         \ folly is to fill the world with fools.
Washington, USA     \ -- Herbert Spencer
------------------------------------------------------------------------
http://www.shorewall.net
On Sat, Sep 27, 2008 at 12:44 AM, Tom Eastep <teastep@shorewall.net> wrote:
> Alex Whiteside wrote:
> > So far I created a bridge for eth0 called br0, and this obtains the DHCP
> > lease from the ADSL modem, and eth0 is set to manual.
>
> Why? The most natural thing to do is to create the bridge and make the
> bridge the third interface. The bridge serves to connect the Virtual
> Machine to the Firewall.

Okay, so what you are saying is: eth0 has an auto IP, and br0 is set to manual or auto? When br0 is on auto it gets the same IP as eth0.

Sorry, I'm just a bit confused on how to approach this; maybe you can give some pointers?

> > Now let's go back to two interfaces and change eth1 to br0. Let's say I don't
> > allow loc access to (net); what happens? The whole server cannot see the
> > internet, because it is bridged through br0.
>
> I don't understand that paragraph.

Basically, for some reason, when I create a bridge br0 based on eth0, my whole internet connection wants to route through br0 instead of eth0, so therefore I cannot control this.

> > The solution??? I don't really know, that's why I'm mailing here to see if
> > maybe someone can help me out with this.
> >
> > I have read http://www.shorewall.net/KVM.html, but it does not really
> > help.
>
> It won't help, so long as you are hung up on bridging one of your
> current interfaces.
>
> -Tom
Alex Whiteside wrote:
> On Sat, Sep 27, 2008 at 12:44 AM, Tom Eastep <teastep@shorewall.net> wrote:
>
> > Why? The most natural thing to do is to create the bridge and make the
> > bridge the third interface. The bridge serves to connect the Virtual
> > Machine to the Firewall.
>
> Okay, so what you are saying is: eth0 has an auto IP, and br0 is set to
> manual or auto? When br0 is on auto it gets the same IP as eth0.
>
> Sorry, I'm just a bit confused on how to approach this; maybe you can give
> some pointers?

I'm saying, DON'T BRIDGE eth0!

> > > Now let's go back to two interfaces and change eth1 to br0. Let's say
> > > I don't allow loc access to (net); what happens? The whole server cannot
> > > see the internet, because it is bridged through br0.
> >
> > I don't understand that paragraph.
>
> Basically, for some reason, when I create a bridge br0 based on eth0, my
> whole internet connection wants to route through br0 instead of eth0, so
> therefore I cannot control this.

DON'T BRIDGE eth0.

Given the reduced support for bridges in kernels 2.6.20 and later, I would not use a bridge between the internet and your KVM server. If you bridge eth0, you won't be able to control loc->DMZ traffic separately from loc->net traffic; I don't think you want that restriction. I would rather make the bridge a standalone bridge with an RFC 1918 address, just as I do in the Shorewall KVM article. You can then use port forwarding from eth0 to the server.

-Tom
Hey,

Are there any guides on how to do this?

Thanks in advance

On Sun, Sep 28, 2008 at 12:37 AM, Tom Eastep <teastep@shorewall.net> wrote:
> Alex Whiteside wrote:
> > Okay, so what you are saying is: eth0 has an auto IP, and br0 is set to
> > manual or auto? When br0 is on auto it gets the same IP as eth0.
> >
> > Sorry, I'm just a bit confused on how to approach this; maybe you can give
> > some pointers?
>
> I'm saying, DON'T BRIDGE eth0!
>
> > Basically, for some reason, when I create a bridge br0 based on eth0, my
> > whole internet connection wants to route through br0 instead of eth0, so
> > therefore I cannot control this.
>
> DON'T BRIDGE eth0.
>
> Given the reduced support for bridges in kernels 2.6.20 and later, I
> would not use a bridge between the internet and your KVM server. If you
> bridge eth0, you won't be able to control loc->DMZ traffic separately
> from loc->net traffic; I don't think you want that restriction. I would
> rather make the bridge a standalone bridge with an RFC 1918 address,
> just as I do in the Shorewall KVM article. You can then use port
> forwarding from eth0 to the server.
>
> -Tom
Alex Whiteside wrote:
> Hey,
>
> Are there any guides on how to do this?

It's a common garden-variety three-interface firewall (http://www.shorewall.net/three-interface.htm)! The DMZ interface is the bridge, set up using the script which you can find by reading http://www.shorewall.net/KVM.html.

-Tom
Tom Eastep wrote:
> Alex Whiteside wrote:
> > Hey,
> >
> > Are there any guides on how to do this?
>
> It's a common garden-variety three-interface firewall
> (http://www.shorewall.net/three-interface.htm)! The DMZ interface is the
> bridge, set up using the script which you can find by reading
> http://www.shorewall.net/KVM.html.

And as with all bridges, be sure to set the 'routeback' option on your bridge.

-Tom
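The layout Tom describes in this thread, written out as an added example (this is not code from the thread, from Alex, or from the Shorewall project, and it is not the script the KVM article refers to): eth0 stays an ordinary DHCP interface and is never bridged; br0 is a standalone bridge with an RFC 1918 address that only the KVM guest's tap device joins; Shorewall treats br0 as the third interface with 'routeback' set; and the guest's FTP/HTTP are reached from the net by port forwarding on eth0. Everything specific is an assumption: the loc network on eth1, the 192.168.100.0/24 DMZ subnet, the guest address 192.168.100.10, and the service ports 80 and 21. The file formats follow Shorewall's zones, interfaces, policy, rules and masq files; check them against the three-interface guide for your Shorewall version before using them.

```shell
#!/bin/sh
# Added example for a KVM guest in a DMZ behind a Shorewall three-interface
# firewall. Constructed assumptions: loc on eth1, DMZ bridge br0 with
# 192.168.100.1/24, guest at 192.168.100.10 serving HTTP (80) and FTP (21).
# eth0 (DHCP from the ADSL modem) is never added to the bridge.

DMZ_BRIDGE=br0
DMZ_HOST_ADDR=192.168.100.1/24
DMZ_GUEST=192.168.100.10

# Host side: create br0 as a standalone bridge with a private address.
# Only the guest's tap device is attached; eth0 and eth1 are not.
# Needs root and iproute2; defined here for reference, not run by the test.
create_dmz_bridge() {
    ip link add "$DMZ_BRIDGE" type bridge
    ip addr add "$DMZ_HOST_ADDR" dev "$DMZ_BRIDGE"
    ip link set "$DMZ_BRIDGE" up
    # qemu/libvirt attaches the guest's tap device, e.g.:
    #   ip link set tap0 master "$DMZ_BRIDGE"
}

# Write the Shorewall configuration files into DIR (/etc/shorewall on the
# firewall; a scratch directory when only inspecting the output).
write_shorewall_config() {
    dir=$1
    mkdir -p "$dir"

    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
EOF

    # routeback on br0: traffic between hosts on the same bridge passes
    # through the firewall instead of being silently dropped.
    cat > "$dir/interfaces" <<EOF
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        detect      tcpflags,nosmurfs
dmz     $DMZ_BRIDGE detect      routeback
EOF

    # Because eth0 is not bridged, loc->net and loc->dmz are independent
    # policies; here the LAN reaches the DMZ only through explicit rules.
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
loc     dmz     REJECT
dmz     net     ACCEPT
fw      all     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF

    # Port forwarding from eth0 to the guest, plus what the LAN and the
    # guest may ask the firewall itself for (DNS, SSH from the LAN).
    cat > "$dir/rules" <<EOF
#ACTION SOURCE  DEST                PROTO   DEST PORT(S)
DNAT    net     dmz:$DMZ_GUEST  tcp     80
DNAT    net     dmz:$DMZ_GUEST  tcp     21
ACCEPT  loc     dmz:$DMZ_GUEST  tcp     80,21
ACCEPT  dmz     fw                  udp     53
ACCEPT  dmz     fw                  tcp     53
ACCEPT  loc     fw                  udp     53
ACCEPT  loc     fw                  tcp     22
EOF

    # Both internal networks leave via eth0 with source NAT.
    cat > "$dir/masq" <<EOF
#INTERFACE  SOURCE
eth0        eth1
eth0        $DMZ_BRIDGE
EOF
}

# Sanity check on a written config: the DMZ interface must be the bridge
# with routeback set, and eth0 must not be the DMZ interface. Returns 0 if ok.
check_shorewall_config() {
    dir=$1
    grep -q "^dmz[[:space:]]*$DMZ_BRIDGE.*routeback" "$dir/interfaces" || return 1
    grep -q "^dmz[[:space:]]*eth0" "$dir/interfaces" && return 1
    return 0
}

# Usage: sh dmz-bridge.sh /etc/shorewall, then 'shorewall check' and
# 'shorewall restart'. With no argument only the functions are defined.
if [ -n "$1" ]; then
    write_shorewall_config "$1" && check_shorewall_config "$1" \
        && echo "Shorewall files written to $1; run: shorewall check"
fi
```

The guest needs a static address of 192.168.100.10 with 192.168.100.1 as its gateway and resolver; for active FTP through the DNAT you will also need Shorewall's FTP connection-tracking helper loaded, which the rules above do not cover.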