Hello,

I have a question.

I'll configure a new Shorewall, but this time, I'll use a DSL modem with PPPoE.

1. The DSL modem is connected on eth0
2. I have 16 public IPs, and need to use 6 IPs. (eth0:1 ~ eth0:6)

After connecting with the PPPoE connection, my external interface is ppp0.

How do I need to configure my interfaces and zone files properly?

Thanks for the help.

Best regards,
Watanabe Anderson.
Watanabe Anderson wrote:
> Hello,
>
> I have a question.
>
> I'll configure a new Shorewall, but this time, I'll use a DSL modem with
> PPPoE.
>
> 1. The DSL modem is connected on eth0
> 2. I have 16 public IPs, and need to use 6 IPs. (eth0:1 ~ eth0:6)

I think that you will just confuse yourself by assigning the IP addresses to eth0 since no IP traffic will ever go through eth0. Why do you want to add them to your firewall at all? Your ISP must route all of these addresses through the PPP no matter if you add them to your firewall or not. So there is really no point in defining them on the firewall.

The only reason that you add additional addresses to an interface is so that your system will respond to ARP requests for those addresses; with PPP, there is no ARP.

> After connecting with the PPPoE connection, my external interface is ppp0.
>
> How do I need to configure my interfaces and zone files properly?

Simply think of those addresses as being automatically added on ppp0. They won't be configured that way, but from a Shorewall point of view, that doesn't matter. eth0 does not exist at all, as far as Shorewall is concerned (unless you have added an IP address to it to be able to access the web server in the modem; but that's a different matter).

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep wrote:
> Watanabe Anderson wrote:
>> Hello,
>>
>> I have a question.
>>
>> I'll configure a new Shorewall, but this time, I'll use a DSL modem with
>> PPPoE.
>>
>> 1. The DSL modem is connected on eth0
>> 2. I have 16 public IPs, and need to use 6 IPs. (eth0:1 ~ eth0:6)
>
> I think that you will just confuse yourself by assigning the IP
> addresses to eth0 since no IP traffic will ever go through eth0. Why do
> you want to add them to your firewall at all? Your ISP must route all of
> these addresses through the PPP no matter if you add them to your
> firewall or not. So there is really no point in defining them on the
> firewall.
>
> The only reason that you add additional addresses to an interface is so
> that your system will respond to ARP requests for those addresses; with
> PPP, there is no ARP.

Actually, there is another reason -- you may want to have applications running on the firewall bind to one of those addresses. If that is the case in your environment, I would add them to another interface besides eth0 -- possibly lo or even a dummy interface.

-Tom
Tom,

For example,

My ppp0 interface always receives the same IP address. I have 16 IPs available.

My first IP is 61.x.y.72 (at ppp0)

I need to create a DNAT rule, using the IPs 61.x.y.73 and 61.x.y.74. Are my rules below correct?

#ACTION  SOURCE  DEST              PROTO  DEST  SOURCE   ORIGINAL
#                                         PORT  PORT(S)  DEST
DNAT     net     loc:10.0.0.11:80  tcp    80    -        61.x.y.73
DNAT     net     loc:10.0.0.21:80  tcp    80    -        61.x.y.74

I'm sorry if my question is easily resolved, but as you said, I'm confused.

Thanks a lot.

Watanabe Anderson.

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: Sunday, June 07, 2009 12:06 AM
Subject: Re: [Shorewall-users] External Aliases Configuration
Watanabe Anderson wrote:
> Tom,
>
> For example,
>
> My ppp0 interface always receives the same IP address. I have 16 IPs
> available.
>
> My first IP is 61.x.y.72 (at ppp0)
>
> I need to create a DNAT rule, using the IPs 61.x.y.73 and 61.x.y.74. Are my
> rules below correct?
>
> #ACTION  SOURCE  DEST              PROTO  DEST  SOURCE   ORIGINAL
> #                                         PORT  PORT(S)  DEST
> DNAT     net     loc:10.0.0.11:80  tcp    80    -        61.x.y.73
> DNAT     net     loc:10.0.0.21:80  tcp    80    -        61.x.y.74
>
> I'm sorry if my question is easily resolved, but as you said, I'm confused.

Your rules appear to be correct.

-Tom
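
The interface and zone layout described in Tom's replies, written out as Shorewall files. This is an added example, not configuration posted in the thread: the zone names net and loc are taken from the DNAT rules above, while the LAN interface name eth1 and the CLAMPMSS setting are assumptions.

```conf
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4

# /etc/shorewall/interfaces
# ppp0 is the only external interface. eth0 only carries PPPoE frames to the
# modem, so it gets no entry here, and the extra public addresses are not
# configured on any interface: the ISP routes them over the PPP link and the
# DNAT rules match them in the ORIGINAL DEST column.
# eth1 is an assumed name for the LAN-facing interface.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp0        -           tcpflags
loc     eth1        detect      tcpflags

# /etc/shorewall/shorewall.conf
# MSS clamping, which Shorewall's documentation recommends when the external
# interface is a PPP link (assumed to apply to this PPPoE setup).
CLAMPMSS=Yes
```

If applications on the firewall itself must bind to one of the extra addresses, that address goes on lo or a dummy interface as Tom suggests, and the files above stay unchanged.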