Folks,

I haven't done anything with shorewall so far, and am asking how to get started. I want to try shorewall as the firewall on my home network, which is fairly simple:

    internet------ adsl ---- adsl router----firewall----internal net

The adsl router is a zyxel prestige 610H; the firewall is a Linux box running Fedora 11, with exim, apache, imap, dhcp server. The internal network uses a dns server running on the firewall but that server doesn't provide anything to the internet. The apache daemon serves a couple of external websites.

There are two (more) complicating factors:

1. the adsl router is currently set up using a single NATed IP, but it has a block of 8 allocated and I'd like to use the others. One reason I haven't is issues about firewalling. The other uses: as a vpn host, possibly a mailman IP - that sort of thing.

2. the other factor is that my network is VPN linked to my parents' network (constructed similarly), currently using an openvpn routed interface that I also want to firewall protect (so a break-in on one side doesn't automatically mean both sides). I'd like the firewall on each side to be very similarly set up (if not identical) so as to reduce the admin. It is important that only traffic destined for the far internal network traverses the vpn - plain net access happens as normal.

So the whole network is:

    internet------ adsl ---- adsl router----firewall----internal net
                                               |
                                              vpn
                                               |
    internet------ adsl ---- adsl router----firewall----internal net

Given I'm a shorewall newbie, where should I start?

Thanks
Ruth

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now.
http://p.sf.net/sfu/bobj-july
On Fri, Aug 07, 2009 at 11:03:33PM +0100, Ruth Ivimey-Cook wrote:
> Folks,
>
> I haven't done anything with shorewall so far, and am asking how to get
> started. I want to try shorewall as the firewall on my home network,
> which is fairly simple:
>
> internet------ adsl ---- adsl router----firewall----internal net
>

Start here: http://www.shorewall.net/GettingStarted.html

The "Two-interface" article is the best place to start. Do that first and get it working. Then, add things on one at a time. Make sure to test after each update/configuration change you make. That way, you will be able to tell that everything is working properly and if something doesn't work, you know which step introduced the problem.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
On 08/07/2009 03:25 PM, Roberto C. Sánchez wrote:
> On Fri, Aug 07, 2009 at 11:03:33PM +0100, Ruth Ivimey-Cook wrote:
>> Folks,
>>
>> I haven't done anything with shorewall so far, and am asking how to get
>> started. I want to try shorewall as the firewall on my home network,
>> which is fairly simple:
>>
>> internet------ adsl ---- adsl router----firewall----internal net
>>
> Start here: http://www.shorewall.net/GettingStarted.html
>
> The "Two-interface" article is the best place to start. Do that first
> and get it working. Then, add things on one at a time. Make sure to
> test after each update/configuration change you make. That way, you
> will be able to tell that everything is working properly and if
> something doesn't work, you know which step introduced the problem.

After you get the basic two-interface configuration working, add the OpenVPN part (http://www.shorewall.net/OPENVPN.html).

For advice and examples on utilizing multiple public IP addresses, go to http://www.shorewall.net/shorewall_setup_guide.htm

And as Roberto says -- do these one at a time and be sure that everything is working before advancing to the next step.

Good luck,
-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
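The two-interface setup extended with a third zone for the routed OpenVPN link, written as an added example for the network Ruth describes. It is not code from the thread or from the Shorewall project; the interface names (eth0 towards the ADSL router, eth1 for the LAN, tun0 for OpenVPN), the subnets (192.168.1.0/24 locally, 192.168.2.0/24 at the far end), the OpenVPN port (UDP 1194), the choice to expose IMAP to the LAN only, and the masquerading of the LAN behind eth0 are all assumptions. The script writes the files into a directory given as a parameter so they can be reviewed (and checked) before anything is copied into /etc/shorewall; the `check_shorewall_config` function is a local sanity check, not a Shorewall command.

```shell
#!/bin/sh
# Added example, not from the thread or the Shorewall project: a three-zone
# (net/loc/vpn) Shorewall 4.x configuration for the setup in the question.
# Assumptions: eth0 = ADSL router side, eth1 = LAN 192.168.1.0/24,
# tun0 = routed OpenVPN, far LAN = 192.168.2.0/24, OpenVPN on UDP 1194,
# IMAP reachable from the LAN only, LAN masqueraded behind eth0.

write_shorewall_config() {
    dir=$1
    mkdir -p "$dir"

    # zones: the firewall itself plus one zone per trust level
    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE    OPTIONS
fw      firewall
net     ipv4
loc     ipv4
vpn     ipv4
EOF

    # interfaces: one interface per zone; 'dhcp' lets the firewall's own
    # DHCP server answer LAN broadcasts
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        detect      tcpflags,nosmurfs,dhcp
vpn     tun0        detect
EOF

    # policy: default deny between zones. The far LAN gets no blanket
    # access to ours, so a break-in there does not carry across the tunnel.
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
$FW     all     ACCEPT
loc     net     ACCEPT
loc     vpn     ACCEPT
vpn     loc     DROP    info
net     all     DROP    info
all     all     REJECT  info
EOF

    # rules: only the services the firewall host actually offers
    cat > "$dir/rules" <<'EOF'
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
# exim and the externally visible apache sites
ACCEPT  net     $FW     tcp     25
ACCEPT  net     $FW     tcp     80,443
# OpenVPN endpoint (assumed UDP 1194) and echo-request
ACCEPT  net     $FW     udp     1194
ACCEPT  net     $FW     icmp    8
# LAN-only services: DNS, IMAP (plain and TLS), SSH
ACCEPT  loc     $FW     tcp     53,143,993,22
ACCEPT  loc     $FW     udp     53
# what the far side may reach here: echo-request only; extend deliberately
ACCEPT  vpn     loc     icmp    8
ACCEPT  vpn     $FW     icmp    8
EOF

    # masq: NAT the LAN behind eth0 unless the ADSL router has a route to it
    cat > "$dir/masq" <<'EOF'
#INTERFACE  SOURCE
eth0        192.168.1.0/24
EOF
}

# Local sanity check on a generated directory: the files exist, every zone
# used is declared and bound to an interface, and the far LAN is not granted
# blanket access into ours.
check_shorewall_config() {
    dir=$1
    for f in zones interfaces policy rules masq; do
        [ -f "$dir/$f" ] || return 1
    done
    for z in net loc vpn; do
        grep -q "^$z[[:space:]]" "$dir/zones" || return 1
        grep -q "^$z[[:space:]]" "$dir/interfaces" || return 1
    done
    grep -q '^vpn[[:space:]]*loc[[:space:]]*DROP' "$dir/policy" || return 1
    return 0
}

# Usage: sh thisfile.sh --demo  (writes into a scratch directory)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_shorewall_config "$tmp"
    check_shorewall_config "$tmp" && echo "config written to $tmp"
fi
```

After copying the files into /etc/shorewall (and keeping the packaged shorewall.conf, with STARTUP_ENABLED set to Yes), `shorewall check` compiles the configuration without loading it, and `shorewall try <dir>` loads it with an automatic fall-back if the new ruleset locks you out. The requirement that only far-LAN traffic goes through the tunnel is a routing matter, not a firewall one: it is met by having OpenVPN push or configure a `route` for the far subnet only, without redirecting the default gateway, so the policy above never sees the far side's internet traffic.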
Tom Eastep wrote:
> On 08/07/2009 03:25 PM, Roberto C. Sánchez wrote:
>> On Fri, Aug 07, 2009 at 11:03:33PM +0100, Ruth Ivimey-Cook wrote:
>>> Folks,
>>>
>>> I haven't done anything with shorewall so far, and am asking how to get
>>> started. I want to try shorewall as the firewall on my home network,
>>> which is fairly simple:
>>>
>>> internet------ adsl ---- adsl router----firewall----internal net
>>>
>> Start here: http://www.shorewall.net/GettingStarted.html
>>
>> The "Two-interface" article is the best place to start. Do that first
>> and get it working. Then, add things on one at a time. Make sure to
>> test after each update/configuration change you make. That way, you
>> will be able to tell that everything is working properly and if
>> something doesn't work, you know which step introduced the problem.
>
> After you get the basic two-interface configuration working, add the
> OpenVPN part (http://www.shorewall.net/OPENVPN.html).
>
> For advice and examples on utilizing multiple public IP addresses, then
> go to http://www.shorewall.net/shorewall_setup_guide.htm
>
> And as Roberto says -- do these one at a time and be sure that
> everything is working before advancing to the next step.

On a sidenote, I would also suggest using a version control system, e.g. Git or Mercurial, to keep track of what 'works' and what not, and to be able to step back to (a) working version(s) of the config files if something breaks. It also makes it easy to take the complete configuration from one host to another.

Theo
Theo van Werkhoven wrote:
>
> On a sidenote, I would also suggest using a versioning control system, e.g.
> Git or Mercurial to keep track of what 'works' and what not, and to be able
> to step back to (a) working version(s) of the config files if someting breaks.
> It also makes it easy to take the complete configuration from one host to
> another.
>

Reading this, I thought "What an excellent suggestion -- I think I'll do that". So I proceeded to execute the following series of commands:

    cd /etc/shorewall
    git init
    rm *

Damn! I had intended to type:

    rm *~

so as not to add backup files to my shiny new Git repository. Luckily, I had recently completed a web page that detailed my setup (http://www.shorewall.net/4.4/MyNetwork.html) and I had a backup that was only a month old, so 20 minutes of copy/paste restored my configuration :-). Then:

    git add *
    git commit

Ah.....

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
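Theo's suggestion and Tom's mishap together, as an added example that is not from the thread: put a firewall configuration directory under git without ever running `rm` in it. Editor backup files (`*~`) and package-manager leftovers are kept out of history by a `.gitignore` rather than by deleting them, and a single file can be rolled back to the last committed version when an edit breaks the firewall. The function names (`track_config_dir`, `tracked_count`, `is_ignored`, `restore_file`), the committer identity and the ignore patterns are my choices; the only assumption about the environment is that git is installed. The directory is a parameter so the workflow can be tried on a copy before it is used on /etc/shorewall.

```shell
#!/bin/sh
# Added example (not from the thread): version a config directory with git,
# excluding backup files via .gitignore instead of deleting them by hand.
# Assumes git is installed. Function and pattern names are this example's own.

track_config_dir() {
    dir=$1
    [ -d "$dir" ] || return 1
    # Editor backups and rpm leftovers never enter history; they stay on
    # disk, so there is no 'rm' step that can go wrong.
    printf '%s\n' '*~' '*.bak' '*.rpmsave' '*.rpmnew' > "$dir/.gitignore"
    ( cd "$dir" &&
      { [ -d .git ] || git -c init.defaultBranch=main init -q; } &&
      git add -A &&
      git -c user.name=shorewall-admin -c user.email=admin@localhost \
          commit -q -m "shorewall config: initial import" ) || return 1
}

# Number of files actually tracked, so the caller can confirm nothing was lost
tracked_count() {
    ( cd "$1" && git ls-files | wc -l | tr -d ' ' )
}

# True when the named path is covered by .gitignore (it can never be committed)
is_ignored() {
    ( cd "$1" && git check-ignore -q "$2" )
}

# Roll one file back to its last committed state after a broken edit
restore_file() {
    ( cd "$1" && git checkout -- "$2" )
}

# Usage: sh thisfile.sh --demo  (runs the workflow on a scratch copy)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    printf 'net eth0\n' > "$tmp/interfaces"
    printf 'stale\n' > "$tmp/interfaces~"        # constructed backup file
    track_config_dir "$tmp" && echo "tracked $(tracked_count "$tmp") files in $tmp"
fi
```

With the repository in place, the edit cycle becomes: change a file, run `shorewall check`, commit if it passes, and `restore_file /etc/shorewall rules` (or `git checkout -- rules`) if it does not. Cloning the repository onto the second firewall gives the near-identical setup Ruth wants on both ends, with the per-host differences (interface names, subnets) visible as a small diff between branches.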