On 04/15/2011 10:39 AM, mikecoan wrote:
> Hello list,
>
> I am in the process of switching from IPCOP to Shorewall as the firewall
> for our small office. I very much like the fact that Shorewall runs on
> top of the same OS (openSuSE 11.4) that I run on the server and my desktop.
>
> Our setup is fairly straightforward. We have 8 static ip addresses from
> our ISP, which provides a cable modem and a Cisco 800 series router.
> The ip addresses are routed through x.x.x.64 with a netmask of
> 255.255.255.248. The inside address of the router is x.x.x.65 and the
> external ip of the firewall is x.x.x.66.
>
> eth0 is to the net, eth1 to the internal lan, eth2 to the DMZ
>
> There is an internal lan of 192.168.1.0/24. The DMZ is
> 192.168.2.0/24. There is a virtual machine on the DMZ that serves as
> the email and web server (DMZ 1). IPCOP routes requests to x.x.x.66 to
> that machine for the web, imap, smtp, etc. ports. I have created two
> other virtual machines. One to be an email server (DMZ 2), the other to
> be a web server (DMZ 3). Both these virtual machines have addresses in
> the 192.168.2.0/24 subnet, and I use IPCOP to route requests to the
> x.x.x.67 and x.x.x.68 address to the appropriate machine. These are set
> up for testing purposes.
>
> I read the excellent shorewall documentation. One of the examples fits
> our situation pretty closely. I was unfamiliar with proxyarp. It seems
> that I could give the two virtual machines DMZ 2 and DMZ 3 the
> x.x.x.67 and 68 addresses and then put the appropriate entry in the
> proxyarp file.
>
> x.x.x.67 eth2 eth0 No
> x.x.x.68 eth2 eth0 No
>
> I would leave DMZ 1 with a private address in the 192.168.2.0/24 subnet.
>
> Two questions.
> One. For DMZ 1 should I NAT that address with x.x.x.66, the firewalls
> external address, and use an ACCEPT rule in /etc/shorewall/rules, or
> should I skip NAT and just use a DNAT rule such as
>
> DNAT net dmz:192.168.2.x tcp www,https,imaps,smtp,465,587
>
> If I just use DNAT I suppose I need to use SNAT for the DMZ. I know I
> have to use SNAT for the internal lan.
You cannot do 1-1 NAT using the firewall's only external IP address. So
you will have to use a combination of the DNAT rule and SNAT in
/etc/shorewall/masq.
>
> Two. Any problem with putting my remaining two addresses in the
> proxyarp file even though there is no machine associated with the address.
>
> Thus I would add
>
> x.x.x.69 and x.x.x.70 to the proxyarp file.
>
I don't recommend that. The firewall will respond to ARP requests for
those addresses, then try to hairpin any connection request that
follows. If your external interface doesn't have the 'routeback' option,
those connection requests will generate confusing log messages.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
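A configuration that puts Tom's answer into practice, added here as an example (it is not part of the thread and is not taken from the Shorewall project): the DNAT rule for the privately addressed DMZ host combined with SNAT in /etc/shorewall/masq, proxy ARP entries only for the two addresses that actually have hosts behind them, and no entry for x.x.x.69/70. The column layouts are those of the Shorewall 4.4 series that shipped with openSuSE 11.4; x.x.x.* keeps the original poster's placeholders, and 192.168.2.10 for DMZ 1 is a constructed address.

```text
# /etc/shorewall/interfaces  (Shorewall 4.4 layout)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs
loc     eth1        detect      tcpflags,nosmurfs
dmz     eth2        detect      tcpflags,nosmurfs

# /etc/shorewall/masq -- SNAT for everything that keeps a private address.
# The proxy ARP hosts (x.x.x.67, x.x.x.68) carry public addresses and so
# never match these entries; only the RFC 1918 sources are rewritten.
#INTERFACE   SOURCE           ADDRESS
eth0         192.168.1.0/24   x.x.x.66
eth0         192.168.2.0/24   x.x.x.66

# /etc/shorewall/proxyarp -- only addresses that have a live host behind them.
# HAVEROUTE=No tells Shorewall to add the host routes via eth2 itself.
#ADDRESS   INTERFACE   EXTERNAL   HAVEROUTE
x.x.x.67   eth2        eth0       No
x.x.x.68   eth2        eth0       No

# /etc/shorewall/rules
#ACTION   SOURCE   DEST                PROTO   DEST PORT(S)                    SOURCE PORT(S)   ORIGINAL DEST
# DMZ 1 keeps its private address (192.168.2.10 is a constructed placeholder).
# ORIGINAL DEST pins the rule to x.x.x.66: with proxy ARP in place, traffic
# for x.x.x.67/68 also enters through eth0, and a DNAT rule with no
# ORIGINAL DEST would redirect that traffic to DMZ 1 as well.
DNAT      net      dmz:192.168.2.10    tcp     www,https,imaps,smtp,465,587    -                x.x.x.66
# DMZ 2 and DMZ 3 own their public addresses, so plain ACCEPT is enough.
ACCEPT    net      dmz:x.x.x.67        tcp     smtp,imaps,465,587
ACCEPT    net      dmz:x.x.x.68        tcp     www,https
```

Run `shorewall check` before `shorewall restart` to have Shorewall parse the files and report column errors. Leaving x.x.x.69 and x.x.x.70 out of proxyarp is deliberate: the firewall then simply does not answer ARP for them, so there is nothing to hairpin and nothing to log.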