Hi!

I have a problem which I don't know how to (or even if it's possible to) solve using Shorewall.

My connection to the Internet is done using an ADSL connection (using PPPoE) and I have a static IP.

My ISP also routes to this address a subnet (in a different address range).

I want to be able to assign the subnet IP addresses to servers in my DMZ or on my internal network (mostly for outbound traffic in that case).

My normal Internet traffic from my PCs should all appear to come from the same IP (and preferably one in my subnet, not my static IP address).

I know NATting is involved (especially for the PCs and possibly what I believe is called 1:1 NAT for the servers) but I don't know how to set it up (it's the "routed through another IP not in my subnet" that confuses me the most).

Before I had that subnet (actually before my old Shorewall-based firewall died) I had 3 subnets (internal network, DMZ and wifi) and they all used a single IP address.

Essentially what I want to do now is rebuild that firewall but I want to map some servers to my additional IP addresses. (As you can guess, back then I did a lot of port forwarding rules...)

I also have another question... Apart from LEAF, are there any other Linux distributions that bundle Shorewall (and other tools that might be useful on a firewall)? Is the only other choice to use a full distro and remove everything that's not useful/dangerous to have on a firewall? (My previous firewall was running LEAF (and before that, LRP...).)

Thank you and have a nice day!

Nick

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
Nicolas Riendeau wrote:
> My connection to the Internet is done using an ADSL connection (using PPPoE) and I have a static IP.
>
> My ISP also routes to this address a subnet (in a different address range).
>
> I want to be able to assign the subnet IP addresses to servers in my DMZ or on my internal network (mostly for outbound traffic in that case).
>
> My normal Internet traffic from my PCs should all appear to come from the same IP (and preferably one in my subnet, not my static IP address).

First off, do you NEED some of your servers on public IPs to be in your internal network instead of the DMZ? If you do, can these be dual homed?

Probably the easiest setup would be to have your DMZ using the public subnet, and then route between WAN and DMZ (no NAT involved). Obviously your firewall will use up one of your public addresses. For any devices you need to have present on the internal network, then dual home them - ie add a second NIC and connect that to your internal network.

When you configure NAT, you can specify which public address is used to substitute for your internal IPs. The default (IIRC) would be to use the primary IP of the interface specified, but it can (I think) be any IP on the machine.

> I also have another question... Apart from LEAF, are there any other Linux distributions that bundle Shorewall (and other tools that might be useful on a firewall)? Is the only other choice to use a full distro and remove everything that's not useful/dangerous to have on a firewall?

I use Debian for most of my machines. It's easy to install a fairly bare machine - if you make sure all the common software collections are unselected during a basic install, you get very little (even leaving out SSH!).

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
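Simon's routed-DMZ layout written out as Shorewall configuration. This is an added example, not anything posted in the thread; the addresses are constructed (203.0.113.0/29 standing in for the ISP-routed subnet, 192.168.1.0/24 for the internal network) and the interface names ppp0, eth1 and eth2 are assumptions.

```shorewall
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4

# /etc/shorewall/interfaces
# eth2 itself carries 203.0.113.1/29 (set outside Shorewall, e.g. in
# /etc/network/interfaces on Debian): that is the one public address the
# firewall "uses up". The ISP routes 203.0.113.0/29 to the PPPoE static
# address, so the kernel's connected route on eth2 delivers the rest of
# the block to the DMZ hosts with no NAT at all.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp0        -
loc     eth1        detect
dmz     eth2        detect

# /etc/shorewall/policy
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
dmz       net    ACCEPT
$FW       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/masq
# Only the internal PCs are NATed. The ADDRESS column is the "which public
# address" choice Simon mentions: outbound loc traffic is SNATed to
# 203.0.113.6 (one address from the routed block), not to ppp0's own
# static IP. That address need not be configured on ppp0; return packets
# reach the firewall because the whole /29 is routed to it.
#INTERFACE   SOURCE            ADDRESS
ppp0         192.168.1.0/24    203.0.113.6

# /etc/shorewall/rules
# DMZ hosts are reached by their real public IPs from inside and outside,
# so loc clients can use the same public DNS names as everyone else.
#ACTION   SOURCE   DEST               PROTO   DEST PORT(S)
ACCEPT    net      dmz:203.0.113.2    tcp     80,443
ACCEPT    loc      dmz:203.0.113.2    tcp     80,443
```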
Hi!

On 7/1/2012 6:20 AM, Simon Hobson wrote:
> First off, do you NEED some of your servers on public IPs to be in your internal network instead of the DMZ?

Yes... Not doing it would only be a temporary solution that I would like to replace with what I described as soon as I could...

Is the problem the way the subnet traffic is routed to me or that I want to map those IPs to more than one subnet? I know we had/have servers mapped like that at work so there must be a way to do it...

(OK, the firewall we had/have at work was/is not Shorewall but I would be very surprised if it was able to do something Shorewall could not...)

> If you do, can these be dual homed?

Dual homing them as in putting two NIC cards in them and putting them on both the DMZ and internal network? Doesn't that somehow defeat the purpose of having the two subnets?

> Probably the easiest setup would be to have your DMZ using the public subnet, and then route between WAN and DMZ (no NAT involved). Obviously your firewall will use up one of your public addresses.

There would be NAT involved for all the PCs on the internal network though, right?

> For any devices you need to have present on the internal network, then dual home them - ie add a second NIC and connect that to your internal network.

OK, looks like I had correctly understood what you said above...

> When you configure NAT, you can specify which public address is used to substitute for your internal IPs. The default (IIRC) would be to use the primary IP of the interface specified, but it can (I think) be any IP on the machine.

OK...

> I use Debian for most of my machines. It's easy to install a fairly bare machine - if you make sure all the common software collections are unselected during a basic install, you get very little (even leaving out SSH!).

Thank you!

Have a nice day!
Nick
Nicolas Riendeau wrote:
>> First off, do you NEED some of your servers on public IPs to be in your internal network instead of the DMZ?
>
> Yes... Not doing it would only be a temporary solution that I would like to replace with what I described as soon as I could...
>
> Is the problem the way the subnet traffic is routed to me or that I want to map those IPs to more than one subnet? I know we had/have servers mapped like that at work so there must be a way to do it...
>
> (OK, the firewall we had/have at work was/is not Shorewall but I would be very surprised if it was able to do something Shorewall could not...)

Well it's possible they used private addressing in the DMZ (it's not an uncommon thing to do) and port-forward traffic as required. That way you can direct any public IP to any host in any subnet - but you still get all the issues relating to using NAT.

Also, at work you may well be using split-horizon DNS, or just using different names from the inside, or have the firewall set up to allow redirection of traffic from internal addresses to the external addresses handled properly (Shorewall can do this, see: http://shorewall.net/FAQ.htm#DNS-DNAT).

>> If you do, can these be dual homed?
>
> Dual homing them as in putting two NIC cards in them and putting them on both the DMZ and internal network? Doesn't that somehow defeat the purpose of having the two subnets?

In part - yes it defeats the security issue in that if someone gains access to one of the dual homed servers then they also get access to your internal network. But that only applies to the dual homed ones. But it's a fact of life that security and operational requirements sometimes conflict. In extreme, you could argue that the only way to be completely secure would be to unplug all the network cables from all the devices - though that would somewhat interfere with operational needs!
With so much that relies on broadcasts to find things, it can sometimes be a pain (though seldom too difficult) to get things working.

>> Probably the easiest setup would be to have your DMZ using the public subnet, and then route between WAN and DMZ (no NAT involved). Obviously your firewall will use up one of your public addresses.
>
> There would be NAT involved for all the PCs on the internal network though, right?

Yes, just not for the DMZ.

--
Simon Hobson
Hi!

Sorry for the delayed reply...

Simon Hobson wrote:
> Well it's possible they used private addressing in the DMZ (it's not an uncommon thing to do) and port-forward traffic as required. That

Yep, the configuration I am most familiar with (I know it changed somewhat recently and I don't have all the details) used private addressing.

(It still does actually, of that I am sure...)

> way you can direct any public IP to any host in any subnet - but you still get all the issues relating to using NAT.

Is that doable with Shorewall in my situation (the subnet traffic is sent to an IP which is not in that subnet and I am using PPPoE)?

> Also, at work you may well be using split-horizon DNS, or just using

They were not (and as far as I know still are not) using split-horizon DNS. I was for many years their sole DNS administrator and while I would have loved to set that up they didn't want to get into that at the time...

> different names from the inside, or have the firewall set up to allow redirection of traffic from internal addresses to the external addresses handled properly (Shorewall can do this, see: http://shorewall.net/FAQ.htm#DNS-DNAT)

I could live with having different names or setting up a split-horizon DNS...

>>> If you do, can these be dual homed?
>>
>> Dual homing them as in putting two NIC cards in them and putting them on both the DMZ and internal network? Doesn't that somehow defeat the purpose of having the two subnets?
>
> In part - yes it defeats the security issue in that if someone gains access to one of the dual homed servers then they also get access to your internal network. But that only applies to the dual homed ones.

I'm somewhat careful in what I let access my internal network...
Back when my previous Shorewall-based firewall was still working I had modified its config to add another interface for wireless, and it had no access to my internal network; the only thing you could do was access the Internet (I'm not sure if I had added DMZ access).

> But it's a fact of life that security and operational requirements sometimes conflict. In extreme, you could argue that the only way to be completely secure would be to unplug all the network cables from all the devices - though that would somewhat interfere with operational needs!

LOL...

Thank you!

Nick
On 7/7/12 10:05 AM, "Nicolas Riendeau" <knight@teksavvy.com> wrote:
> Hi!
>
> Sorry for the delayed reply...
>
> Simon Hobson wrote:
>> Well it's possible they used private addressing in the DMZ (it's not an uncommon thing to do) and port-forward traffic as required. That
>
> Yep, the configuration I am most familiar with (I know it changed somewhat recently and I don't have all the details) used private addressing.
>
> (It still does actually, of that I am sure...)
>
>> way you can direct any public IP to any host in any subnet - but you still get all the issues relating to using NAT.
>
> Is that doable with Shorewall in my situation (the subnet traffic is sent to an IP which is not in that subnet and I am using PPPoE)?

Of course; and you don't even have to add the subnet addresses on your firewall.

-Tom
You do not need a parachute to skydive. You only need a parachute to skydive twice.
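Tom's answer worked out as an added example (not code from the thread): both the DMZ and the internal network keep private addressing, the routed public addresses are mapped onto individual hosts with Shorewall's 1:1 NAT, and nothing is aliased onto ppp0. The zones net/loc/dmz on ppp0/eth1/eth2 and all addresses (203.0.113.0/29 for the ISP-routed block, 10.0.0.0/24 for the DMZ, 192.168.1.0/24 for the internal network) are constructed assumptions.

```shorewall
# /etc/shorewall/shorewall.conf (only the settings that matter here)
# Packets for 203.0.113.0/29 already arrive on ppp0 because the ISP routes
# the block to the PPPoE static address, so the firewall never needs those
# addresses configured locally (and a ppp interface cannot carry aliases).
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No

# /etc/shorewall/nat  (1:1 NAT)
# Each line DNATs inbound traffic for EXTERNAL to INTERNAL and SNATs that
# host's outbound traffic back to EXTERNAL, so one public address serves
# both directions. The second entry is the "server on the internal
# network" case, with no second NIC involved.
#EXTERNAL       INTERFACE   INTERNAL         ALL INTERFACES   LOCAL
203.0.113.2     ppp0        10.0.0.10        No               No
203.0.113.3     ppp0        192.168.1.10     No               No

# /etc/shorewall/masq
# Everything not listed in nat shares one public address from the block.
#INTERFACE   SOURCE            ADDRESS
ppp0         192.168.1.0/24    203.0.113.6
ppp0         10.0.0.0/24       203.0.113.6

# /etc/shorewall/rules
# Filtering runs after the DNAT, so rules name the INTERNAL (private)
# address of each mapped host, not its public one.
#ACTION   SOURCE   DEST                PROTO   DEST PORT(S)
ACCEPT    net      dmz:10.0.0.10       tcp     80,443
ACCEPT    net      loc:192.168.1.10    tcp     22
```

The net→loc rule admits Internet traffic straight into the internal network, so that host carries the same exposure Simon described for a dual-homed one. Clients on loc that contact 203.0.113.3 by its public name hit the case covered by the FAQ entry Simon linked (http://shorewall.net/FAQ.htm#DNS-DNAT); different internal names or split-horizon DNS sidestep it.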