I have been a long time Shorewall user. My company has grown and it was time to decommission many of the old servers and network devices.

I was contemplating ditching Shorewall in my new network configuration. I originally bought a new Cisco all-in-one VPN/Firewall/Wireless AP product in order to consolidate many existing devices. I soon learned how undesirable that device was. The Internet forums are filled with user complaints and documented bugs with no workarounds. So this brand new device is being repurposed as a paperweight and I am turning back to my trusty Shorewall.

My old Shorewall installation was actually a virtualized machine with three interfaces. I actually had the Shorewall firewall in the DMZ of my ISP's DSL modem.

My initial plan for the new Shorewall installation was to have four interfaces:

eth0 would be the WAN interface. I have since configured the DSL modem as a transparent bridge. My new firewall box is handling the authentication with my DSL provider via the pppoeconf package. This configuration was set up outside of Shorewall. Eventually it will be assigned as a zone in Shorewall.

eth1 is planned to serve the network management devices (e.g. switches, routers, etc.) on the network. I had planned to use the 192.168.110.0/24 subnet for these devices.

eth2 is planned to serve the local client devices on the network. I had planned to use the 192.168.130.0/24 subnet for these devices.

eth3 is planned to serve as the DMZ with publicly available servers on the network. I had planned to use the 192.168.120.0/24 subnet for these devices.

Currently, the new Shorewall machine has four physical NICs installed. I am beginning to think I can get away with just two NICs.

I also recently purchased a really good Cisco managed switch and planned to implement VLANs within the network.

I am thinking that if I have two physical NICs within the Shorewall machine, I can use eth0 as the WAN interface as already configured, but assign various VLAN interfaces using the raw eth1 interface.

I realize this really isn't Shorewall specific since each VLAN interface would be entered as a zone and rules configured appropriately. But I would appreciate some validation of my planned approach.

Has anyone done something similar? Is my thinking with VLANs correct? I don't have much experience with VLANs yet. Is there documentation using Shorewall in a similar setup?
On 21/04/2013 02:26, Tom Jensen wrote:
> [cut]

Hi Tom,

I have done similar, including occasionally building firewalls/routers with only a single physical interface but many VLANs. The setup works great. If you have VLAN-aware managed switches then using VLANs definitely cuts down on the mess of cables and switches in your wiring closet / server room. As long as you are religious about keeping the VLANs apart (e.g. don't bridge them somehow, by mistake or otherwise) the setup will be just as secure as not using VLANs at all.

My current Shorewall box is a re-purposed Watchguard Firebox running Debian, although I'm only using 3 interfaces: one for PPPoE, one for the VLAN trunk to my switch, and another for my AP (long story).

HTH,
Chris

--
Chris Boot
bootc@bootc.net
On 04/21/2013 11:26 AM, Tom Jensen wrote:
> ...
> I realize this really isn't Shorewall specific since each VLAN interface
> would be entered as a zone and rules configured appropriately. But I
> would appreciate some validation with my planned approach.
>
> Has anyone done something similar? Is my thinking with VLANs correct?
> I don't have much experience with VLANs yet. Is there documentation
> using Shorewall in a similar setup?

Hi Tom,

I do something very similar with my main client at present. In fact, we're working on putting everything in VLANs (not just internal stuff) and running the server with bonded interfaces, so that the staff at our remote offices don't have to care which server NIC is which. They can just plug into any (or all) of the interfaces and it will work.

I typically set up something like this:

- VLAN 1: management - contains switch, wifi AP, and sometimes ESXi server management IPs
- VLAN 10: staff - PCs, printers, staff laptops via wifi, sometimes file servers
- VLAN 20: public - PCs, sometimes printers, guest wifi devices
- VLAN 30: ADSL modem - PPPoE runs on this interface.

In the bonded scenario I described, we would put all of the ethX interfaces into bond0 (in ALB or TLB mode, so that there's no need for LACP on the switch), then use the bond0.VLAN interfaces as the shorewall zones (except the management VLAN, which is just bond0, and ppp0, which will be your DSL interface for the net zone).

To do this, you need to make sure the server NICs are plugged into trunk ports on the Cisco switch. Switch setup for the above would be something like this:

    vlan 1
     name mgt
    vlan 10
     name staff
    vlan 20
     name public
    vlan 30
     name adsl
    interface GigabitEthernet1/0/1
     switchport trunk encapsulation dot1q
     switchport mode trunk
     switchport trunk native vlan 1
     switchport trunk allowed vlan 10,20,30
    interface GigabitEthernet1/0/2
     switchport trunk encapsulation dot1q
     switchport mode trunk
     switchport trunk native vlan 1
     switchport trunk allowed vlan 10,20,30
    ... (repeat for as many server NICs as you want)

Regards,
Paul
On Sat, Apr 20, 2013 at 6:26 PM, Tom Jensen <tom.jensen@digitaltoolbox-inc.com> wrote:
> [cut]

I too am using VLANs quite extensively, 21 at one site, 19 at another. They simplify physical switch configuration and wiring immensely and provide excellent security for traffic on the same switch.

In my scenario I have shorewall at both locations acting as firewall between all the VLANs; my switches do not route VLANs, but I don't have heavy traffic utilization so this is not needed. While my servers have 2 NICs, I typically only use one.

ISPs' devices are on a VLAN with only my shorewall machine so only shorewall can route traffic in/out of each ISP. Each ISP gets a VLAN. I also have multiple ISPs at each location (2 at one location, 3 at another, with 4 accounts on one ISP).

If you are starting from scratch, I'd recommend steering away from the default VLAN, which is typically 1 for network devices -- at least if you are security conscious. I wasn't aware of this coming in. This means if I don't configure a port specifically, it's on VLAN 1, which of course is where all the network equipment resides.

--
lee brown
On 04/21/2013 4:46 am, Chris Boot wrote:
> On 21/04/2013 02:26, Tom Jensen wrote:
>> [cut]
>
> [cut]

Thanks to everyone who has responded. The responses confirmed that I was headed in the right direction. Implementation has been a bit of a challenge.

Below is an excerpt from my /etc/network/interfaces file. I think I mentioned it before, but this is also my first attempt with a Debian box operating as the PPPoE client. That part seems to be working well, but feel free to recommend any suggested improvements or changes.

    # The loopback network interface
    auto lo
    iface lo inet loopback

    # The onboard network interface
    auto eth0
    iface eth0 inet dhcp

    # The WAN interface
    auto dsl-provider
    iface dsl-provider inet ppp
    pre-up /sbin/ifconfig eth0 up # line maintained by pppoeconf
    provider dsl-provider

    # Default VLAN interface?
    auto eth1
    iface eth1 inet static
    address 192.168.120.1
    netmask 255.255.255.0

    # The Management VLAN interface
    auto eth1.110
    iface eth1.110 inet static
    address 192.168.110.1
    netmask 255.255.255.0

I've read contradictory reports about the correct syntax for creating VLANs within the interfaces file. Some posts suggest adding a "vlan_raw_device eth1" line to the interface stanza. Other posts state that is the "old" way of defining VLANs.

Another complicating factor in my setup is the Cisco switch. It is a Small Business edition switch with excellent owner reviews. It is capable of running in L2 or L3 mode. I currently have it configured in L2 mode and have eth1 plugged into a port configured as a trunk port. However, on the CLI of the switch, the option to configure the switchport mode to 802.1q is not available as a valid command.

With the interfaces file defined as above and eth1.110 called out as an interface within Shorewall with appropriate rules, I cannot ping or reach any services on VLAN 110. If I simply revert the interfaces file back to using interface eth1, everything works through Shorewall. So I believe the issue is my incorrect implementation of VLANs.

Any help is appreciated.
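As an added illustration (not code from the thread or from the Shorewall project) of the two layouts discussed above, Paul's bonded trunk carrying tagged VLANs and Tom's single eth1 with tagged sub-interfaces, the following Python renders the ifupdown stanzas and the matching Shorewall zones, interfaces and policy files from a zone table, and refuses a plan in which two zones would quietly merge (reused VLAN id, overlapping subnet, two untagged zones). The zone table is constructed from Tom's subnets with every zone tagged so nothing is addressed on the default VLAN, the allowed-pair list and all function names are assumptions, and the host side uses the dotted `eth1.110` form plus `vlan-raw-device`, which the vlan package's ifupdown hook understands.

```python
"""Render /etc/network/interfaces and Shorewall zone files for a VLAN-per-zone
firewall.  Added example; zone table, ALLOW list and helper names are assumptions."""
import ipaddress
from collections import namedtuple

Zone = namedtuple("Zone", "name vid subnet")

# Constructed from Tom's plan: management 110, DMZ 120, clients 130, all tagged.
PLAN = [
    Zone("mgmt", 110, "192.168.110.0/24"),
    Zone("dmz", 120, "192.168.120.0/24"),
    Zone("loc", 130, "192.168.130.0/24"),
]
# Zone pairs opened by policy; everything else is rejected and logged, so the
# VLANs only meet where a rule says so.  DMZ services get explicit rules, not policy.
ALLOW = [("$FW", "all"), ("loc", "net"), ("mgmt", "$FW")]


def check_plan(plan):
    """Refuse a plan in which two zones would silently become one broadcast domain."""
    vids = [z.vid for z in plan if z.vid is not None]
    if len(vids) != len(set(vids)):
        raise ValueError("VLAN id used by two zones")
    if any(not 1 <= v <= 4094 for v in vids):
        raise ValueError("802.1Q VLAN ids are 1..4094")
    if sum(z.vid is None for z in plan) > 1:
        raise ValueError("only one zone can ride the untagged/native VLAN of a trunk")
    nets = [ipaddress.ip_network(z.subnet) for z in plan]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"subnets {a} and {b} overlap")
    return True


def iface_name(zone, trunk):
    """Untagged zone lives on the trunk itself, tagged ones on trunk.<vid>."""
    return trunk if zone.vid is None else f"{trunk}.{zone.vid}"


def addr_lines(zone):
    net = ipaddress.ip_network(zone.subnet)
    return [f"    address {net[1]}", f"    netmask {net.netmask}"]  # firewall takes .1


def render_interfaces(plan, trunk="eth1", bond_slaves=None):
    """ifupdown stanzas.  With bond_slaves the trunk is a bond in balance-alb
    mode (no LACP needed on the switch), the layout Paul describes."""
    check_plan(plan)
    native = [z for z in plan if z.vid is None]
    out = [f"auto {trunk}", f"iface {trunk} inet {'static' if native else 'manual'}"]
    if bond_slaves:
        out += [f"    bond-slaves {' '.join(bond_slaves)}",
                "    bond-mode balance-alb", "    bond-miimon 100"]
    if not native:
        out.append("    up ip link set dev $IFACE up")  # trunk carries tags only
    for z in native:
        out += addr_lines(z)
    for z in plan:
        if z.vid is None:
            continue
        name = iface_name(z, trunk)
        out += ["", f"auto {name}", f"iface {name} inet static", *addr_lines(z),
                f"    vlan-raw-device {trunk}"]
    return "\n".join(out) + "\n"


def render_shorewall(plan, trunk="eth1", wan="ppp0", allow=ALLOW):
    """Bodies of /etc/shorewall/zones, interfaces and policy as a dict."""
    check_plan(plan)
    known = {z.name for z in plan} | {"net", "$FW", "all"}
    for s, d in allow:
        if s not in known or d not in known:
            raise ValueError(f"policy pair {s}->{d} names an unknown zone")
    zones = ["#ZONE\tTYPE", "fw\tfirewall", "net\tipv4"] + [f"{z.name}\tipv4" for z in plan]
    ifaces = ["#ZONE\tINTERFACE\tBROADCAST\tOPTIONS", f"net\t{wan}\t-\ttcpflags,nosmurfs"]
    ifaces += [f"{z.name}\t{iface_name(z, trunk)}\tdetect\ttcpflags,routefilter" for z in plan]
    policy = ["#SOURCE\tDEST\tPOLICY\tLOG"] + [f"{s}\t{d}\tACCEPT" for s, d in allow]
    policy += ["net\tall\tDROP\tinfo", "all\tall\tREJECT\tinfo"]  # zones stay apart
    return {"zones": "\n".join(zones) + "\n",
            "interfaces": "\n".join(ifaces) + "\n",
            "policy": "\n".join(policy) + "\n"}


if __name__ == "__main__":
    print(render_interfaces(PLAN))
    print(render_interfaces(PLAN, trunk="bond0", bond_slaves=["eth0", "eth1"]))
    for name, body in render_shorewall(PLAN).items():
        print(f"# /etc/shorewall/{name}\n{body}")
```

Run it with the trunk set to `bond0` and a slave list to get Paul's bonded variant; with the default `eth1` it produces Tom's layout. The policy file ends with `all all REJECT info`, which is what keeps the VLANs apart in the sense Chris describes: a VLAN the switch carries but no rule opens is still a dead end at the firewall.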
I had it all configured the way I thought it had to be and it was still not working. I was configuring my new Cisco switch with the web management interface. When I finally connected on the serial port, I realized I hadn't allowed the VLANs across the trunk ports. It was a stupid oversight on my part, but as soon as I did that, everything started working.

I ultimately decided to leave my Cisco switch running in L2 mode. Someday, I may decide to configure it to run in L3. In the mean time, I was able to rip out several unnecessary switches and patch cables now that everything is on a managed switch and using VLANs.

Thanks for the input.

Tom

On 04/21/2013 5:17 am, Paul Gear wrote:
> On 04/21/2013 11:26 AM, Tom Jensen wrote:
>> [cut]
>
> [cut]

--
Tom Jensen | President
Digital Toolbox
Phone | Direct 651-503-3559
Email | tom.jensen@digitaltoolbox-inc.com
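The cause Tom found, sub-interfaces on the firewall whose VLAN ids the trunk port does not carry, can be checked from the two config excerpts before anyone reaches for a serial cable. The following Python, added here and not part of the thread, parses an IOS-style switch stanza of the kind Paul posted and a Debian interfaces excerpt of the kind Tom posted, then reports tagged interfaces on the firewall NIC that the trunk will not pass, tagged interfaces that collide with the native VLAN, and an addressed untagged interface riding native VLAN 1 (the default-VLAN exposure Lee describes). Both sample configs are constructed to reproduce the failure (VLAN 110 missing from the allowed list); the function names are hypothetical and the parser covers only the switchport commands shown.

```python
"""Cross-check firewall VLAN sub-interfaces against the switch trunk they plug into.
Added example; sample configs are constructed, helper names are assumptions."""
import re

ALL_VLANS = set(range(1, 4095))

# Constructed: Paul-style trunk stanza with VLAN 110 left out of the allowed list.
SWITCH_CONFIG = """\
vlan 110
 name mgmt
vlan 120
 name dmz
vlan 130
 name loc
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 120,130
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 130
"""

# Constructed: Tom-style interfaces excerpt (untagged eth1 plus two tagged VLANs).
INTERFACES = """\
auto eth1
iface eth1 inet static
    address 192.168.120.1
    netmask 255.255.255.0

auto eth1.110
iface eth1.110 inet static
    address 192.168.110.1
    netmask 255.255.255.0

auto eth1.130
iface eth1.130 inet static
    address 192.168.130.1
    netmask 255.255.255.0
    vlan-raw-device eth1
"""


def expand_vlan_list(spec):
    """'10,20,100-102' -> {10, 20, 100, 101, 102}; 'all' and 'none' as IOS means them."""
    spec = spec.strip().lower()
    if spec == "all":
        return set(ALL_VLANS)
    if spec == "none":
        return set()
    ids = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def parse_switch_ports(text):
    """Map each 'interface X' stanza to its switchport settings, IOS defaults filled in
    (access mode, native VLAN 1, all VLANs allowed on a trunk)."""
    ports, cur = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():          # top-level stanza starts here
            m = re.match(r"interface (\S+)", line)
            cur = None
            if m:
                cur = {"mode": "access", "native": 1, "allowed": set(ALL_VLANS), "access": 1}
                ports[m.group(1)] = cur
            continue
        if cur is None:
            continue
        s = line.strip()
        if m := re.match(r"switchport mode (\w+)", s):
            cur["mode"] = m.group(1)
        elif m := re.match(r"switchport trunk native vlan (\d+)", s):
            cur["native"] = int(m.group(1))
        elif m := re.match(r"switchport trunk allowed vlan (add |remove )?(.+)", s):
            ids, op = expand_vlan_list(m.group(2)), (m.group(1) or "").strip()
            cur["allowed"] = (cur["allowed"] | ids if op == "add"
                              else cur["allowed"] - ids if op == "remove" else ids)
        elif m := re.match(r"switchport access vlan (\d+)", s):
            cur["access"] = int(m.group(1))
    return ports


def parse_host_vlans(text):
    """Map ifupdown interface name -> {'raw': parent NIC, 'vid': tag or None, 'address'}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"iface (\S+) inet", s):
            name, raw, vid = m.group(1), m.group(1), None
            if m2 := re.fullmatch(r"(.+)\.(\d+)", name):    # eth1.110 style
                raw, vid = m2.group(1), int(m2.group(2))
            elif m2 := re.fullmatch(r"vlan(\d+)", name):     # vlan110 style, raw set below
                raw, vid = None, int(m2.group(1))
            cur = ifaces[name] = {"raw": raw, "vid": vid, "address": None}
        elif cur and (m := re.match(r"vlan[-_]raw[-_]device (\S+)", s)):
            cur["raw"] = m.group(1)
        elif cur and (m := re.match(r"address (\S+)", s)):
            cur["address"] = m.group(1)
    return ifaces


def audit_trunk(host_ifaces, raw, port):
    """Findings for firewall NIC `raw` cabled to switch port `port`; empty list means consistent."""
    findings = []
    if port["mode"] != "trunk":
        return [f"{raw}: switch port is in {port['mode']} mode, tagged frames will not pass"]
    for name, i in host_ifaces.items():
        if i["raw"] != raw:
            continue
        if i["vid"] is None:
            if i["address"] and port["native"] == 1:
                findings.append(f"{name}: addressed untagged interface rides native VLAN 1, "
                                "the VLAN every unconfigured switch port lands on")
        elif i["vid"] not in port["allowed"]:
            findings.append(f"{name}: VLAN {i['vid']} is missing from 'switchport trunk allowed vlan'")
        elif i["vid"] == port["native"]:
            findings.append(f"{name}: VLAN {i['vid']} is the trunk's native VLAN and arrives untagged")
    return findings


if __name__ == "__main__":
    ports = parse_switch_ports(SWITCH_CONFIG)
    for f in audit_trunk(parse_host_vlans(INTERFACES), "eth1", ports["GigabitEthernet1/0/1"]):
        print(f)
```

On the constructed input the audit reports exactly the two things worth fixing: eth1.110 is not in the trunk's allowed list (the symptom Tom hit, no reachability on VLAN 110 while everything else works), and the addressed untagged eth1 sits on native VLAN 1. Adding 110 to the allowed list clears the first finding; moving the address off the untagged interface, or changing the native VLAN to an unused id, clears the second.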