Craig Johnson wrote:

Thanks for the quick reply! Some more stuff below...

> * what is the best way/distro to setup a LEAF box as this kind of border
> router? (I noticed references to border_router options on the Dachstein
> network.conf documentation page, but haven't been able to find any
> substantial documentation about setting one up.)


You can use Dachstein (2.2 kernel & ipchains) or Bering (2.4 kernel and iptables) to do this. Bering with iptables gets you a stateful firewall, while Dachstein/ipchains is just a packet filtering firewall.

If you use Dachstein, you can use either the border_router options (not a lot of documentation as that's something inherited from Matthew Grant's Materhorn image that I never messed with much), or a "routed" DMZ.

I have tried Dachstein, and it works, but I think that was just setting it up as a straight router, basically just forwarding everything through. Maybe it needs to be more secure than that, I dunno. Is there any documentation you can point me to about the 'border_router' option?

The only documentation I can point you to for the border_router option is the shell-script source that builds the firewall rules.


If you use Bering, the Shorewall configuration is really flexible and can easily do what you want.

I will have to have look into that some more.


> * how do I also set up the LEAF box so that it can receive VPN server
> requests on its IP address (addrISP), but forward those requests to be
> served by another firewall server connected to the internal LAN?


Why do you need to do this? The server connected to the internal LAN also has a public IP, doesn't it (addrPUBB in the diagram below)? Why make life harder by NATing only IPSec traffic from Server1, but not other traffic (tricky to setup and debug properly)?

Basically because if they VPN through the router, and the client is with the same ISP, it is 'free' bandwidth, and doesn't come off monthly quotas, or get charged as access. However, if they VPN to our public network, I'm pretty sure the ISP will think it is an external address and count traffic toward quotas (they probably shouldn't, but that is the way it is...). Does that make sense?

Hmm...I suspect the ISP will consider anything coming down the wire to you as bandwidth that counts towards any quota, but you'd know better than I.


There are several ways to do what you want, all of which will generally 'break' conventional firewall setups (i.e. no out-of-the-box solution for you...custom tweaking required). The two main options are:

1) Route internal private-IP traffic from Server1 to the firewall, and use the firewall as your IPSec gateway.

2) NAT or masquerade IPSec traffic from Server1 on the firewall.

Is there any particular reason you don't want to use the more conventional DMZ setup?:

Internet
    |
firewall - public IP DMZ subnet - Servers
    |
private IP
internal net

The firewall can then serve as a VPN gateway for your internal network, your servers are on a protected DMZ, and all your firewall rules are in one place (rather than split between the firewall and Server1), for easy maintenance.

#1 is a potential security risk, if your public IP network is running public servers (internal traffic is on the public IP network in the clear).

#2 is pretty straightforward if you completely masquerade Server1, but requires a more complex setup than a DMZ style setup (one machine masqueraded, everything else simply routed). If Server1 needs to run public services as well as IPSec, you'll have an even more complex setup, as you'll need to masquerade/NAT IPSec traffic from Server1, but pass (route) other traffic. This is possible with Linux, but it's not done often, so you'll likely have a harder time setting it up (and likely with maintenance next year, when you've forgotten how everything worked).

--
Charles Steinkuehler
[EMAIL PROTECTED]
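An added example of option #2 above, written for this thread and not taken from the LEAF or Shorewall projects: iptables rules for a Bering (2.4/iptables) box that NAT only IKE (UDP/500) and ESP (IP protocol 50) between addrISP and Server1, leaving Server1's other traffic routed untouched. The interface name and the addresses are placeholders, and AH is rejected explicitly because it cannot survive NAT.

```shell
#!/bin/sh
# Placeholders (assumptions, not values from the thread): set them for your site.
EXT_IF="${EXT_IF:-eth0}"              # interface carrying addrISP
ADDR_ISP="${ADDR_ISP:-203.0.113.10}"  # firewall's ISP-facing address (addrISP)
SERVER1="${SERVER1:-198.51.100.20}"   # Server1's address on the public subnet
IPT="${IPT:-iptables}"                # set IPT="echo iptables" to preview the rules

ipsec_nat_rules() {
    # Inbound: VPN peers talk to addrISP; hand only IKE and ESP to Server1.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$ADDR_ISP" -p udp --dport 500 \
        -j DNAT --to-destination "$SERVER1"
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$ADDR_ISP" -p esp \
        -j DNAT --to-destination "$SERVER1"

    # Outbound: Server1's IKE and ESP packets leave as addrISP, so the peer
    # sees one consistent address. Other traffic from Server1 is not matched
    # here and is simply routed with its own public address.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$SERVER1" -p udp --dport 500 \
        -j SNAT --to-source "$ADDR_ISP"
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$SERVER1" -p esp \
        -j SNAT --to-source "$ADDR_ISP"

    # AH (IP protocol 51) authenticates the IP header itself, so any NAT breaks
    # it; reject it so a misconfigured peer fails visibly instead of silently.
    $IPT -A FORWARD -d "$SERVER1" -p ah -j REJECT
    $IPT -A FORWARD -s "$SERVER1" -p ah -j REJECT

    # FORWARD: permit exactly the NATed flows in both directions.
    $IPT -A FORWARD -i "$EXT_IF" -d "$SERVER1" -p udp --dport 500 -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -d "$SERVER1" -p esp -j ACCEPT
    $IPT -A FORWARD -o "$EXT_IF" -s "$SERVER1" -p udp --dport 500 -j ACCEPT
    $IPT -A FORWARD -o "$EXT_IF" -s "$SERVER1" -p esp -j ACCEPT
}

# Apply only when explicitly asked, so sourcing the file for a preview is safe.
if [ "${1:-}" = "apply" ]; then
    ipsec_nat_rules
fi
```

Only one internal host can be mapped this way per protocol, since ESP carries no port to multiplex on; the peer's IKE configuration must name addrISP, not Server1's own address.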


