Michael D Schleif wrote:
| I have the following network on a T-1:
|
| network: 67.63.3.80 /28
| gateway: 67.63.3.81
| bering: 67.63.3.82
| broadcast: 67.63.3.95
|
| How can I set up Bering-uClibc/Shorewall to utilize all of the following
| addresses as DMZ:
|
| 67.63.3.83 - 67.63.3.94
|
| I have never set up a network like this before, and I am sure that I am
| missing something simple.
|
| What do you think?
I've got a similar network setup, except with DSL instead of a T1. I use proxy-arp to split the upstream network into two DMZs. See the shorewall docs on setting up a proxy-arp dmz firewall, and be careful with your routing.
Config file details below...some general notes on my configuration:
- I use different IP addresses for the three public interfaces (upstream and two DMZ IF's) due to running ipsec, which gets confused if multiple interfaces have the same IP. If you're not running IPSec (or if they've fixed this issue), you can give the DMZ interface(s) the same IP as your upstream NIC, and save an IP (or two, or three :).
- I create the routing rules required for proxy-arp via a script in the /etc/network/if-up.d directory. You don't need a corresponding down script, as the routes are automatically removed when the interface goes down.
- Proxy-arp is enabled by shorewall (see interfaces file).
- My shorewall proxyarp file is empty (which seems counter-intuitive, but is correct for this sort of setup).
- I have two internal subnets (wired and wireless LAN) that are masqueraded to all public interfaces (upstream port, two DMZs, and a (currently unused) secondary upstream link), as well as each other.
Interesting config file snippets:
# cat /etc/network/interfaces
# /etc/network/interfaces -- configuration file for LEAF network
# J. Nilo, April 2002
#
# Loopback interface.
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 65.16.44.210
    masklen 28
    broadcast +
    gateway 65.16.44.209

auto eth1
iface eth1 inet static
    address 10.34.1.1
    masklen 24
    broadcast +

auto eth2
iface eth2 inet static
    address 65.16.44.211
    masklen 28
    broadcast +

auto eth3
iface eth3 inet static
    address 65.16.44.216
    masklen 28
    broadcast +

auto eth4
iface eth4 inet static
    address 216.171.153.130
    masklen 26
    broadcast +

auto eth5
iface eth5 inet static
    address 192.168.0.1
    masklen 24
    broadcast +
tempest: -root- # cat /etc/network/if-up.d/routes
#!/bin/sh

# ifupdown sets MODE (start/stop) and IFACE for scripts in if-up.d
case "$MODE" in
    start) CMD=add ;;
    stop)  CMD=del ;;
esac

# On the DMZ interfaces, drop the connected /28 route ifupdown installed;
# the proxy-arp /29 routes added below replace it.
[ "$MODE" = start ] && case "$IFACE" in
    eth0) ;;
    eth1) ;;
    eth2) ip route flush dev "$IFACE" ;;
    eth3) ip route flush dev "$IFACE" ;;
    *) ;;
esac

# Host route to the upstream gateway on eth0 (more specific than the
# DMZ /29 below, which also covers .209), and one /29 per DMZ interface.
case "$IFACE" in
    eth0) ip route $CMD 65.16.44.209 dev "$IFACE" ;;
    eth1) ;;
    eth2) ip route $CMD 65.16.44.208/29 dev "$IFACE" ;;
    eth3) ip route $CMD 65.16.44.216/29 dev "$IFACE" ;;
    *) ;;
esac
tempest: -root- # cat /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter,norfc1918,proxyarp
loc     eth1        detect
csdmz   eth2        detect      proxyarp
ntdmz   eth3        detect      proxyarp
net2    eth4        detect      routefilter,norfc1918
wlan    eth5        detect
txvpn   ipsec0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

# cat /etc/shorewall/proxyarp
#ADDRESS    INTERFACE   EXTERNAL    HAVEROUTE
# NOTHING TO SEE HERE...MOVE ALONG
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

tempest: -root- # cat /etc/shorewall/masq
#INTERFACE  SUBNET  ADDRESS
eth0        eth1
eth2        eth1
eth3        eth1
eth4        eth1
eth5        eth1
eth0        eth5
eth2        eth5
eth3        eth5
eth4        eth5
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
HTH, holler with any questions...
--
Charles Steinkuehler
[EMAIL PROTECTED]
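The "be careful with your routing" warning above comes down to longest-prefix matching: the /29 proxy-arp route on eth2 also covers the upstream gateway .209, so the /32 host route the script adds on eth0 is what keeps the gateway reachable. The following Python is an added example, not code from the post or from LEAF/Shorewall: it rebuilds the route table the script leaves behind (prefixes and interface names taken from the post) and resolves addresses through it the way the kernel would, then checks the table for the two mistakes that break this kind of setup.

```python
from ipaddress import ip_address, ip_network

# Routes the post's /etc/network/interfaces and if-up.d/routes script leave in
# place (constructed from the addresses in the post): the connected /28 on eth0,
# the gateway host route added for eth0, and the two proxy-arp /29 routes.
# The connected routes on eth2/eth3 are flushed by the script, so they are absent.
ROUTES = [
    ("65.16.44.208/28", "eth0"),  # connected route from address 65.16.44.210/28
    ("65.16.44.209/32", "eth0"),  # host route to the upstream gateway
    ("65.16.44.208/29", "eth2"),  # csdmz: proxy-arp'd lower half of the /28
    ("65.16.44.216/29", "eth3"),  # ntdmz: proxy-arp'd upper half of the /28
]


def lookup(dst, routes=ROUTES):
    """Return the device the kernel would pick for dst: longest prefix wins."""
    addr = ip_address(dst)
    best_net, best_dev = None, None
    for prefix, dev in routes:
        net = ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_dev = net, dev
    return best_dev


def check_proxyarp_routes(routes, gateway, upstream_dev):
    """Sanity-check a proxy-arp split: the gateway must still resolve via the
    upstream interface, and the DMZ prefixes must not overlap each other.
    Returns a list of problem strings (empty when the table is consistent)."""
    problems = []
    via = lookup(gateway, routes)
    if via != upstream_dev:
        problems.append(f"gateway {gateway} would be routed via {via}")
    dmz = [(ip_network(p), d) for p, d in routes if d != upstream_dev]
    for i, (n1, d1) in enumerate(dmz):
        for n2, d2 in dmz[i + 1:]:
            if n1.overlaps(n2):
                problems.append(f"{n1} ({d1}) overlaps {n2} ({d2})")
    return problems


if __name__ == "__main__":
    for dst in ("65.16.44.209", "65.16.44.211", "65.16.44.218"):
        print(dst, "->", lookup(dst))
    # Drop the gateway host route to see why the script adds it.
    without_host = [r for r in ROUTES if r[0] != "65.16.44.209/32"]
    print(check_proxyarp_routes(without_host, "65.16.44.209", "eth0"))
```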
leaf-user mailing list: https://lists.sourceforge.net/lists/listinfo/leaf-user
