I'll stop being grumpy now. I was just dismayed that the docs for this are, um, more diffuse than my old LRP install.
I'd suggest that the floppy is way past its time, and now it's time to make an LRP release that assumes real storage, like a 250Meg CF card, or other solid state "disk drive". Then you can have the docs, a real editor, even a real GUI if somebody gets ambitious and codes it up.

So: my REAL problem.

My ISP (and my employer) gives me a block of 16 public IP addresses, xxx.xxx.xxx.16/28.

xxx.xxx.xxx.17 is the pipeline
xxx.xxx.xxx.18 is the WAN port on the firewall
The LAN port is 192.168.1.254, for laptops, Winders boxes, other stuff without fixed address
The DMZ port is xxx.xxx.xxx.16/28.

The current LRP/Dachstein uses Proxy Arp (not bridging, I was mistaken, the m0n0wall does bridged firewall) so that the servers on the DMZ have some ports visible to the outside world.

The shorewall docs say "use the three port example -- unless you've got multiple IPs, in which case, never mind, you'll have to read all the docs". I'm paraphrasing, obviously. This is about when I threw up my hands.

I've been looking at http://www.shorewall.net/3.0/shorewall_setup_guide.htm just now, which is apparently *it* for documentation on my situation. I find it both spends too much time on beginner stuff, like "what is an IP address", and doesn't have enough examples to make it easy for that same beginner.

Anyway, a concise set of example shorewall config files would be a big help. I'll be happy to write a web page describing it all for the documentation pages if anybody is interested.

Thanks for reading this far,
Bill Dudley

On 11/4/10, Erich Titl <erich.t...@think.ch> wrote:
> Hi Bill
>
> on 04.11.2010 20:10, wfdudley wrote:
>> So the answer to my initial query appears to be that in order to configure a
>> LEAF/Bering/Shorewall router firewall, one has to read all the man pages
>> for the 30 or so configuration files, plus have a solid understanding of the
>> particular version of ip filtering that is on that week's version of Linux.
>
> Nope, let's put it that way, you don't have this simple 2 port thingy
> but you want to have some kind of a DMZ, and you want it to be
> addressable by the few public addresses your ISP assigned to you. Now at
> least in my corner of the world this is not your typical end user set
> up. Looks a bit like mine, but that is at least part of my job.
>
>> This is obviously designed as a deterrent against having too many users. :-)
>> I want to set up a firewall, not take a semester course in networking.
>>
>> If I had more knowledge of Linux networking/ip filtering/etc. I'd take the web
>> UI from pfSense or m0n0wall and graft it on to this mess and make a REAL
>> appliance firewall. Tragically, what with the job and all, that's unlikely.
>
> You actually could but mOnOwall, which I really like the design of has a
> much bigger footprint than leaf. Shorewall is a powerful tool for small
> firewalls, as I said, for the bigger thingies I set up, I am using
> fwbuilder, which is easy to use on LEAF.
>
> I am running a number of WRAP boxes and a few NSA 1125 by Nexcom, all
> connected using IPSEC tunnels and performing really well. Sooner or
> later I will have to replace them with ALIX boxes.
>
>> I'd be USING pfSense or m0n0wall, but their FreeBSD kernel and drivers are
>> flakey with my Alix2c3, so I'm left running an ancient Eigerstein/Dachstein on
>> a P60 desktop machine. I have a network that the cheapo Linksys/Netgear
>> consumer routers won't handle, so I guess I'm stuck with my ancient LRP
>> until the hardware fails.
>
> Naaaa, you are just grumpy because you hit a small impasse. The Alix box
> is a fine little thing, and works real well, maybe if you told us about
> your real problem we might be able to help you.
>
> cheers
>
> Erich

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
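A concise set of Shorewall files for the three-port, proxy-ARP layout Bill describes above, written as an added example for this thread (not taken from the thread or from Shorewall's own sample configurations). It assumes the Shorewall 3.x column layout, eth0/eth1/eth2 as the WAN/LAN/DMZ interface names, and two made-up DMZ hosts at xxx.xxx.xxx.20 (web) and xxx.xxx.xxx.21 (mail) inside the page's xxx.xxx.xxx.16/28 placeholder block.

```text
# /etc/shorewall/zones  (Shorewall 3.x column layout, assumed)
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4

# /etc/shorewall/interfaces  (eth0=WAN .18, eth1=LAN 192.168.1.254,
# eth2=DMZ: interface names are assumed, not from the thread)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,logmartians
loc     eth1        detect      tcpflags,nosmurfs
dmz     eth2        detect

# /etc/shorewall/policy  (default deny: nothing from the Internet, and
# nothing from the DMZ toward the LAN, unless a rule below opens it)
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
dmz     net     ACCEPT
$FW     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/masq  (RFC1918 LAN leaves through the WAN address .18;
# the DMZ keeps its public addresses and is NOT masqueraded)
#INTERFACE  SOURCE
eth0        192.168.1.0/24

# /etc/shorewall/proxyarp  (one line per public host on the DMZ; .20 and
# .21 are made-up examples; EXTERNAL is where the firewall answers ARP
# for the address, HAVEROUTE=no lets Shorewall add the host route itself)
#ADDRESS          INTERFACE   EXTERNAL    HAVEROUTE
xxx.xxx.xxx.20    eth2        eth0        no
xxx.xxx.xxx.21    eth2        eth0        no

# /etc/shorewall/rules  (open only the ports each DMZ host actually
# publishes, to that one host; everything else stays under the policy)
#ACTION   SOURCE   DEST                  PROTO   DEST PORT(S)
ACCEPT    net      dmz:xxx.xxx.xxx.20    tcp     80,443
ACCEPT    net      dmz:xxx.xxx.xxx.21    tcp     25
ACCEPT    loc      dmz                   tcp     22,80,443
ACCEPT    loc      $FW                   tcp     22
```

These files only build the packet filter and the proxy-ARP entries; the addresses on the firewall's own interfaces and on the DMZ hosts are still set in LEAF's network configuration, not in Shorewall.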