On 11/4/2010 8:11 PM, wfdudley wrote:
> I'll stop being grumpy now.
>
> I was just dismayed that the docs for this are, um, more diffuse than my old
> LRP install.
>
> I'd suggest that the floppy is way past its time, and now it's time to
> make a LRP release that assumes real storage, like a 250Meg CF card, or
> other solid state "disk drive". Then you can have the docs, a real editor,
> even a real GUI if somebody gets ambitious and codes it up.
>
> So: my REAL problem.
>
> My ISP (and my employer) gives me a block of 16 public IP addresses.
> xxx.xxx.xxx.16/28
> xxx.xxx.xxx.17 is the pipeline
> xxx.xxx.xxx.18 is the WAN port on the firewall
> The LAN port is 192.168.1.254, for laptops, Winders boxes, other stuff
> without fixed address.
> The DMZ port is xxx.xxx.xxx.16/28. The current LRP/Dachstein uses Proxy Arp
> (not bridging, I was mistaken, the m0n0wall does bridged firewall) so that the
> servers on the DMZ have some ports visible to the outside world.
>
> The shorewall docs say "use the three port example -- unless you've got
> multiple IPs, in which case, never mind, you'll have to read all the docs".
> I'm paraphrasing, obviously. This is about when I threw up my hands.
This is virtually identical to my setup here (one reason you probably
find the DachStein scripts easy to use...I set them up to do pretty much
exactly what you want). While I have migrated from leaf to a minimal
debian install, I still use shorewall to create and control my firewall.
Tom has made this *MUCH* easier and more flexible than the scripts I
crafted back in the *Stein days.
I believe part of your problem is you are trying to make things harder
than they really are. In my setup, I use the network setup scripts (i.e.,
/etc/network/interfaces and sub-scripts) to set up the basic routing,
tell shorewall to turn on the proxy-arp flag, and that's about it. The
low-level network setup is identical to what you have to do for
DachStein, you're just switching to the Shorewall scripts to craft the
ipchains/iptables rules.
To provide some concrete examples:
Use /etc/network/interfaces to bring up two ports with identical IP
address and network configuration, then use the routing tables to
control which IP addresses appear on which interfaces:
# Upstream link
auto eth0
iface eth0 inet static
    address 70.184.225.178
    netmask 255.255.255.240
    gateway 70.184.225.177
    # Proxyarp: Add specific routes to hosts on this nic
    up ip route add 70.184.225.177/32 dev eth0

# DMZ
auto eth2
iface eth2 inet static
    address 70.184.225.178
    netmask 255.255.255.240
    # Proxyarp: Add specific routes to hosts on this nic
    up ip route add 70.184.225.176/29 dev eth2
    up ip route add 70.184.225.184/29 dev eth2
Note there is a single host route (the /32) to the upstream gateway, and
everything else is sent to the DMZ interface. The two 'half network'
routes (/29) on the DMZ interface are to override the /28 route which
points to both interfaces and is created by default when you bring up
the interface.
Once your routing is in place, all you have to do in shorewall is add
the proxyarp flag to the interface in the interfaces file:
<snippet /etc/shorewall/interfaces>
net eth0 detect proxyarp,tcpflags,blacklist,norfc1918
loc eth1 detect dhcp
dmz eth2 detect proxyarp
</snippet>
You can now freely create shorewall rules to allow traffic through the
firewall, i.e.:
<snippet /etc/shorewall/rules>
ACCEPT all dmz:70.184.225.183 tcp smtp,smtps,pop-3,imap2,imaps,www
</snippet>
--
Charles Steinkuehler
[email protected]
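An added example, not code from the mail or from the LEAF/Shorewall project: it models the route table the mail builds from the /28 block and upstream gateway quoted above, renders the same three "ip route add" lines, and checks by longest-prefix match that the gateway resolves to eth0 while DMZ hosts resolve to eth2 (and that, without the two /29 overrides, the duplicated /28 connected route would send DMZ hosts out the wrong interface). Interface names and the lookup rule are assumptions, not kernel code.

```python
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, str]  # (destination, outgoing interface)


def connected_routes(block: str, net_if: str, dmz_if: str) -> List[Route]:
    """Routes ifup creates on its own: both interfaces carry the same
    address/netmask, so both get an identical connected route for the /28."""
    net = ipaddress.ip_network(block, strict=False)
    return [(net, net_if), (net, dmz_if)]


def proxyarp_routes(block: str, gateway: str, net_if: str, dmz_if: str) -> List[Route]:
    """The extra 'up ip route add' routes: a /32 host route to the upstream
    gateway on the WAN side, and the block split into two halves (one bit
    longer) on the DMZ side so they beat the connected /28."""
    net = ipaddress.ip_network(block, strict=False)
    gw = ipaddress.ip_network(f"{gateway}/32")
    routes: List[Route] = [(gw, net_if)]
    routes += [(half, dmz_if) for half in net.subnets(prefixlen_diff=1)]
    return routes


def ip_route_commands(routes: List[Route]) -> List[str]:
    """Render routes as the 'ip route add' lines used in /etc/network/interfaces."""
    return [f"ip route add {dst} dev {dev}" for dst, dev in routes]


def resolve(table: List[Route], addr: str) -> str:
    """Longest-prefix match over the table; the first entry wins on equal
    length, mimicking the ambiguity of two identical connected routes.
    Addresses owned by the firewall itself hit the kernel's local table
    first and are not modelled here (assumption: plain LPM, no metrics)."""
    ip = ipaddress.ip_address(addr)
    best = None
    for dst, dev in table:
        if ip in dst and (best is None or dst.prefixlen > best[0].prefixlen):
            best = (dst, dev)
    if best is None:
        raise LookupError(f"no route to {addr}")
    return best[1]


if __name__ == "__main__":
    BLOCK, GW = "70.184.225.176/28", "70.184.225.177"  # values from the mail
    extra = proxyarp_routes(BLOCK, GW, "eth0", "eth2")
    table = connected_routes(BLOCK, "eth0", "eth2") + extra
    for cmd in ip_route_commands(extra):
        print(cmd)
    for host in (GW, "70.184.225.183", "70.184.225.190"):
        print(host, "->", resolve(table, host))
```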
leaf-user mailing list: [email protected]
https://lists.sourceforge.net/lists/listinfo/leaf-user