On Mon, 24 Sep 2007 20:30:34 +0200, [EMAIL PROTECTED] said:
> In practice though both
> NICs will be connected to the same switch that all the computers are
> connected to.
Why? A more usual approach would be to connect the router to one NIC
and to connect the other NIC to the switch.
> Is that a risky setup in itself; is it in fact redundant to use a
> firewall behind the router?
If it's a NAT-ing router, which it probably is, then to some extent it is
redundant. However, you can have more fine-grained control on the firewall
itself. For example, if you don't forward port 22 from the router to the
firewall, no one will be able to access ssh (on the standard port). If you
do forward it, you can control which IP addresses can access ssh by using
Shorewall on the firewall.
> Do I, and can I, prevent traffic from
> passing from one NIC to the other inside the computer?
Can you? Yes: Shorewall would typically have the Internet-facing NIC in
zone "net" and the switch-facing NIC in zone "loc"; whether traffic flows
between them is determined by Shorewall (the 'policy' and 'rules' files
mainly). Should you? That's up to you. If you want systems connected to
your switch to be able to access the Internet then you'd best allow
traffic to flow one NIC to the other ('loc' to 'net'). If you want to
forward some incoming connections to systems other than your firewall then
yes again.
Advice: set up the connections as specified above then read the Shorewall
Two Interface QuickStart guide. Tom's put a huge amount of effort into
writing some of the best Open Source product documentation available
anywhere. If you're going to use his software, the least you could do is
read his documentation.
Keith
--
Keith Edmunds
+---------------------------------------------------------------------+
| Tiger Computing Ltd | Helping businesses make the most of Linux |
| "The Linux Company" | http://www.tiger-computing.co.uk |
+---------------------------------------------------------------------+
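For readers following the thread, here is a minimal set of Shorewall configuration fragments for the layout Keith describes (router on one NIC in zone "net", switch on the other in zone "loc", SSH reachable only from a chosen address). This is an added illustration, not taken from the list post or from the Shorewall documentation; the interface names (eth0/eth1), the LAN subnet and the permitted SSH source address are assumed values.

```text
# /etc/shorewall/zones  (assumed: firewall zone "fw", two ipv4 zones)
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4

# /etc/shorewall/interfaces  (assumed NIC names: eth0 -> router, eth1 -> switch)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        detect      tcpflags,nosmurfs,routefilter,logmartians

# /etc/shorewall/policy  (what happens when no rule matches)
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT            # LAN hosts may reach the Internet (loc -> net)
net     all     DROP    info      # unsolicited traffic from the router side is dropped and logged
all     all     REJECT  info      # everything else, including loc -> fw, is rejected and logged

# /etc/shorewall/masq  (needed unless the router has a route back to the LAN subnet)
#INTERFACE  SOURCE
eth0        192.168.1.0/24        # assumed LAN subnet behind eth1

# /etc/shorewall/rules  (exceptions to the policies above)
#ACTION SOURCE              DEST                    PROTO   DEST PORT(S)
# SSH to the firewall itself, only from one permitted source address (assumed value);
# this is the "control which IP addresses can access ssh" case from the post.
ACCEPT  net:203.0.113.5     $FW                     tcp     22
# LAN hosts may also administer the firewall over SSH.
ACCEPT  loc                 $FW                     tcp     22
# Forward an incoming service to a host on the switch instead of the firewall
# (assumed internal web server); this only works if the router forwards port 80 here.
DNAT    net                 loc:192.168.1.10:80     tcp     80
```

After editing, `shorewall check` validates the files without loading them, and `shorewall restart` applies them; anything not matched by a rule falls through to the policy lines, so the order of rules matters only within the rules file.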
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users