Before I go ahead and start going through your questions on this one I want to clarify: is there some particular reason why you are intentionally keeping the real IP addresses outside of the LAN? You are aware, I presume, that you can set up your interfaces on the servers with both a real IP address and an internal one if you wanted to; that is how I used to work it when I had my /29 set up.
On 11/03/13 07:20, [email protected] wrote:
> Hi.
>
> I'm migrating to shorewall(6) mgmt of my various firewalls.
>
> Simple configs have been easy with the great docs.
>
> I've got a slightly more convoluted config, and have gotten 'lost' in
> config'ing a SNAT/DNAT/NAT + DMZ + Xen Host/Guest set up with Static
> IP/29. Having some challenges wrapping my head around the 'best'
> Shorewall approach :-/
>
> Here's a 1st shot at explaining what I have and what I need help with:
>
> I've a static x.x.x.17/29 from my ISP.
>
> My setup is:
>
> ADSL modem, bridge mode
>    |
>    |
>    |
> Box 1
>    eth0
>      Ext x.x.x.17/24, Gateway x.x.x.1
>      firewall
>      split DNS -- listen on x.x.x.18 & 192.168.1.100
>      Int 192.168.1.100/24
>    eth1
>    |
>    |
>    |
> port 1
> GBit Switch
> port 2--------------------------------port 3-------- port(s) 4-...
>    |                                    |                  |
> Box2                                    |               Box(es) 4 ...
>    eth0                                 |                  eth0
>    mail server, listen on 192.168.1.125 |               @ ip == 192.168.1.4 ...
>                                         |
>                                       Box 3
>                                         eth0
>                                         xen server
>                                         Dom0, 192.168.1.200
>                                         DomU #1 10.10.1.201,
>                                           www listen on 80 & 443
>
> I need to ensure the following source/destination IP & port mapping for
> inbound & outbound traffic:
>
> Svr MAIL:
>   net --> x.x.x.19:{25,143,587} --> 192.168.1.100:{25,143,587}
>   192.168.1.100:{25,143,587} --> x.x.x.19:{25,143,587} --> net
>
> Svr DNS:
>   net --> x.x.x.18:53 --> 192.168.1.100:53
>   192.168.1.100:53 --> x.x.x.18:53 --> net
>
> Svr WWW:
>   net --> x.x.x.20:{80,443} --> 10.10.1.201:{80,443}
>   10.10.1.201:{80,443} --> x.x.x.20:{80,443} --> net
>
> and
>   enable ping access from net to Svr{MAIL,DNS,WWW}
>   enable ssh access from @ LAN Desktops 192.168.1.4 ... to Svr{MAIL,DNS,WWW}
>   default/fallback outbound src ip map for all lan-originated traffic is x.x.x.17
>
> Is getting this all working 'simply' an issue of NAT? no proxy arp
> required?
>
> Iiuc, I wouldn't use a Shorewall DMZ zone for this config, would I?
>
> With shorewall NAT setup, will the inbound/outbound routing -- between
> the LAN segments AND enabling per-external-IP source mapping -- be
> automatically generated?
>
> Thanks,
>
> DarylX
>
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
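For readers following the thread, here is one way the mapping DarylX listed could be expressed in Shorewall's port-based DNAT plus SNAT form, if the servers do stay on private addresses. This is an added illustration written for this page, not configuration from the thread or from the Shorewall project. It assumes the classic Shorewall 4.x files (`/etc/shorewall/rules` and `/etc/shorewall/masq`), a `net` zone on eth0 and a `loc` zone on eth1, `ADD_SNAT_ALIASES=Yes` in `shorewall.conf` so the `ADDRESS` column causes x.x.x.18, .19 and .20 to be added to eth0, and a route on Box 1 to 10.10.1.0/24 via Dom0 at 192.168.1.200 (the diagram shows the DomU behind Dom0 but states no route). The `x.x.x.` addresses are the poster's placeholders, kept as-is.

```text
# /etc/shorewall/rules  (added example; columns per the 4.x rules file)
#ACTION      SOURCE          DEST                   PROTO  DEST       SOURCE   ORIGINAL
#                                                          PORT(S)    PORT(S)  DEST
# inbound: each public address forwards only its own service ports
DNAT         net             loc:192.168.1.100      tcp    25,143,587 -        x.x.x.19
DNAT         net             loc:192.168.1.100      udp    53         -        x.x.x.18
DNAT         net             loc:192.168.1.100      tcp    53         -        x.x.x.18
DNAT         net             loc:10.10.1.201        tcp    80,443     -        x.x.x.20
# ping from net to each public address, forwarded to the mapped host
DNAT         net             loc:192.168.1.100      icmp   8          -        x.x.x.18,x.x.x.19
DNAT         net             loc:10.10.1.201        icmp   8          -        x.x.x.20
# ssh from the LAN desktop(s) to the servers; only matters for traffic that
# actually traverses Box 1 (same-subnet traffic on the switch never does)
SSH(ACCEPT)  loc:192.168.1.4 loc:192.168.1.100,10.10.1.201

# /etc/shorewall/masq  (added example; first matching line wins, so the
# per-host source mappings must come before the fallback)
#INTERFACE   SOURCE                          ADDRESS    PROTO  PORT(S)
eth0         192.168.1.100                   x.x.x.19   tcp    25,143,587
eth0         192.168.1.100                   x.x.x.18   udp    53
eth0         192.168.1.100                   x.x.x.18   tcp    53
eth0         10.10.1.201                     x.x.x.20   tcp    80,443
# fallback: everything else LAN-originated leaves as x.x.x.17
eth0         192.168.1.0/24,10.10.1.0/24     x.x.x.17
```

Two caveats from the thread itself. The `PORT(S)` column in `masq` matches the *destination* port of the outbound connection, so the lines above give the mail host the x.x.x.19 source only when it talks to remote port 25/143/587; any other outbound traffic from it falls through to x.x.x.17, which is what the poster's fallback line asks for. Second, the poster's own diagram places 192.168.1.100 on Box 1's eth1 (the firewall) and the mail daemon on 192.168.1.125, while the mapping table sends mail to 192.168.1.100; whichever host really runs the service is the one the DNAT target must name, and if that host is the firewall itself the daemon can simply bind to x.x.x.19 and an `ACCEPT net $FW` rule replaces the DNAT entry. No proxy ARP is involved in this layout: the extra addresses are real addresses on eth0, and nothing inside the LAN carries a public address. As the reply above notes, giving the servers a second, public interface address would remove the need for all of the per-host mappings.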
