Linux Advanced Routing and Traffic Control list
* [LARTC] Two parallel firewalls on one box
@ 2001-09-26 17:59 Philipp
From: Philipp @ 2001-09-26 17:59 UTC (permalink / raw)
  To: lartc

Hi there!

I have been working a while with simple routing setups, such as ISDN or DSL
masqueraded to a private network, sometimes firewalled. Now I want to set up
a more advanced firewall, and therefore I have some basic questions:

My hardware consists of one linux box with five NICs in all, one router for
dialup DSL (dynamic IPs, does NAT) and one router for the dedicated DSL (a
range of four static IPs, does transparent routing).

What I want is to do the following:

1. Set up a firewall (with strong ruleset) in combination with bridging. All
computers behind that firewall which should be accessible from outer space
will get one of the static IPs. Therefore the firewall has to be
transparent, if my understanding so far is right. Correct me please if
that's wrong. Input on the first NIC, output to the second, which is
connected to the 'DMZ' hub.

2. Have a second firewall (with a bit more friendly ruleset :-) that
features port/content/whatever based routing to make use of both subscriber
lines, based on which connection is more suitable for the specific purpose.
Input on the third NIC, output to the fourth, which is connected to the
'Intranet' switch.

3. In the near future it could be that we want to use a wireless LAN
connection to join two private networks together over a distance of a stone's
throw. Needs routing between the LAN interface (four) and the fifth NIC.

4. It would be nice (but not needed) if packets coming from the Intranet and
destined for the DMZ would be routed inside the box, and not outside
between my two providers. Testing a webserver with 100 MBit is by far more
pleasant than testing it with 144 kbit ;-)

I'll try to sum this up in a drawing:

+-------------+   +-------linux--box-------+
| ADSL Router |   |                        |   +-----------------+
|   dyn IP    |==1 <> firewall+bridge  <> 2==|     DMZ Hub     |=>...
+-------------+   |                        |   +-----------------+
                  |           ^ ??         |
+-------------+   |                        |   +-----------------+
| SDSL Router |==3 <> firewall+routing <> 4==| Intranet switch |=>...
| 4 static IP |   |            ^           |   +-----------------+
+-------------+   +------------5-----------+
                               |
                     +------------------+
                     | WLAN Transceiver |
                     +------------------+

And now to my questions:

1. Is it actually possible to set up two parallel working firewalls on one
box? Even if one should route (NICs need IPs) and one should be transparent?

2. I've read the bridging+firewalling howto, and all sounds very fine. But
it's quite old, and as far as I know there's no update yet. In this howto
the author writes about a special kernel patch, which swaps the firewalling
and the bridging layer of the kernel, so that filter rules would match.
Otherwise the packets pass by 'under' the firewall. Do I need this patch for
a 2.4 kernel? If not, how do I set up the kernel to handle the packets the
right way?

I hope someone read all this ;-) and many thanks for any answer!

Greetings >>>> Philipp


+--- --  -
 icq 63599319
 www.pealpjpain.net
          -  -- ---+


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/


* Re: [LARTC] Two parallel firewalls on one box
@ 2001-10-04 16:43 Carlo
From: Carlo @ 2001-10-04 16:43 UTC (permalink / raw)
  To: lartc

On Wed, Sep 26, 2001 at 07:59:58PM +0200, Philipp happily wrote:
> Hi there!
> 
> [...]
>
> +-------------+   +-------linux--box-------+
> | ADSL Router |   |                        |   +-----------------+
> |   dyn IP    |==1 <> firewall+bridge  <> 2==|     DMZ Hub     |=>...
> +-------------+   |                        |   +-----------------+
>                   |           ^ ??         |
> +-------------+   |                        |   +-----------------+
> | SDSL Router |==3 <> firewall+routing <> 4==| Intranet switch |=>...
> | 4 static IP |   |            ^           |   +-----------------+
> +-------------+   +------------5-----------+
>                                |
>                      +------------------+
>                      | WLAN Transceiver |
>                      +------------------+
> 
> And now to my questions:
> 
> 1. Is it actually possible to set up two parallel working firewalls on one
> box? Even if one should route (NICs need IPs) and one should be transparent?
I've actually tested a quite similar configuration in a production environment.
I had 4 nics, 1 linked to the intranet, one linked to our DMZ, one to the
server's internet connection (guaranteed bandwidth, class C public IP addresses...)
and the last one to a DSL like connection for the intranet. On the firewall I
had to configure a DHCP server on the intranet side, a DHCP client on the DSL
side, and transparent firewalling for the two nics related to the servers. I got
it working pretty well using proxy_arp for transparent firewalling and
configuring two routing tables (ip route add ... table ...) with some ip rules
(ip rule add ... ). It was quite interesting to see that working since I also
had to use MASQUERADING on the DSL side for the intranet (both 10.0.0.0
networks) and SNAT to allow direct connections between the offices and the DMZ.
In a short time, I may enjoy using tc to do some bandwidth shaping (I've been
quite satisfied by it in other environments).
Ok, I just gave you some hints... if you need something more detailed, I suggest
you look at:
  - the advanced-routing howto (how to use multiple routing tables, set up
    rules for ip...), don't know the exact name..
  - the documentation shipped with iptables, tc and iproute2 (there should be the exact
    url for the latest version of the howto I told you about somewhere around there)...
  - The 'proxy_arp' web pages. I found them in google using 'proxy_arp linux' as
    the search string.
I used the kernel 2.4.9 with the latest version of iptables and ip available in the
testing branch of debian (can't remember exact version). I didn't have any trouble
setting this up besides some typos in firewalling rules and the dhcp client screwing up my
routing tables during startup (solved this by putting my scripts after the
startup of dhcpcd and using as default routing table the one I used for the intranet).
Actually proxy_arp needs one ip address in order to work, but you can make the
firewall more 'transparent' by dropping all packets in the input chain, and no,
none of your servers needs to be configured to use that ip address nor your gateways
or other network devices on the network (proxy arp works at the arp level and is
quite similar to bridging).

If anybody wants some more details, I can mail my exact configuration or provide
some additional info... feel free to mail me...

> 
> 1. I've read the bridging+firewalling howto, and all sounds very fine. But
> [...]
> a 2.4 kernel? If no, how do I set up the kernel to handle the packets the
> right way?
As far as I know (I may be wrong) netfilter+bridging is not very stable on 2.4
kernels. You can look at the netfilter mailing list, but the last message I've seen
on this topic was sent around the 12th of September by someone that got it working
patching some lines in the kernel by hand (I can forward the email to you if you
want to try that way). My suggestion is not to use it in production environments
until it is a little bit more tested (at least on 2.4 kernels).

-- 
*** bye, Carlo!
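
As an added example (not Carlo's own configuration), the following dry-run script lays out what his reply describes on one box: a proxy_arp transparent pair in front of the static block, a second routing table selected by ip rules for the dynamic uplink, MASQUERADE for the intranet and SNAT for the internal intranet-to-DMZ shortcut. Interface names and addresses are constructed placeholders; with DRY_RUN=1 (the default) it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the thread: one way to build the layout Carlo describes.
# All addresses and interface names are constructed placeholders (192.0.2.0/29 is an
# RFC 5737 documentation range standing in for the four static SDSL addresses).
set -eu
DRY_RUN="${DRY_RUN:-1}"        # 1 = print the commands, 0 = execute them (root, 2.4+ kernel)
LAN_IF=eth0;  LAN_NET=10.0.0.0/24          # intranet side (DHCP server lives here)
DSL_IF=eth1;  DSL_GW=198.51.100.1          # dynamic ADSL; a DHCP client hook should refresh DSL_GW
SDSL_IF=eth2; DMZ_IF=eth3                  # transparent pair between SDSL router and servers
DMZ_NET=192.0.2.0/29; DMZ_GW=192.0.2.1     # SDSL router's address inside the static block
FW_IP=192.0.2.2                            # the single address proxy_arp needs
DMZ_HOSTS="192.0.2.3 192.0.2.4"            # servers behind the transparent pair

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Transparent segment: the /29 lives on the router-facing NIC, host routes point to the
# servers on the other NIC, and proxy_arp answers ARP for whatever is reachable via the
# opposite interface. Neither the router nor the servers learn that the firewall exists.
setup_transparent_segment() {
    run sysctl -w net.ipv4.ip_forward=1
    run ip addr add "$FW_IP/29" dev "$SDSL_IF"
    run ip addr add "$FW_IP/32" dev "$DMZ_IF"
    for h in $DMZ_HOSTS; do run ip route add "$h/32" dev "$DMZ_IF"; done
    run ip route add default via "$DMZ_GW" dev "$SDSL_IF"
    run sysctl -w "net.ipv4.conf.$SDSL_IF.proxy_arp=1"
    run sysctl -w "net.ipv4.conf.$DMZ_IF.proxy_arp=1"
}

# Second routing table (200) for the ADSL uplink; rules send intranet traffic there,
# except intranet-to-DMZ, which stays inside the box via the main table (host routes above).
setup_policy_routing() {
    run ip route add default via "$DSL_GW" dev "$DSL_IF" table 200
    run ip rule add prio 100 from "$LAN_NET" to "$DMZ_NET" lookup main
    run ip rule add prio 200 from "$LAN_NET" lookup 200
    run ip route flush cache
}

# NAT: intranet leaves via the dynamic ADSL address (MASQUERADE). Intranet-to-DMZ is SNATed
# to FW_IP, otherwise the servers would answer 10.0.0.x via their default gateway, the SDSL
# router, which knows nothing about the intranet. Dropping INPUT on the pair hides the box.
setup_nat_and_input() {
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$DSL_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -d "$DMZ_NET" -o "$DMZ_IF" \
        -j SNAT --to-source "$FW_IP"
    run iptables -A INPUT -i "$SDSL_IF" -j DROP
    run iptables -A INPUT -i "$DMZ_IF" -j DROP
}

setup_transparent_segment
setup_policy_routing
setup_nat_and_input
```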

