[Shorewall-newbies] Recommendations on shorewall setup on multiple single-int boxes

kd at source.intac.net kd at source.intac.net
Wed Dec 24 01:51:02 PST 2003

I've been spending the past few days going over the site and
documentation. I'm still not set on what I want to do since the long term
goals are not yet identified on my end. So I am here asking for some

My setup:

3 servers with one interface (eth0), and each interface has a real routable
IP address.

Due to some users not having static IPs and others not always having an
ipsec client available (some handhelds, and some other oddball types of
sw/hw that no ipsec client is available for), I am wondering if the best
route is to set up rules based on the mac addies of the devices
needed to connect to these servers.

So, do I do a shorewall install on each server, with rules allowing the 40
or so devices needed to connect via mac addresses in rules, or is there
something better? My goal is only to allow these ~40 devices to connect to
these 3 servers over the Internet and drop and/or reject any other
traffic. To me this seems the best choice since I know exactly what will ever
have a need to connect to these boxes and it bypasses any type of client
side issues. Thoughts?

Also, due to the location of the 3 servers, and that down the road we will
most likely have a need to open them up to the world at times, we can't run
one box as a dedicated fw with the other 2 behind it. Basically, we need to
stick with how the current setup is.

Anyway, any comments or suggestions welcomed. Thanks.

