[Shorewall-newbies] Migrating a firewall from old hardware to new

Chris Evans chris1 at psyctc.org
Sat Mar 6 12:51:51 PST 2004


Not sure if this is "newbie" or not.  Let's start here.

I've been running shorewall (1.2.12) on Debian stable in a pretty 
typical three NIC setup.  It sits behind an ADSL router (British 
Telecom's four port "Model 5861, part #: 120-5861-003" standard - 
don't know what it "really" is.) and it takes an IP address 
213.34.100.197 in the range they gave me (which also gave me network 
on 192, netmask 255.255.255.248) and gateway on 213.34.100.198.

On eth1 it serves up the local network currently of two portables 
plugging in windoze (sorry) when my wife and I are home and using 
192.168.1.0 ... and on eth2 it was using proxyarp to serve up a linux 
server (psyctc.org 217.34.100.194) that runs Email lists for 
charities and a web server.

All went fine for two years: I'd like to get IRC and a few other 
things like secure tunnelling that I didn't think I could with this 
setup, but basically that didn't really matter that much so I left it 
running.  All my hardware is ancient and noisy and I'd like to feel 
safer and hear good music again in the study so I bought a nice quiet 
little box with VIA EPIA CL2000 motherboard with two NICs on, put a 
dirt cheap PCI NIC in the one free slot and set about configuring it 
for RAID etc.  It's turned out to be a nightmare for various silly 
reasons but all that sorted and I finally came to the shorewall 
migrate which I thought would be trivial ... and yesterday it 
completely beat me and revealed that I don't really understand 
networking.  ... After a serious drink and some scowling at the cat 
last night I've told myself that the old machine will limp on for a 
week or two and I need to understand and ask stupid questions until I 
feel I understand.  Here I go:

Probably the first mistake I made was to move to Shorewall 1.4.8 from 
the Debian backports (the post in the shorewall list archives, and 
perhaps the FAQ, has only a partial solution with a single line 
addition to /etc/apt/sources.list:
	deb http://security.dsi.unimi.it/~lorenzo/debian ./
That fails against Debian 3.0r2 (a.k.a. "stable" = Woody) as the 
version of iptables isn't high enough.)  You need:

So what works for me in the UK is:
	# for shorewall:
	deb http://www.uk.backports.org/debian stable shorewall
	# for iptables:
	deb http://www.uk.backports.org/debian stable shorewall iptables

So my first question (yes, I have been through the sequence of 
changes in the FAQ) is:

what is likely to have been changed in my config files?

And my other question is more basic:
I _think_ I did a pretty accurate transfer following those 
instructions and basically the loc network was crawling accessing the 
dmz and the dmz wasn't getting returns from the net. Am I right in 
thinking that's probably about proxyarp and arp cache issues and if 
so, are the arp maps in the router and likely to clear if I power it 
down for a minute or two, or are they at BT somewhere?

And my final question is:
Am I better ditching proxyarp and going for SNAT/DNAT combination for 
both loc and the dmz?

Sorry this is so long and perhaps so dumb.  I'm happy to take answers 
and questions over the whole of the next week as I'll be buried in my 
"real" job, not able to try things out at all.

TIA (and huge thanks Tom for a brilliant piece of s'ware!),

Chris
PSYCTC: Psychotherapy, Psychology, Psychiatry, Counselling
   and Therapeutic Communities; practice, research, 
   teaching and consultancy.
Chris Evans & Jo-anne Carlyle
http://psyctc.org/ Email: chris at psyctc.org
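The ARP question in the post above is a real migration hazard: with proxy ARP, the firewall answers ARP queries for the DMZ host's address with its own eth0 MAC, so the ADSL router's ARP cache (which lives in that router on the local Ethernet segment, not upstream at the ISP, because ARP does not cross routers) keeps pointing both the firewall's own address and the proxied address at the old box's MAC until the entries expire or are refreshed. The script below is an added example, not code from the original post or from Shorewall itself. It reads a Shorewall-style proxyarp file (columns ADDRESS, INTERFACE, EXTERNAL, HAVEROUTE, as the 1.4 file format documents them; the sample content embedded here is constructed to mirror the poster's layout) and emits one gratuitous ARP announcement per entry, plus one for the firewall's own external address, using the iputils `arping -U` syntax, which is assumed to be installed. `DRY_RUN=1` (the default) only prints the commands; the real run needs root on the new firewall.

```shell
#!/bin/sh
# Added example: refresh an upstream router's ARP cache after moving a
# proxy-ARP firewall to new hardware. Not from the original post or from
# Shorewall. Assumes iputils arping; file format assumed as in Shorewall 1.4.

# Constructed sample in the Shorewall proxyarp file format. The DMZ host
# sits on eth2 and is announced upstream on eth0, as in the post.
SAMPLE_PROXYARP='
# ADDRESS          INTERFACE  EXTERNAL  HAVEROUTE
217.34.100.194     eth2       eth0      no
'

# The firewall's own address on the external interface (from the post).
# The router's cache entry for this address goes stale too.
FW_EXT_ADDR=213.34.100.197
FW_EXT_IFACE=eth0

# Read proxyarp file content on stdin; print "address external_iface"
# for each real entry, skipping comments and blank lines.
proxyarp_entries() {
    awk '$1 !~ /^#/ && NF >= 3 { print $1, $3 }'
}

# Build the gratuitous ARP command for one address on one interface.
# -U: unsolicited (gratuitous) ARP to update neighbours' caches
# -s: source address announced, -I: interface, -c 3: three announcements
garp_command() {
    printf 'arping -U -c 3 -I %s -s %s %s' "$2" "$1" "$1"
}

# Announce one address, or just print what would be run under DRY_RUN=1.
announce() {
    addr=$1
    iface=$2
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '[dry-run] %s\n' "$(garp_command "$addr" "$iface")"
    else
        # Needs root; announces the address on the external segment.
        arping -U -c 3 -I "$iface" -s "$addr" "$addr"
    fi
}

# Announce every proxy-ARP address, then the firewall's own address.
announce_all() {
    printf '%s' "$SAMPLE_PROXYARP" | proxyarp_entries |
    while read -r addr iface; do
        announce "$addr" "$iface"
    done
    announce "$FW_EXT_ADDR" "$FW_EXT_IFACE"
}

announce_all
```

Run it on the new firewall with `DRY_RUN=0` once the old box is unplugged; if the router ignores gratuitous ARP, the fallback is exactly the power-cycle the post describes, which discards the router's cache. Pointing `SAMPLE_PROXYARP` at `cat /etc/shorewall/proxyarp` instead of the constructed text makes it use the live file.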


