[Shorewall-newbies] Migrating a firewall from old hardware to new
chris1 at psyctc.org
Sat Mar 6 12:51:51 PST 2004
Not sure if this is "newbie" or not. Let's start here.
I've been running shorewall (1.2.12) on Debian stable in a pretty
typical three NIC setup. It sits behind an ADSL router (British
Telecom's four port "Model 5861, part #: 120-5861-003" standard -
don't know what it "really" is.) and it takes an IP address
220.127.116.11 in the range they gave me (which also gave me network
on 192, netmask 255.255.255.248) and gateway on 18.104.22.168.
On eth1 it serves up the local network currently of two portables
plugging in windoze (sorry) when my wife and I are home and using
192.168.1.0 ... and on eth2 it was using proxyarp to serve up a linux
server (psyctc.org 22.214.171.124) that runs Email lists for
charities and a web server.
All went fine for two years: I'd like to get IRC and a few other
things like secure tunnelling that I didn't think I could with this
setup, but basically that didn't really matter that much so I left it
running. All my hardware is ancient and noisy and I'd like to feel
safer and hear good music again in the study so I bought a nice quiet
little box with VIA EPIA CL2000 motherboard with two NICs on, put a
dirt cheap PCI NIC in the one free slot and set about configuring it
for RAID etc. It's turned out to be a nightmare for various silly
reasons but all that sorted and I finally came to the shorewall
migrate which I thought would be trivial ... and yesterday it
completely beat me and revealed that I don't really understand
networking. ... After a serious drink and some scowling at the cat
last night I've told myself that the old machine will limp on for a
week or two and I need to understand and ask stupid questions until I
feel I understand. Here I go:
Probably the first mistake I made was to move to Shorewall 1.4.8 from
the Debian backports (the post in the shorewall list archives, and
perhaps the FAQ, has only a partial solution with a single line
addition to /etc/apt/sources.list:
deb http://security.dsi.unimi.it/~lorenzo/debian ./
That fails against Debian 3.0r2 (a.k.a. "stable" = Woody) as the
version of iptables isn't high enough.) You need:
So what works for me in the UK is:
# for shorewall:
deb http://www.uk.backports.org/debian stable shorewall
# for iptables:
deb http://www.uk.backports.org/debian stable shorewall iptables
So my first question (yes, I have been through the sequence of
changes in the FAQ) is:
what is likely to have been changed in my config files?
And my other question is more basic:
I _think_ I did a pretty accurate transfer following those
instructions and basically the loc network was crawling accessing the
dmz and the dmz wasn't getting returns from the net. Am I right in
thinking that's probably about proxyarp and ARP cache issues and, if
so, are the ARP maps in the router, and likely to clear if I power it
down for a minute or two, or are they at BT somewhere?
And my final question is:
Am I better ditching proxyarp and going for SNAT/DNAT combination for
both loc and the dmz?
Sorry this is so long and perhaps so dumb. I'm happy to take answers
and questions over the whole of the next week as I'll be buried in my
"real" job, not able to try things out at all.
TIA (and huge thanks Tom for a brilliant piece of s'ware!),
PSYCTC: Psychotherapy, Psychology, Psychiatry, Counselling
and Therapeutic Communities; practice, research,
teaching and consultancy.
Chris Evans & Jo-anne Carlyle
http://psyctc.org/ Email: chris at psyctc.org
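The two layouts the post asks about (proxy ARP for the DMZ host versus an SNAT/DNAT pair), written out side by side as an added illustration. This is not part of the original message and not taken from Shorewall's own documentation; it assumes the Shorewall 1.4 file layouts for proxyarp, masq and rules, the interface and zone names implied by the post (eth0 = net, eth1 = loc, eth2 = dmz), and placeholder addresses: PUBLIC_DMZ_IP stands for the DMZ host's routable address and 192.168.2.2 for a private DMZ address, both of which are constructed for the example.

```text
# Option A: keep proxy ARP. The DMZ host keeps its public address; the
# firewall answers ARP for it on eth0 and routes to it over eth2.
# HAVEROUTE=No tells Shorewall to add the host route itself.
# /etc/shorewall/proxyarp
#ADDRESS        INTERFACE   EXTERNAL    HAVEROUTE
PUBLIC_DMZ_IP   eth2        eth0        No

# /etc/shorewall/masq  (only the private loc network is masqueraded)
#INTERFACE      SUBNET          ADDRESS
eth0            192.168.1.0/24

# Option B: drop proxy ARP. The DMZ host is renumbered to a private
# address; inbound connections are DNATed to it and its outbound
# traffic is SNATed to the public address it used to hold.
# /etc/shorewall/masq
#INTERFACE      SUBNET          ADDRESS
eth0            192.168.1.0/24
eth0            192.168.2.0/24  PUBLIC_DMZ_IP

# /etc/shorewall/rules  (ORIGINAL DEST pins each rule to that public
# address, so only the ports listed here are reachable from net)
#ACTION SOURCE  DEST                PROTO   DEST    SOURCE  ORIGINAL
#                                           PORT(S) PORT(S) DEST
DNAT    net     dmz:192.168.2.2     tcp     25      -       PUBLIC_DMZ_IP
DNAT    net     dmz:192.168.2.2     tcp     80      -       PUBLIC_DMZ_IP
```

With option A nothing on the DMZ host changes, but the upstream router must now associate the public address with the new firewall's MAC address, which is exactly the ARP cache question raised in the post. With option B the DMZ host itself is reconfigured to the private address with the firewall's eth2 address as its gateway, and only the ports given explicit DNAT rules are exposed, so the rules file becomes the single place to audit what is reachable from outside.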