[Shorewall-newbies] RE: Two Firewalls????

Tom Eastep teastep at shorewall.net
Thu Mar 11 08:53:48 PST 2004

On Thursday 11 March 2004 08:38 am, Kirti S. Bajwa wrote:
> What is the purpose of the lower RFC 1918 network?
> Sorry Tom, I am not as familiar with RFC as you are!!!

The Shorewall documentation mentions this RFC very frequently and you should 
know what it is about.

> But I think I know 
> what you are asking. In our system, all servers, other than two firewall
> servers, are in DMZ. Lower network (192.168.6.x) is strictly for traffic
> between the servers. This allows me to further secure the network and have
> better performance.

So I assume that you are using Bind9 views or something similar so that the 
servers get different Name->IP translation than external clients?

> ------
> Are the firewall's supposed to load balance or is one a hot standby?
> Actually, both. In our setup, DNS1 services all the queries coming from the
> Internet world and DNS2 is the secondary name server. For all internal
> queries, DNS2 is the primary name server and DNS1 is the secondary name
> server. That is the reason we need a firewall on both DNS1 & DNS2 servers.

Well, giving both firewalls the same internal IP address is a poor plan. Also, 
what default gateway are the servers configured with? If it is a router at 
your ISP then you might want to make the firewalls act as bridges rather than 
routers (be sure to enable STP on the bridges). If it is one of the firewalls 
then you need to implement some sort of HA mechanism for failover. A 
subscriber on the Shorewall Users list recently posted a URL to a description 
of such a setup. 

Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net

