[Shorewall-newbies] RE: Two Firewalls????

Kirti S. Bajwa kbajwa at tib.com
Thu Mar 11 09:41:51 PST 2004


Sorry Tom:

"Well, giving both firewalls the same internal IP address is a poor plan."

My mistake. The internal IP addresses are different (see new setup).

My NEW setup:

                          T1 to Internet Backbone
                                      |
                                 Cisco 26XX
                                 12.21.237.1
                                      |
                        ---------------------------
                        |                         |
                   12.21.237.10              12.21.237.11
                  --------------             --------------
                 | Firewall     |           | Firewall     |
                 | DNS1(NS1)    |           | DNS2(NS2)    |
                  --------------             --------------
                   192.168.21.10             192.168.21.11
                        |                         |
                        ---------------------------
                             DMZ  |Hub|    DMZ
             ---------------------------------------------
             |             |              |              |
       12.21.237.15   12.21.237.16   12.21.237.17   12.21.237.17
            rdx           mail           Web           data
       ------------   ------------   ------------   ------------
       |  RADIUS  |   |   Mail   |   | Web/HTTP |   |   DATA   |
       |  Server  |   |   Server |   | Hosting  |   |  MySQL   |
       ------------   ------------   ------------   ------------
       192.168.6.15   192.168.6.16   192.168.6.17   192.168.6.18
            rdxl          maill          webl          datal
             |             |              |              |
             -------------------|Hub|---------------------


If it changes your response, please let me know.

----------
So I assume that you are using Bind9 views or something similar so that the 
servers get different Name->IP translation than external clients?

Yes. 

Our design does not need any special failover procedure, hardware, etc. It
is strictly based on primary & secondary DNS servers and how they are
accessed. All traffic is always going to pass through either P-DNS or S-DNS.
Since each DNS server has Shorewall, they are secured.

----------
Default gateway!!

We have CISCO 26XX (12.21.237.1) as a gateway. I will read about bridges
because I am not familiar with them.
----------

Thank you again for your help. If all the questions are answered, please let
me know whether our design for the Shorewall firewall is workable or not.

Kirti


-----Original Message-----
From: Tom Eastep [mailto:teastep at shorewall.net]
Sent: Thursday, March 11, 2004 11:54 AM
To: List for New Shorewall Users; Kirti S. Bajwa
Subject: Re: [Shorewall-newbies] RE: Two Firewalls????


On Thursday 11 March 2004 08:38 am, Kirti S. Bajwa wrote:
> What is the purpose of the lower RFC 1918 network?
>
> Sorry Tom, I am not as familiar with RFC as you are!!!

The Shorewall documentation mentions this RFC very frequently and you should
know what it is about
(http://shorewall.net/shorewall_setup_guide.htm#RFC1918).

> But I think I know 
> what you are asking. In our system, all servers, other than two firewall
> servers, are in DMZ. Lower network (192.168.6.x) is strictly for traffic
> between the servers. This allows me to further secure the network and have
> better performance.

So I assume that you are using Bind9 views or something similar so that the 
servers get different Name->IP translation than external clients?
>
> ------
> Are the firewall's supposed to load balance or is one a hot standby?
>
> Actually, both. In our setup, DNS1 services all the queries coming from the
> Internet world and DNS2 is the secondary name server. For all internal
> queries, DNS2 is the primary name server and DNS1 is the secondary name
> server. That is the reason we need firewall on both DNS1 & DNS2 servers.

Well, giving both firewalls the same internal IP address is a poor plan. Also,
what default gateway are the servers configured with? If it is a router at
your ISP then you might want to make the firewalls act as bridges rather than
routers (be sure to enable STP on the bridges). If it is one of the firewalls
then you need to implement some sort of HA mechanism for failover. A
subscriber on the Shorewall Users list recently posted a URL to a description
of such a setup.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
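Tom's question about BIND 9 views, and Kirti's "Yes", cover the split-horizon part of this design in one line each. The configuration below is an added example (not from the thread, not Shorewall's or ISC's own sample) of what that answer implies for the layout in the diagram: clients on the 192.168.6.0/24 server network get the 192.168.6.x addresses, everyone else gets the public 12.21.237.x addresses. The host names and addresses are taken from the diagram; the zone name "example.com", the zone file paths and the decision to allow recursion only in the internal view are assumptions.

```conf
// Added example, not part of the original thread: split-horizon DNS with
// BIND 9 views for Kirti's layout. Hosts on the server-only network
// (192.168.6.0/24) and the firewalls' inside addresses (192.168.21.0/24)
// are treated as internal; all other sources are external.
// "example.com" and the file paths are assumptions.

acl "internal" {
    127.0.0.1;
    192.168.6.0/24;      // rdxl, maill, webl, datal: server-to-server network
    192.168.21.0/24;     // inside addresses of the two firewall/DNS boxes
};

options {
    directory "/var/named";
    recursion no;        // default for an Internet-facing authoritative server
};

// Views are tested in the order they appear and the first match-clients hit
// wins, so the narrow internal view must come before the catch-all one.
view "internal" {
    match-clients { "internal"; };
    recursion yes;       // let the DMZ servers resolve through this box
    zone "example.com" {
        type master;
        file "internal/example.com.zone";   // web A 192.168.6.17, etc.
    };
};

view "external" {
    match-clients { any; };
    recursion no;        // never an open resolver for the Internet
    zone "example.com" {
        type master;
        file "external/example.com.zone";   // web A 12.21.237.17, etc.
    };
};
```

The two zone files differ only in their A records (for example `web A 192.168.6.17` in the internal file versus `web A 12.21.237.17` in the external one); the NS, SOA and MX records should be identical so that both views agree on who is authoritative. Two checks are worth running once this is in place: `dig @12.21.237.10 web.example.com` from outside must return 12.21.237.17, and the same query from a DMZ server's 192.168.6.x side must return 192.168.6.17. Replicating the zones to the second server is the part that most often goes wrong, because a secondary's zone-transfer request is matched against `match-clients` like any other query: a transfer that arrives from 192.168.21.11 lands in the internal view and would pull internal data into the external zone. Each view therefore needs its own transfer path, typically a distinct TSIG key per view selected with `match-clients { key "name"; ... };`, so that DNS2's external view transfers from DNS1's external view and its internal view from DNS1's internal view.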