[Shorewall-users] AD-Filter?

Tom Eastep teastep@shorewall.net
Sat, 12 Jan 2002 13:42:56 -0800


On Saturday 12 January 2002 01:30 pm, dgilleece@optimumnetworks.com wrote=
:
> Hi all,
>
> I am in the process of setting up a firewall to protect a range of 128
> routable addresses.  They need to be routable because of this client's =
need
> to access multiple-vendor VPN systems, using both client-to-subnet
> connections and subnet- to-subnet connections, mostly in aggressive mod=
e;
> thus, likely to be broken by NAT.  The documentation and my web searche=
s
> have shown little in they way of example configurations, and not much
> general discussion on the approach.  I realize the NAT'd private addres=
s
> approach is more prevalent, but I'd appreciate some background perspect=
ive
> from anyone has implemented such a setup.
>
> My questions:
>
> 1.  Are there any example configurations around for this type of setup?

I don't have one since I use NAT and Proxy ARP.

> 2.  Is the implementation simply a matter of leaving the NAT settings o=
ff
> and supplying the proper internal range?

Yes -- plus, never use "all" in the ADDRESS column in your=20
/etc/shorewall/rules file.

> 3.  Are any additional/different rules necessary or advisable in such a
> system?

Not really -- Shorewall doesn't assume a MASQ or NAT environment so if yo=
u=20
don't specify NAT it doesn't happen.=20

4.  Any other issues a relative newcomer should be aware of, or
> background docs anyone might point me to?
>

Not that I can think of.
-Tom
--=20
Tom Eastep    \ A Firewall for Linux 2.4.*
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
-------------------------------------------