[Shorewall-users] Design Problems for VPN/Transparent Firewall

Tom Eastep teastep@shorewall.net
Sun, 13 Jan 2002 11:54:09 -0800


On Sunday 13 January 2002 10:42 am, dgilleece@optimumnetworks.com wrote:
> Hi all,
>
> I have been struggling with some architectural trade-offs, and I've hit a
> knowledge wall. I am trying to design one appliance that will act as a
> transparent router/firewall for a /25 range of legal addresses AND provide
> FreeS/WAN subnet-to-subnet tunnels for two remote networks.  Based upon
> the statement in the Shorewall doc warning against using FreeS/WAN in
> combination with Proxy-ARP, that solution seems to be off the table.

The problem there is an operational one (as pointed out in the DOCs). If you
place the appropriate commands in /etc/shorewall/init and
/etc/shorewall/start, you should be able to get it to work. The only downside
will be that "shorewall restart" will also stop and start IPSEC.

>
> While attempting to configure Shorewall, I came across some things that
> didn't seem sane.  Like, the fact that eth1 and eth0, while in the same
> subnet, needed to be in different zones.

They don't have to be -- If you want to define firewall rules then putting
them in separate zones makes sense though. If you don't want to define
firewall rules then you don't need Shorewall.

> The DSL router also shares that
> subnet, but it is clearly not in the loc zone.  The syntax for defining
> zones seems to give the ability to define single hosts (or lists thereof)
> or entire subnets; but not the apparent ability to do ranges of IPs.

That's because Netfilter doesn't give you that option either.

What EXACTLY are your firewall requirements? From those, we can best advise
you on how to configure shorewall.

-Tom
-- 
Tom Eastep    \ A Firewall for Linux 2.4.*
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net