[Shorewall-users] Design Problems for VPN/Transparent Firewall

dgilleece@optimumnetworks.com dgilleece@optimumnetworks.com
Sun, 13 Jan 2002 14:13:16 -0600 (CST)


Thanks for the response.  My exact requirements are:

1.  Protecting ~124 hosts behind the device with configurable firewall rules.
2.  Allowing any given host on that protected subnet to access just about any 
given type of VPN system at a variety client sites.  (ruling out NAT, 
3.  Having the gateway/firewall act as the VPN gateway connecting three remote 
office subnets together seamlessly.
4.  Logging intrusion attempts.
5.  Ad hoc configurable rules to allow machines unfiltered access for periodic 
testing activities

If you can guide me on sound configs, or let me know if I'm on the right track, 
I'd much appreciate it.


Quoting Tom Eastep <teastep@shorewall.net>:

> On Sunday 13 January 2002 10:42 am, dgilleece@optimumnetworks.com
> wrote:
> > Hi all,
> >
> > I have been struggling some architectural trade-offs, and I've hit a
> > knowledge wall. I am trying to design one appliance that will act as
> a
> > transparent router/firewall for a /25 range of legal addresses AND
> provide
> > FreeS/WAN subnet- to-subnet tunnels for two remote networks.  Based
> upon
> > the statement in the Shorewall doc warning against using FreeS/WAN
> in
> > combination with Proxy-ARP, that solution seems to be off the table.
> The problem there is an operational one (as pointed out in the DOCs). If
> you 
> place the appropriate commands in /etc/shorewall/init and 
> /etc/shorewall/start, you should be able to get it to work. The only
> downside 
> will be that "shorewall restart" will also stop and start IPSEC.
> >
> > While attempting to configure Shorewall, I can across some things
> that
> > didn't seem sane.  Like, the fact that eth1 and eth0, while in the
> same
> > subnet, needed to be in different zones.
> They don't have to be -- If you want to define firewall rules then
> puting 
> them in separate zones makes sense though. If you don't want to define
> firewall rules then you don't need Shorewall.
> > The DSL router also shares that
> > subnet, but it is clearly not in the loc zone.  The syntax for
> defining
> > zones seems to give the ability to define single hosts (or lists
> thereof)
> > or entire subnets; but not the apparent ability to do ranges of IPs.
> That's because Netfilter doesn't give you that option either.
> What EXACTLY are your firewall requirements? From those, we can best
> advise 
> you on how to configure shorewall.
> -Tom
> -- 
> Tom Eastep    \ A Firewall for Linux 2.4.*
> AIM: tmeastep  \ http://www.shorewall.net
> ICQ: #60745924  \ teastep@shorewall.net
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users