[Shorewall-users] Design Problems for VPN/Transparent Firewall

dgilleece@optimumnetworks.com dgilleece@optimumnetworks.com
Sun, 13 Jan 2002 14:29:30 -0600 (CST)


Quoting Tom Eastep <teastep@shorewall.net>:

> Ok -- what function does your DSL router play?

The DSL router currently passes all traffic to a network switch, through which 
all hosts currently access the internet directly --- using only local security 
measures (personal firewall, ipchains, etc.)

> - From your ISP's point of view, does it act as the gateway to your /25
> network?
Yes. 

> - Does it physically interface to the phone line or is there a "dsl
> modem" outbound of it?
Not sure what you mean here.  It is a Cisco 678, connected to a dedicated (non-
shared "dry pair") business circuit.  LAN-side, it is attached to a workgroup 
switch.

> > 2.  Allowing any given host on that protected subnet to access just
> > about any given type of VPN system at a variety of client sites.  (ruling
> > out NAT, necessarily)
> 
> That's a routing requirement, not a firewall requirement.
By "allowing" I mean not interfering with "aggressive" VPN connections -- which 
NAT firewalls hose.

> > 3.  Having the gateway/firewall act as the VPN gateway connecting
> > three remote office subnets together seamlessly.
> 
> Ditto.
Given my intent to create a simple (relative term here) appliance that does 
both VPN management and filtering, I am concerned that the two applications don't 
make life difficult for each other -- I wasn't sure if your comments in the doc 
would be show-stoppers...


> Let's answer the questions about the DSL router first, then I'll give you
> my thoughts.

I am looking forward to them :)

Thanks for helping,

Dan
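The thread above leaves the "NAT firewalls hose aggressive VPN connections" point unexplained. The following is an added example, not code from the Shorewall list or project: a simplified model of the IPsec AH integrity check from RFC 2402 (HMAC-SHA1-96 over the IPv4 header with its mutable fields zeroed, the AH header with the ICV field zeroed, and the payload). It shows why an ordinary router hop (TTL decrement) leaves the packet valid while a NAT rewrite of the source address does not, which is the reason a routed, non-NAT gateway is needed for that traffic. The key, addresses, SPI and payload are constructed test data, and the helper names are this example's own.

```python
"""Why NAT breaks IPsec AH: the integrity check covers the IP addresses.

Simplified RFC 2402 AH ICV model (added example, not from the Shorewall thread).
Mutable IPv4 fields (TOS, flags/fragment offset, TTL, header checksum) are zeroed
before the HMAC; the source and destination addresses are NOT mutable, so any
NAT rewrite invalidates the ICV at the receiving VPN peer.
"""
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51        # IP protocol number for AH
ICV_LEN = 12         # HMAC-SHA1-96 truncation length


def build_ipv4_header(src, dst, total_len, ttl=64, proto=AH_PROTO, ident=0x1234):
    # ver/ihl, tos, total length, id, flags+frag, ttl, proto, checksum(0), src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def zero_mutable_fields(ip_hdr):
    # RFC 2402 3.3.3.1.1: TOS, flags, fragment offset, TTL, checksum are mutable.
    b = bytearray(ip_hdr)
    b[1] = 0                 # TOS
    b[6:8] = b"\x00\x00"     # flags + fragment offset
    b[8] = 0                 # TTL
    b[10:12] = b"\x00\x00"   # header checksum
    return bytes(b)


def ah_header(next_header, spi, seq, icv=b"\x00" * ICV_LEN):
    # payload length = AH length in 32-bit words minus 2 (24 bytes -> 6 words -> 4)
    payload_len = (12 + ICV_LEN) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def compute_icv(key, ip_hdr, ah_hdr, payload):
    ah_zeroed = ah_hdr[:12] + b"\x00" * ICV_LEN
    data = zero_mutable_fields(ip_hdr) + ah_zeroed + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, payload, spi=0x100, seq=1, ttl=64):
    total_len = 20 + 12 + ICV_LEN + len(payload)
    ip_hdr = build_ipv4_header(src, dst, total_len, ttl=ttl)
    ah = ah_header(next_header=17, spi=spi, seq=seq)   # 17 = UDP carried inside AH (constructed)
    icv = compute_icv(key, ip_hdr, ah, payload)
    return ip_hdr + ah[:12] + icv + payload


def verify_ah_packet(key, pkt):
    """Receiver-side check: recompute the ICV over the received packet."""
    ip_hdr, ah, payload = pkt[:20], pkt[20:20 + 12 + ICV_LEN], pkt[20 + 12 + ICV_LEN:]
    expected = compute_icv(key, ip_hdr, ah, payload)
    return hmac.compare_digest(ah[12:], expected)


def nat_rewrite_source(pkt, new_src):
    """What a NAT gateway does: replace the source address in the IP header."""
    b = bytearray(pkt)
    b[12:16] = ipaddress.IPv4Address(new_src).packed
    # a real NAT also recomputes the IP checksum; it is zeroed in the ICV input anyway
    return bytes(b)


def router_decrement_ttl(pkt):
    """What a plain routing hop (a non-NAT firewall) does: decrement TTL."""
    b = bytearray(pkt)
    b[8] -= 1
    return bytes(b)


def demo():
    key = b"constructed-shared-key-not-real"
    pkt = build_ah_packet(key, "192.0.2.10", "198.51.100.5", b"hello")
    return {
        "direct": verify_ah_packet(key, pkt),
        "after_router_hop": verify_ah_packet(key, router_decrement_ttl(pkt)),
        "after_nat": verify_ah_packet(key, nat_rewrite_source(pkt, "203.0.113.1")),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `direct` and `after_router_hop` as True and `after_nat` as False: the peer at the far VPN site discards the NATed packet as tampered, exactly the failure mode a routed (non-masquerading) firewall in front of the /25 avoids.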