[Shorewall-users] Design Problems for VPN/Transparent Firewall
Sun, 13 Jan 2002 13:01:23 -0800
On Sunday 13 January 2002 12:29 pm, email@example.com wrote:
> Quoting Tom Eastep <firstname.lastname@example.org>:
> > Ok -- what function does your DSL router play?
> The DSL router currently passes all traffic to a network switch, through
> which all hosts currently access the internet directly --- using only l=
> security measures (personal firewall, ipchains, etc.)
> > - From your ISP's point of view, does it act as the gateway to your /=
> > network?
> > - Does it physically interface to the phone line or is there a "dsl
> > modem"
> > outbound of it?
> Not sure what you mean here. It is a Cisco 678, connected to a dedicated
> (non-shared "dry pair") business circuit. LAN-side, it is attached to
> workgroup switch.
Ok -- It's unfortunate that you have a router rather than just a "DSL Modem"
since your Linux box is perfectly capable of acting as a router and the
router is just getting in the way.
> > > 2. Allowing any given host on that protected subnet to access just
> > > about any given type of VPN system at a variety client sites. (rules
> > > out
> > > NAT, necessarily)
> > That's a routing requirement, not a firewall requirement.
> By "allowing" I mean not interfering with "aggressive" VPN connections
> which NAT firewalls hose.
> > > 3. Having the gateway/firewall act as the VPN gateway connecting
> > > three
> > > remote office subnets together seamlessly.
> > Ditto.
> Given my intent to create a simple (relative term here) appliance that
> does both VPN management and filtering, I am concerned the two applications
> don't make life difficult for each other -- I wasn't sure if your comments
> in the doc would be show-stoppers...
> > Let's answer the questions about the DSL router first then I'll give
> > my
> > thoughts.
> I am looking forward to them :)
Ok. I'm assuming that eth0 is your interface to the DSL router -- if not,
reverse eth0 and eth1.
    net     Internet    The internet including your DSL router
    loc     Local       Local including the subnetworks accessed via IPSEC VPN
                        <124 entries> with "Yes" in the HAVEROUTE column
The firewall will let traffic pass freely between all IPSEC interfaces and
your local network (the "multi" allows traffic between the IPSEC interfaces).
All hosts in the local zone have unlimited access to the internet. No access
from internet to anything.
You will have to code /etc/shorewall/rules to specify what connections to
allow to/from your firewall.
Tom Eastep \ A Firewall for Linux 2.4.*
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ email@example.com
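Added example (not from Tom's message or the Shorewall project): one way the two-zone layout described above could be written out as Shorewall configuration files, assuming eth0 faces the DSL router, eth1 faces the local switch, and the FreeS/WAN tunnels appear as ipsec0. The column layouts shown (ZONE/DISPLAY/COMMENTS, ZONE/INTERFACE/BROADCAST/OPTIONS, SOURCE/DEST/POLICY/LOG LEVEL) are assumptions about the Shorewall release in use; the "HAVEROUTE" column mentioned above is not reproduced because its file format is not shown in the thread.

```text
# /etc/shorewall/zones  (assumed layout: ZONE  DISPLAY  COMMENTS)
net     Internet    The internet including the DSL router
loc     Local       Local LAN plus the subnets reached over the IPSEC tunnels

# /etc/shorewall/interfaces  (assumed layout: ZONE  INTERFACE  BROADCAST  OPTIONS)
net     eth0        detect
loc     eth1        detect
loc     ipsec0      -           multi

# /etc/shorewall/policy  (assumed layout: SOURCE  DEST  POLICY  LOG LEVEL)
loc     net         ACCEPT
net     all         DROP        info
all     all         REJECT      info
```

The policy file encodes the three statements in the reply: the local zone (LAN and IPSEC subnets together) may reach the internet freely, nothing inbound from the internet is accepted, and anything not covered (including connections to and from the firewall itself) is refused and logged until an explicit entry is added to /etc/shorewall/rules. Placing ipsec0 in the loc zone with "multi" is what lets the remote-office subnets and the LAN exchange traffic without per-subnet rules.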