[Shorewall-users] LAN server config?

Jim Hubbard jimh@xlproject.com
Mon, 28 Jan 2002 23:10:05 -0500


Tom,
I have a router at home running Shorewall doing great, and I want to
install
it on our file/web/mail server at work too.  Problem is, I can't afford
much downtime futzing around with it.  Can you recommend some Shorewall
settings?  Here are the particulars:

1. The server is behind a hardware security router/switch (Netgear
RO318) which forwards ports 80, 25, & 110 requests to it that come in
from the Internet over our RoadRunner cable modem.

2. The server has a single network card, a static ip (192.168.0.13), and
is plugged into the security router just like every other box on the
lan.

3. The server runs a webserver on port 80 and a mailserver/pop3 MTA
(both available to the internet and the lan).  For the lan, it runs
SAMBA, SWAT (port 901), and Webmin (port 10000), the last 2 only
accessible from 192.168.0.10.  The server mounts an NFS share on a Snap!
server at boot time (nightly backups are sent there).  The server needs
access to the internet to get NTP time sync info, to get RedHat updates,
and to update our IP address with DynDNS.  Everyone on the lan syncs
time to the server using the time server feature in SAMBA.

4. The lan addresses are all 192.168.0.0/24; some of them are assigned
by
the dhcp service that the security router provides, and some are
statically assigned.

The hardware router was used because at the time, it was simply a
Windoze only lan that needed access to the Internet.  Theoretically, the
router provides stateful packet inspection and protection against common
threats.  We haven't had any breaches I'm aware of (yet).  I added the
linux server later on just to play with, but now that I've got 3 ports
hanging out in the breeze, I'm concerned that the hardware router might
let something through, or that a virus could get loose on the lan and do
some damage from the inside (my users are clueless).

I realize this configuration is somewhat less than ideal.  In the
future, I plan on replacing the hardware router with a Linux system
using 3 NIC's to effectively separate Internet, LAN, and a DMZ, but for
now I need to work with what I've got.

Right now, the server has NO firewall except what is provided by the
router, so almost anything would be an improvement.  Would it help to
configure the server's single NIC to have more than 1 IP?  If so, how?

Thanks in advance for any suggestions, and thanks again for a great
piece of software.  Linux newbies like me would be lost without people
like you making it relatively easy.

Sincerely,
Jim Hubbard
jimh@dyersinc.com