[Shorewall-users] Advice needed

Carlos Cajina - Hotmail cecajina at hotmail.com
Mon Dec 8 16:40:00 PST 2003

Hi everyone.

    I have to set up a firewall to filter traffic between a LAN and the Internet by blacklisting local IP addresses. Current network set up is as follows:

    - There are multiple switches in the LAN connected to a router.
    - The router gives access to other corporate LANs and to the Internet.
    - The router is set up to route traffic from two different subnets from the same LAN.
    - Currently, there's only one subnet being used.
    - Every machine in the LAN (including the future firewall) is connected to a switch (could or couldn't be the same)
    - There are no filtering policies between corporate LANs.

    Based on Shorewall docs, I've come up with some ideas to implement the firewall:

    - The firewall box should have just one NIC since both the internal and external interfaces shouldn't be connected to the same switch in a production environment.
    - I might use Aliased Interfaces to segment the current subnet being used and filter traffic between them and to/from other LANs and the Internet.
    - This is more a question than an idea: Is it possible to configure Shorewall as in the one-interface example, use the firewall box IP address as the gateway value for the boxes that are to be filtered, and filter local traffic by blacklisting selected IP addresses?

    I'm pretty sure that what I want is some sort of gateway/filter. Is Shorewall suited for such a thing? If so, I'll be more than happy to read some ideas on how to do it ... in the meantime, I'll try what I've come up with so far to see what happens...

    Best regards,


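The single-NIC, gateway-plus-blacklist layout the post asks about, as an added example that is not part of the original message and not the Shorewall project's own code: a POSIX shell script that stages a minimal Shorewall configuration into a directory of your choice so the files can be reviewed before being copied into /etc/shorewall. The file formats (zones, interfaces, hosts, policy, rules, blacklist) and the `routeback`/`blacklist` interface options follow the Shorewall 1.4-era layout as I recall it and are assumptions to check against the documentation of the version actually installed; the subnet 192.168.1.0/24 and the blacklisted addresses are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the original post or of the Shorewall project.
# Stages a minimal single-NIC Shorewall configuration that blacklists local
# source addresses. File formats follow the Shorewall 1.4-era layout as
# assumed here; verify column names and options against your version's docs.
# All addresses below are constructed sample values.

LAN_NET="192.168.1.0/24"      # constructed: the one subnet currently in use
FW_IF="eth0"                  # the firewall box's single NIC
BLACKLISTED="192.168.1.50
192.168.1.51
192.168.1.64/28"              # constructed: hosts/ranges to be cut off

# Write the configuration files into directory $1 (a staging copy of
# /etc/shorewall that you can diff before copying it into place).
stage_shorewall_config() {
    dir="$1"
    mkdir -p "$dir"

    # Zones: "loc" is the LAN, "net" is everything reached via the router.
    # When zones overlap on one interface, list the most specific one first.
    cat > "$dir/zones" <<EOF
#ZONE   DISPLAY   COMMENTS
loc     Local     Hosts that point their default gateway at this box
net     Net       Internet and other corporate LANs, via the router
EOF

    # One interface; zone "-" means the hosts file decides the zone of each
    # packet. "routeback" (assumed option name) lets packets leave by the
    # interface they arrived on; "blacklist" enables the blacklist check for
    # packets arriving on this interface.
    cat > "$dir/interfaces" <<EOF
#ZONE   INTERFACE   BROADCAST   OPTIONS
-       $FW_IF      detect      routeback,blacklist
EOF

    cat > "$dir/hosts" <<EOF
#ZONE   HOST(S)                 OPTIONS
loc     $FW_IF:$LAN_NET
net     $FW_IF:0.0.0.0/0
EOF

    # Default deny from outside; the LAN may reach the net unless blacklisted.
    cat > "$dir/policy" <<EOF
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
fw        all    ACCEPT
net       all    DROP     info
all       all    REJECT   info
EOF

    # Only the LAN may administer the box itself.
    cat > "$dir/rules" <<EOF
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT    loc      fw     tcp     22
EOF

    # Source addresses or subnets dropped as soon as they arrive on $FW_IF.
    {
        echo "#ADDRESS/SUBNET   PROTOCOL   PORT"
        echo "$BLACKLISTED"
    } > "$dir/blacklist"

    # Settings that belong in shorewall.conf for this layout.
    cat > "$dir/shorewall.conf.fragment" <<EOF
IP_FORWARDING=On
BLACKLIST_DISPOSITION=DROP
BLACKLIST_LOGLEVEL=info
EOF
}

# Exit 0 if the entry $2 appears verbatim in $1/blacklist (exact match on
# the first column only; this does not expand CIDR ranges).
is_blacklisted() {
    awk -v a="$2" '$1 !~ /^#/ && $1 == a { found = 1 } END { exit !found }' "$1/blacklist"
}

# Usage: sh stage-shorewall.sh /path/to/staging-dir
if [ "$#" -gt 0 ]; then
    stage_shorewall_config "$1"
    echo "staged Shorewall files in $1"
fi
```

Two properties of this layout are worth keeping in mind when reading the staged files. First, the blacklist matches the source address of packets that actually arrive on the firewall's NIC, so it only governs traffic the hosts route through the box; a host on the same switch whose default gateway is set back to the router never touches the filter, which is why BLACKLIST_LOGLEVEL is set and why the router, not the firewall, remains the only true choke point. Second, because replies from the router go straight back to the hosts rather than through the box, the firewall sees one direction of most conversations; the `routeback` option handles the direction it does see, but state-based rules will behave differently from a two-NIC setup.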