[Shorewall-users] Advice needed

Tom Eastep teastep at shorewall.net
Mon Dec 8 14:47:25 PST 2003


On Mon, 2003-12-08 at 14:40, Carlos Cajina - Hotmail wrote:

> 
>     Based on Shorewall docs, I've come up with some ideas to implement the firewall:
> 
>     - The firewall box should have just one NIC since both the internal and external interfaces shouldn't be connected to the same switch in a production environment.
>     - I might use Aliased Interfaces to segment the current subnet being used and filter traffic between them and to/from other LANs and the Internet.
>     - This is more a question than an idea: Is it possible to configure Shorewall as in the one-interface example, use the firewall box IP address as the gateway value for the boxes that are to be filtered, and filter local traffic by blacklisting selected IP addresses?
> 
>     I'm pretty sure that what I want is to have some sort of gateway/filter. Is Shorewall suited for such a thing? If so, I'll be more than happy to read some ideas on how to do it ... in the meantime, I'll try what I've come up with so far to see what happens...
> 

What you are proposing provides no real security. The only way to
provide real security (inbound or outbound) is to place the firewall
physically between your local systems and the internet; anything else is
just security by obscurity.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
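Tom's objection is that a firewall whose "inside" and "outside" are aliases on one NIC sits on the same physical segment as the hosts it is meant to protect, so traffic can reach the upstream router without ever crossing it. The following check is an added example (not Shorewall's own tooling and not from either poster): it parses a Shorewall-style interfaces file, collapses aliases such as eth0:1 back to their physical NIC, and flags any NIC that carries more than one zone. The column layout `ZONE INTERFACE BROADCAST OPTIONS`, the `#` comment convention and the two sample files are assumptions constructed for the example.

```python
"""Flag Shorewall zones that share one physical NIC.

A zone layout where 'net' and 'loc' both live on eth0 (via aliases) is the
single-NIC design discussed in the thread: hosts in both zones share a
layer-2 segment with the upstream router, so the firewall is not physically
in the path.  This script reports such layouts from the interfaces file.

Assumptions (constructed for this example, not taken from the message):
  * columns are 'ZONE  INTERFACE  BROADCAST  OPTIONS', whitespace separated
  * '#' starts a comment
  * an alias is written as <nic>:<n>
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: the single-NIC, aliased layout the question proposes.
SINGLE_NIC_CONFIG = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter
loc     eth0:1      detect
dmz     eth0:2      detect
"""

# Constructed sample: a two-interface layout with the firewall in the path.
TWO_NIC_CONFIG = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter
loc     eth1        detect
"""


def physical_nic(iface: str) -> str:
    """Strip an alias suffix: 'eth0:1' -> 'eth0', 'eth1' -> 'eth1'."""
    return iface.split(":", 1)[0]


def parse_interfaces(text: str) -> List[Tuple[str, str]]:
    """Return (zone, interface) pairs, ignoring comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing/full-line comments
        if not line:
            continue
        cols = line.split()
        if len(cols) < 2:
            continue                          # malformed line: skip, don't guess
        pairs.append((cols[0], cols[1]))
    return pairs


def shared_nics(text: str) -> Dict[str, List[str]]:
    """Map each physical NIC carrying more than one zone to its zone list."""
    by_nic = defaultdict(list)
    for zone, iface in parse_interfaces(text):
        by_nic[physical_nic(iface)].append(zone)
    return {nic: zones for nic, zones in by_nic.items() if len(zones) > 1}


def report(text: str) -> List[str]:
    """Human-readable findings, one per offending physical NIC."""
    findings = []
    for nic, zones in sorted(shared_nics(text).items()):
        findings.append(
            f"{nic} carries zones {', '.join(zones)}: these zones share one "
            "physical segment, so traffic between them and to the upstream "
            "router does not have to pass through the firewall."
        )
    return findings


if __name__ == "__main__":
    for name, cfg in (("single-NIC", SINGLE_NIC_CONFIG), ("two-NIC", TWO_NIC_CONFIG)):
        print(f"== {name} ==")
        for line in report(cfg) or ["no physical interface carries more than one zone"]:
            print(" ", line)
```

Run it against a real `/etc/shorewall/interfaces` by reading the file into `report()`; an empty result means every zone has its own physical NIC, which is the precondition Tom describes for the firewall actually being between the local systems and the Internet.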