[Shorewall-users] Advice needed

Carlos Cajina - Hotmail cecajina at hotmail.com
Mon Dec 8 17:19:25 PST 2003


Thanks A LOT for the quick answer Tom... What I'll try to do then is
(physically) place the firewall between the switches and the router and set
up Shorewall as in the two-interface example. I'll use the currently active
subnet for the internal interface and the other for the external interface.

Just out of curiosity: What do you mean by "security by obscurity"? What
would be Shorewall's behavior in a situation like the one I previously
described?

Thanks again.

    Carlos

----- Original Message ----- 
From: "Tom Eastep" <teastep at shorewall.net>
To: "Mailing List for Experienced Shorewall Users"
<shorewall-users at lists.shorewall.net>
Sent: Monday, December 08, 2003 4:47 PM
Subject: Re: [Shorewall-users] Advice needed


> On Mon, 2003-12-08 at 14:40, Carlos Cajina - Hotmail wrote:
>
> >
> >     Based on Shorewall docs, I've come up with some ideas to implement
> > the firewall:
> >
> >     - The firewall box should have just one NIC since both the internal
> > and external interfaces shouldn't be connected to the same switch in a
> > production environment.
> >     - I might use Aliased Interfaces to segment the current subnet being
> > used and filter traffic between them and to/from other LANs and the Internet.
> >     - This is more a question than an idea: Is it possible to configure
> > Shorewall as in the one-interface example, use the firewall box IP address
> > as the gateway value for the boxes that are to be filtered, and filter local
> > traffic by blacklisting selected IP addresses?
> >
> >     I'm pretty sure that what I want is to have some sort of
> > gateway/filter. Is Shorewall suited for such a thing? If so, I'll be more
> > than happy to read some ideas on how to do it ... in the meantime, I'll try
> > what I've come up with so far to see what happens...
> >
>
> What you are proposing provides no real security. The only way to
> provide real security (inbound or outbound) is to place the firewall
> physically between your local systems and the internet; anything else is
> just security by obscurity.
>
> -Tom
> -- 
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep at shorewall.net
>
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users at lists.shorewall.net
> Subscribe/Unsubscribe:
> https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>
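The layout Carlos says he will try (firewall box physically between the LAN switches and the router, two interfaces, the existing subnet inside and the second subnet outside) is, as an added example that is not part of this post or of the Shorewall project's own documentation, a minimal two-interface Shorewall configuration in the 1.4-era file format. Interface names (eth0 towards the router, eth1 towards the switches), the decision to log and DROP unsolicited traffic from the net zone, and the two ssh/ping exceptions in `rules` are assumptions; because Carlos describes two routed subnets rather than NAT, no `masq` file is written. The function takes a target directory so it can be dry-run into a scratch directory before being applied to /etc/shorewall.

```shell
#!/bin/sh
# Added example (not from the list post or the Shorewall docs): write a
# minimal Shorewall two-interface configuration for a firewall box that
# sits physically between the LAN switches and the router.
#
# Assumptions (adjust to the real box): eth0 faces the router ("net"),
# eth1 faces the internal switches ("loc"); the firewall itself is the
# implicit "fw" zone.  The ssh and ping rules are illustrative only.

write_shorewall_two_interface() {
    dir="${1:-/etc/shorewall}"
    mkdir -p "$dir"

    # zones: one zone per side of the box.
    cat > "$dir/zones" <<'EOF'
#ZONE   DISPLAY     COMMENTS
net     Net         Internet side, towards the router
loc     Local       Internal LAN behind the firewall
EOF

    # interfaces: 'routefilter' drops packets that arrive on an interface
    # the routing table would not use to reach their source address, so a
    # host on eth1 cannot pretend to be an Internet source (and vice versa);
    # 'tcpflags' rejects illegal TCP flag combinations.
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter,tcpflags
loc     eth1        detect      routefilter,tcpflags
EOF

    # policy: the LAN and the firewall may go out; anything unsolicited
    # from the net zone is dropped and logged; everything else rejected.
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
fw      net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF

    # rules: exceptions to the policies above (assumed: ssh and ping to
    # the firewall from the LAN, ping from outside).
    cat > "$dir/rules" <<'EOF'
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT  loc     fw      tcp     22
ACCEPT  loc     fw      icmp    8
ACCEPT  net     fw      icmp    8
EOF
}

# Usage on the firewall box, then validate before starting:
#   write_shorewall_two_interface /etc/shorewall && shorewall check
# Or dry-run into a scratch directory first:
#   write_shorewall_two_interface /tmp/shorewall-test
```

With this layout every packet between the internal subnet and the router has to traverse the box, which is the property Tom's reply insists on; a host on the inside cannot route around the filter by changing its default gateway, because there is no other path. Run `shorewall check` after writing the files to catch column or syntax mistakes before `shorewall start`.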
