[Shorewall-users] Advice needed

Carlos Cajina - Hotmail cecajina at hotmail.com
Tue Dec 9 10:55:34 PST 2003


> If your local subnet(s) use(s) public IP addresses then you probably want
> to start with the Shorewall Setup
> Guide (http://www.shorewall.net/shorewall_setup_guide.htm).

From the docs: "[...] you can configure your network [...] with one
additional twist; simply specify the 'proxyarp' option on all three firewall
interfaces in the /etc/shorewall/interfaces file."

Now, chances are that I'm not getting the whole thing right, but if I do as
stated above, the recommendation against connecting the internal and
external interface to the same hub or switch (except for testing) is still

I was planning to follow your advice about physically placing the firewall
between the switches and the router. The "thing" is, that the IPs in the
two available subnetworks are all public and I'm told not to use RFC1918

> > Just out of curiosity: What do you mean by "security by obscurity"? What
> > would be Shorewall's behavior in a situation like the one I previously
> > described?

From the docs: "When an ARP request for one of the firewall/router's IP
addresses is sent by another system connected to the hub/switch, all of the
firewall's interfaces that connect to the hub/switch can respond! It is then
a race as to which "here-is" response reaches the sender first."

Sorry, I should've read a little more... but now that I've done it, I have
more doubts :^)

Have a good day!

