Arjun Kaul arjun_kaul007 at hotmail.com
Sat Oct 4 20:20:50 PDT 2003

Hi! I have recently implemented a 3-interface Shorewall firewall in my web
application. It was a breeze to set up thanks to Tom and the extensive
documentation. I am using ProxyARP since it was easy to set up and preferred
by Tom. So far there have not been any performance problems. I have 2
servers in the DMZ with public IPs, which are Win2k servers, one of them
running the application server which opens a lot of software ports to the
world besides 80, 443 and 25. The application server needs to be
communicating constantly via ODBC with a SQL 2000 DB which is in the LOC.

Thanks to the various options available, I have managed to keep the accesses
really tight in terms of terminal services etc.

But I was wondering if there was an inherent flaw in my design by keeping
the application server in the DMZ, since if it gets compromised there is a
direct connection from it to the LOC zone.

Secondly, I am wondering if it would be better to use DNAT rather than
direct connections between zones e.g.

DNAT      dmz            loc:     tcp     6500

ACCEPT    dmz            loc      tcp     1433

The advantage with the former is that I can deny all incoming connections
from the DMZ to the LOC zone and only allow connections through the firewall. But
would there be any performance considerations with the former?


Is it in the best interest to move the application server from the DMZ to the
LOC zone and use DNAT for all incoming requests on the firewall to go to the
application server, but would performance be hindered by doing that? I have
applied all the patches/fixes on the Windows boxes but am not sure about the
application-specific ports, as the software is a third party's.

The firewall runs Red Hat 9.0 and a custom compiled monolithic kernel 2.4.22
and Shorewall 1.4.6c. Hardware is 512MB RAM on a P4 1.7 GHz.

Thanks in advance for any suggestions/comments
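An added example, not from this post or from the Shorewall project's own files: Shorewall 1.4-style policy and rules fragments contrasting the options asked about above, with the dmz->loc policy closed by default and only the application server allowed to reach the SQL server. All host addresses are constructed placeholders, and the DEST column of a DNAT rule carries the address the connection is redirected to (the `loc:` in the post leaves that out).

```conf
# /etc/shorewall/policy  (columns: SOURCE DEST POLICY LOG LEVEL)
# Close dmz->loc by default so a compromised DMZ host gets nothing except
# what the rules below open explicitly, and log whatever else it tries.
loc     net     ACCEPT
dmz     net     ACCEPT
dmz     loc     DROP    info
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules  (columns: ACTION SOURCE DEST PROTO DEST PORT(S))
# Placeholder addresses: 203.0.113.10 = application server (public IP via
# ProxyARP), 192.168.1.20 = SQL 2000 server in loc, 192.168.1.10 = the
# application server if it is moved into loc.
#
# Option A - direct connection, pinned to the two hosts and the one port
# instead of "ACCEPT dmz loc tcp 1433" for the whole zone.
ACCEPT  dmz:203.0.113.10    loc:192.168.1.20        tcp     1433
#
# Option B - DNAT through the firewall: the application server's ODBC DSN
# points at the firewall's dmz-side address on port 6500 and the firewall
# rewrites the destination to the SQL server on 1433. Use A or B, not both.
# The SQL server's address is no longer visible from the DMZ, but a
# compromised application server can still reach 1433 through the forwarded
# port, so B reduces exposure rather than removing the path.
DNAT    dmz:203.0.113.10    loc:192.168.1.20:1433   tcp     6500
#
# Option C - application server moved into loc and published with DNAT on
# connections arriving at the firewall's net-side address; the SQL
# connection then stays inside loc and needs no dmz->loc rule at all.
DNAT    net     loc:192.168.1.10    tcp     80
DNAT    net     loc:192.168.1.10    tcp     443
DNAT    net     loc:192.168.1.10    tcp     25
```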