[Shorewall-users] Optimal Setup

Tyler Davis tdavis at sonicdev.com
Wed Apr 7 11:14:47 PDT 2004


This was the exact reply I was looking for.

My testing environment is extremely limited, so I wasn't sure the rules would
work properly like that with multiple public ip's. So it appears as long as
they are configured properly in the nat file then all outgoing traffic is
routed properly and one set of rules will work.

Thanks!

-------------------------------------------
Tyler Davis
Sonic Development 
tdavis at sonicdev.com
-------------------------------------------
Non scholae, sed vitae discimus.


-----Original Message-----
From: shorewall-users-bounces at lists.shorewall.net
[mailto:shorewall-users-bounces at lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Wednesday, April 07, 2004 12:47 PM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Optimal Setup

Tyler Davis wrote:
> Hi,
> 
> I'm new to shorewall and have been playing around with it for a few 
> days and am about to deploy it.
> 
> My network consists of 20 servers, each of them running a web/ftp 
> server and email server and each with its own public ip.
> 
> Currently I've got all the external and internal ip's mapped in the 
> nat config file.
> So my question is, what is the best way to set up the rules config file 
> and keep it clean?
> Is the best way to simply create www,ftp,email rules for each of the 
> 20 public ip's ?

Why? Are there different firewalling requirements for the different servers?
Why won't:

	ACCEPT	net	loc	tcp	www,ftp,smtp

work?
> 
> I'm also concerned about getting the rules set up properly so the 
> outgoing connections use the appropriate public IP address.

a) Do the servers really have different firewalling requirements for
outbound connections?

b) Entries in the rules file can't change the public IP address used for
outbound traffic from behind the firewall unless you use DNAT rules with an
SNAT address (which would be a ridiculous thing to do in your case).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net

