Hi Alex,


I'm in the same situation with a Proxmox server at a provider. First I did a
configuration similar to yours, but now I have 7 public IP addresses and am
trying to configure Proxy ARP. I made my notes in a Word doc
(http://www.mediafire.com/?95ewi61jv8spa1k ) to remember the different settings.
Feel free to see if my notes can help you. NB! It's just the first section I
got to work! The other stuff is just working material…



I was following different guides on the net on how to configure Shorewall and
Proxmox, but I can't say I understand everything in detail…





With kind regards / Best regards

Måns Åman

Riverman
Fogdev. 40
S-128 41 BAGARMOSSEN

Tel: +46 (0)8 50004424   Mob: +46 (0)76 3077101
Norway: +47 21608106     UK: +44 (0)8450045468



From: Alex Athanasopoulos [mailto:a...@melato.org]
Sent: 28 December 2011 17:08
To: Shorewall Users
Subject: Re: [Shorewall-users] How to install Shorewall on a remote system...



Good questions.  In this case, the server runs Proxmox and contains multiple
OpenVZ containers.
I only have one public IP address and the packet filter does other things
besides being a firewall:
* It implements NAT for the containers, so they can have internet access.
* It allows me to forward different services to different containers, for
example forward SMTP traffic to a mail container, HTTP traffic to a reverse
HTTP proxy container, etc.
* I can ssh directly from my home to any of the containers, by port
forwarding different ports to the ssh port of each container.  That way I
use the hardware node less and it's less susceptible to being compromised.
* I can have a community web site in its own container, and give others
root access to it without giving them any access to the rest of the server.
My whole reason for getting this server was to host a busy community site
while keeping some of the machine for myself.  Maybe this is all overkill,
but it's interesting.

Just the NAT and port-forwarding alone are worth the effort of installing
Shorewall.  It took me several hours to figure this out by using iptables
alone.  And since, besides these other things, Shorewall includes a
"firewall", why not use it?

So you are right, my firewall needs may not be great, but this setup allows
me to be a bit more security-oriented.
I was prompted to install Shorewall by a mail-server-setup tutorial.

Incidentally, is a setup like this trustworthy, e.g. for using one of these
containers for my private personal files, or is it "like raising foxes in
the corner of your hen house" (FAQ 2)?  I personally do not trust it yet,
but I may change my mind as I get more experience.

I would also like to add that in a home network, a modern modem-router acts
as a firewall anyway, so why would one use a second firewall on top of that?
I've logged into my home router and I see that it has quite an elaborate
iptables configuration.

-Alex

On Wed, Dec 28, 2011 at 4:36 PM, Jan Kohnert
<nospam001-li...@jankoh.dyndns.org> wrote:

Let me ask you a question: If you only have a rented server serving
services to the outside world, why would you intend to use a packet
filter? (Don't confuse a packet filter like iptables with a *real*
firewall where you would have to think about stuff like IDS, proxies
and so on.)

1. Services which need to serve the outside world *cannot* be protected
by a packet filter, as you have to set the rules to ACCEPT for that
service. You have to take care of the security within the service.


Yes, but the rest of the containers can be protected from these vulnerable
services.


2. Services which don't need to serve the outside world *must* *not*
listen to it, so they don't need a packet filter blocking access to
them. The packet filter just puts another layer of software around
closed ports, and as _every_ piece of software tends to have bugs,
setting up an unneeded packet filter may cause more problems than it
solves.


Since I haven't written the services that I use, I don't know exactly what
they do with my network. A packet filter is a tool to supervise these
services.
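Alex's single-public-IP layout (NAT for the containers plus one DNAT per forwarded service) written out as an added example of Shorewall configuration; it is not configuration from either poster or from the Shorewall project. The container subnet 10.0.0.0/24, the container addresses, venet0 as the container-side interface and 203.0.113.0/24 as the admin ("home") network are assumptions.

```text
# /etc/shorewall/zones  (zone names are assumed: "net" = Internet, "vz" = containers)
#ZONE   TYPE
fw      firewall
net     ipv4
vz      ipv4

# /etc/shorewall/interfaces
# eth0 carries the single public IP; venet0 is assumed as the OpenVZ side
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter
vz      venet0      -           routeback

# /etc/shorewall/policy  (deny by default, log what is dropped)
#SOURCE DEST    POLICY  LOG LEVEL
vz      net     ACCEPT
fw      all     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/masq  (NAT: containers in 10.0.0.0/24 leave via eth0's public IP)
#INTERFACE  SOURCE
eth0        10.0.0.0/24

# /etc/shorewall/rules  (container addresses are assumed)
#ACTION       SOURCE              DEST               PROTO   DEST PORT(S)
# public services go to the container that runs them: SMTP to the mail
# container, HTTP/HTTPS to the reverse-proxy container
DNAT          net                 vz:10.0.0.10       tcp     25
DNAT          net                 vz:10.0.0.11       tcp     80,443
# one external port per container, each rewritten to that container's sshd,
# and only from the admin network, so no public ssh reaches the hardware node
DNAT          net:203.0.113.0/24  vz:10.0.0.10:22    tcp     2210
DNAT          net:203.0.113.0/24  vz:10.0.0.11:22    tcp     2211
# the hardware node itself accepts ssh only from the admin network
SSH(ACCEPT)   net:203.0.113.0/24  $FW
# containers may reach the node's DNS only (assumed); everything else
# from vz to fw falls through to the REJECT policy and is logged
DNS(ACCEPT)   vz                  $FW
```

Running `shorewall check` before `shorewall restart` validates the files without touching the live rule set, which matters on a remote box with a single management path.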



