Michael D Schleif wrote:
| I have the following network on a T-1:
|
| network: 67.63.3.80 /28
| gateway: 67.63.3.81
| bering: 67.63.3.82
| broadcast: 67.63.3.95
|
| How can I set up Bering-uClibc/Shorewall to utilize all of the following
| addresses as DMZ:
|
| 67.63.3.83 - 67.63.3.94
|
| I have never set up a network like this before, and I am sure that I am
| missing something simple.
|
| What do you think?
I've got a similar network setup, except with DSL instead of a T1. I use
proxy-arp to split the upstream network into two DMZs. See the shorewall
docs on setting up a proxy-arp dmz firewall, and be careful with your routing.
Config file details below...some general notes on my configuration:
- I use different IP addresses for the three public interfaces (upstream and
two DMZ IF's) due to running ipsec, which gets confused if multiple
interfaces have the same IP. If you're not running IPSec (or if they've
fixed this issue), you can give the DMZ interface(s) the same IP as your
upstream NIC, and save an IP (or two, or three :).
- I create the routing rules required for proxy-arp via a script in the
/etc/network/if-up.d directory. You don't need a corresponding down script,
as the routes are automatically removed when the interface goes down.
- Proxy-arp is enabled by shorewall (see interfaces file)
- My shorewall proxy-arp file is empty (which seems counter-intuitive, but
is correct for this sort of setup).
- I have two internal subnets (wired and wireless LAN) that are masqueraded
to all public interfaces (upstream port, two DMZs, and a (currently unused)
secondary upstream link), as well as each other.
Interesting config file snippets:
# cat /etc/network/interfaces
# /etc/network/interfaces -- configuration file for LEAF network
# J. Nilo, April 2002
#
# Loopback interface.
auto lo
iface lo inet loopback

# eth0: upstream link (public /28)
auto eth0
iface eth0 inet static
    address 65.16.44.210
    masklen 28
    broadcast +
    gateway 65.16.44.209

# eth1: wired LAN
auto eth1
iface eth1 inet static
    address 10.34.1.1
    masklen 24
    broadcast +

# eth2: first proxy-arp DMZ (csdmz)
auto eth2
iface eth2 inet static
    address 65.16.44.211
    masklen 28
    broadcast +

# eth3: second proxy-arp DMZ (ntdmz)
auto eth3
iface eth3 inet static
    address 65.16.44.216
    masklen 28
    broadcast +

# eth4: secondary upstream link (currently unused)
auto eth4
iface eth4 inet static
    address 216.171.153.130
    masklen 26
    broadcast +

# eth5: wireless LAN
auto eth5
iface eth5 inet static
    address 192.168.0.1
    masklen 24
    broadcast +
# cat /etc/network/if-up.d/routes
#!/bin/sh
# Run by ifup/ifdown with $MODE (start|stop) and $IFACE set in the environment.
case "$MODE" in
    start) CMD=add ;;
    stop)  CMD=del ;;
esac

# On the way up, drop the connected /28 that ifup installed on a DMZ
# interface; the /29 routes added below must be the only routes on eth2/eth3.
[ "$MODE" = start ] && case "$IFACE" in
    eth0) ;;
    eth1) ;;
    eth2) ip route flush dev $IFACE ;;
    eth3) ip route flush dev $IFACE ;;
    *) ;;
esac

# Host route to the gateway on the upstream NIC (more specific than the
# eth2 /29, which also contains .209), then one /29 per DMZ interface.
case "$IFACE" in
    eth0) ip route $CMD 65.16.44.209 dev $IFACE ;;
    eth1) ;;
    eth2) ip route $CMD 65.16.44.208/29 dev $IFACE ;;
    eth3) ip route $CMD 65.16.44.216/29 dev $IFACE ;;
    *) ;;
esac
# cat /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter,norfc1918,proxyarp
loc     eth1        detect
csdmz   eth2        detect      proxyarp
ntdmz   eth3        detect      proxyarp
net2    eth4        detect      routefilter,norfc1918
wlan    eth5        detect
txvpn   ipsec0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

# cat /etc/shorewall/proxyarp
#ADDRESS   INTERFACE   EXTERNAL   HAVEROUTE
# NOTHING TO SEE HERE...MOVE ALONG
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

# cat /etc/shorewall/masq
#INTERFACE   SUBNET   ADDRESS
eth0         eth1
eth2         eth1
eth3         eth1
eth4         eth1
eth5         eth1
eth0         eth5
eth2         eth5
eth3         eth5
eth4         eth5
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
HTH, holler with any questions...
--
Charles Steinkuehler
[EMAIL PROTECTED]
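The "be careful with your routing" caveat above, worked through in code. This is an added example, not code from the post or from LEAF/Shorewall: it models the routes the if-up.d script leaves behind with Python's ipaddress module, resolves addresses by longest-prefix match the way the kernel does, and shows what happens to the gateway if the eth0 host route is left out. It also splits the non-aligned .83-.94 block from the question into the prefixes a DMZ route would need. The interface names and addresses are the ones quoted in the thread, reused here as test data.

```python
import ipaddress
from ipaddress import IPv4Address, IPv4Network

def route_table(upstream_net, gateway, upstream_if, dmz_routes, host_route=True):
    """Routes as the if-up.d script leaves them: the connected prefix on the
    upstream NIC, a /32 to the gateway (host_route=False models forgetting
    that line) and one entry per (prefix, iface) pair in dmz_routes."""
    table = [(IPv4Network(upstream_net), upstream_if)]
    if host_route:
        table.append((IPv4Network(f"{gateway}/32"), upstream_if))
    table += [(IPv4Network(p), ifc) for p, ifc in dmz_routes]
    return table

def egress_iface(table, addr):
    """Longest-prefix match as the kernel does it.  Returns 'ambiguous' when
    two different interfaces tie on prefix length (in reality that depends on
    insertion order, which is exactly the surprise to avoid)."""
    ip = IPv4Address(addr)
    hits = sorted(((n.prefixlen, i) for n, i in table if ip in n), reverse=True)
    if not hits:
        return None
    if len(hits) > 1 and hits[0][0] == hits[1][0] and hits[0][1] != hits[1][1]:
        return "ambiguous"
    return hits[0][1]

def dmz_prefixes(first, last):
    """Smallest CIDR set covering a range that is not prefix-aligned, like
    .83-.94 in the question; each one becomes a route on the DMZ interface."""
    rng = ipaddress.summarize_address_range(IPv4Address(first), IPv4Address(last))
    return [str(n) for n in rng]

def audit(table, expected):
    """Check a table against {address: intended interface}; returns the
    mismatches as (address, wanted, got) tuples, empty when all is well."""
    return [(a, want, egress_iface(table, a))
            for a, want in expected.items() if egress_iface(table, a) != want]

if __name__ == "__main__":
    # Charles's layout from the post: /28 upstream, two /29 DMZ routes.
    dmz = [("65.16.44.208/29", "eth2"), ("65.16.44.216/29", "eth3")]
    good = route_table("65.16.44.208/28", "65.16.44.209", "eth0", dmz)
    bad = route_table("65.16.44.208/28", "65.16.44.209", "eth0", dmz, host_route=False)
    want = {"65.16.44.209": "eth0", "65.16.44.212": "eth2", "65.16.44.220": "eth3"}
    print("with host route:   ", audit(good, want))   # []
    print("without host route:", audit(bad, want))    # gateway now exits via eth2
    print("Michael's DMZ block:", dmz_prefixes("67.63.3.83", "67.63.3.94"))
```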
------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html