Charles,

Thanks for this.  I didn't expect to get an answer from the author of
Dachstein etc.

I'll let all know how I fare.

Bill Dudley


On 11/5/10, Charles Steinkuehler <char...@steinkuehler.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 11/4/2010 8:11 PM, wfdudley wrote:
>> I'll stop being grumpy now.
>>
>> I was just dismayed that the docs for this are, um, more diffuse than my
>> old
>> LRP install.
>>
>> I'd suggest that the floppy is way past its time, and now it's time to
>> make a LRP
>> release that assumes real storage, like a 250Meg CF card, or other solid
>> state
>> "disk drive".  Then you can have the docs, a real editor, even a real GUI
>> if
>> somebody gets ambitious and codes it up.
>>
>> So: my REAL problem.
>>
>> My ISP (and my employer) gives me a block of 16 public IP addresses.
>> xxx.xxx.xxx.16/28
>> xxx.xxx.xxx.17 is the pipeline
>> xxx.xxx.xxx.18 is the WAN port on the firewall
>> The LAN port is 192.168.1.254, for laptops, Winders boxes, other stuff
>> without fixed
>> address
>> The DMZ port is xxx.xxx.xxx.16/28.  The current LRP/Dachstein uses Proxy
>> Arp
>> (not bridging, I was mistaken, the m0n0wall does bridged firewall) so that
>> the
>> servers on the DMZ have some ports visible to the outside world.
>>
>> The shorewall docs say "use the three port example -- unless you've got
>> multiple
>> IPs, in which case, never mind, you'll have to read all the docs".
>> I'm paraphrasing,
>> obviously.  This is about when I threw up my hands.
>
> This is virtually identical to my setup here (one reason you probably
> find the DachStein scripts easy to use...I set them up to do pretty much
> exactly what you want).  While I have migrated from leaf to a minimal
> debian install, I still use shorewall to create and control my firewall.
>  Tom has made this *MUCH* easier and more flexible than the scripts I
> crafted back in the *Stein days.
>
> I believe part of your problem is you are trying to make things harder
> than they really are.  In my setup, I use the network setup scripts (ie:
> /etc/network/interfaces and sub-scripts) to setup the basic routing,
> tell shorewall to turn on the proxy-arp flag, and that's about it.  The
> low-level network setup is identical to what you have to do for
> DachStein, you're just switching to the Shorewall scripts to craft the
> ipchains/iptables rules.
>
> To provide some concrete examples:
>
> Use /etc/network/interfaces to bring up two ports with identical IP
> address and network configuration, then use the routing tables to
> control which IP addresses appear on which interfaces:
>
> # Upstream link
> auto eth0
> iface eth0 inet static
>         address 70.184.225.178
>         netmask 255.255.255.240
>         gateway 70.184.225.177
>         # Proxyarp: Add specific routes to hosts on this nic
>         up ip route add 70.184.225.177/32 dev eth0
>
> # DMZ
> auto eth2
> iface eth2 inet static
>         address 70.184.225.178
>         netmask 255.255.255.240
>         # Proxyarp: Add specific routes to hosts on this nic
>         up ip route add 70.184.225.176/29 dev eth2
>         up ip route add 70.184.225.184/29 dev eth2
>
> Note there is a single host route (the /32) to the upstream gateway, and
> everything else is sent to the DMZ interface.  The two 'half network'
> routes (/29) on the DMZ interface are to override the /28 route which
> points to both interfaces and is created by default when you bring up
> the interface.
>
> Once your routing is in place, all you have to do in shorewall is add
> the proxyarp flag to the interface in the interfaces file:
>
> <snippet /etc/shorewall/interfaces>
> net     eth0   detect          proxyarp,tcpflags,blacklist,norfc1918
> loc     eth1   detect          dhcp
> dmz     eth2   detect          proxyarp
> </snippet>
>
> You can now freely create shorewall rules to allow traffic through the
> firewall, ie:
>
> <snippet /etc/shorewall/rules>
> ACCEPT  all  dmz:70.184.225.183  tcp  smtp,smtps,pop-3,imap2,imaps,www
> </snippet>
>
> - --
> Charles Steinkuehler
> char...@steinkuehler.net
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkzUHjoACgkQLywbqEHdNFx1LgCg6pc+tTAW+6kOLVE9Mb5DL24Z
> coUAn1I+NH9Usi0Q3eHYMCPxxDNTg9wZ
> =BJNV
> -----END PGP SIGNATURE-----
>
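The routing trick Charles describes above (a /32 host route to the upstream gateway on the WAN port, and two /29 "half network" routes on the DMZ port that beat the /28 connected route the kernel adds on both interfaces) can be checked without touching a real box. The block below is an added example, not code from Charles's post or from the LEAF/Shorewall projects: it derives those routes from the public block with Python's standard `ipaddress` module, models the resulting table the way the kernel sees it, and resolves destinations by longest-prefix match. The addresses are the ones from his interfaces stanza; the function names (`proxyarp_routes`, `routing_table`, `lookup`, `ip_route_commands`) are my own. It generalises beyond the /28 case: any block size gets the same one-bit-longer split.

```python
import ipaddress


def proxyarp_routes(block, gateway, wan_if="eth0", dmz_if="eth2"):
    """Derive the explicit routes for a proxy-ARP DMZ that shares its public
    block with the WAN side: a host route for the upstream gateway on the
    WAN interface, and the two "half network" routes (one bit longer than
    the block) on the DMZ interface.  Returns (prefix, interface) tuples."""
    net = ipaddress.ip_network(block)          # strict: must be a network address
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is not inside {net}")
    routes = [(f"{gw}/{net.max_prefixlen}", wan_if)]
    for half in net.subnets(prefixlen_diff=1):  # /28 -> two /29s
        routes.append((str(half), dmz_if))
    return routes


def routing_table(block, gateway, firewall_ip, wan_if="eth0", dmz_if="eth2"):
    """Model the kernel's view after ifup: the firewall's own address (local
    table), the connected block that ifup creates on BOTH interfaces (useless
    on its own, it points two ways), the proxy-ARP overrides, and a default
    route out the WAN interface."""
    net = ipaddress.ip_network(block)
    fw = ipaddress.ip_address(firewall_ip)
    if fw not in net or fw == ipaddress.ip_address(gateway):
        raise ValueError(f"firewall address {fw} must be in {net} and not the gateway")
    table = [(f"{fw}/{net.max_prefixlen}", "lo")]      # our own address is local
    table += [(str(net), wan_if), (str(net), dmz_if)]   # connected routes from ifup
    table += proxyarp_routes(block, gateway, wan_if, dmz_if)
    table.append(("0.0.0.0/0", wan_if))                 # default via the gateway
    return table


def lookup(table, dest):
    """Longest-prefix match over the modelled table, as the kernel's FIB does.
    Returns the egress interface name, or None if nothing matches."""
    d = ipaddress.ip_address(dest)
    best_len, best_if = -1, None
    for prefix, iface in table:
        n = ipaddress.ip_network(prefix)
        if d in n and n.prefixlen > best_len:
            best_len, best_if = n.prefixlen, iface
    return best_if


def ip_route_commands(block, gateway, wan_if="eth0", dmz_if="eth2"):
    """Render the routes as the 'up ip route add ...' lines that belong in
    /etc/network/interfaces."""
    return [f"ip route add {p} dev {i}"
            for p, i in proxyarp_routes(block, gateway, wan_if, dmz_if)]


if __name__ == "__main__":
    BLOCK, GW, FW = "70.184.225.176/28", "70.184.225.177", "70.184.225.178"
    for cmd in ip_route_commands(BLOCK, GW):
        print(cmd)
    tbl = routing_table(BLOCK, GW, FW)
    for dest in (GW, FW, "70.184.225.183", "70.184.225.190", "8.8.8.8"):
        print(f"{dest:>16} -> {lookup(tbl, dest)}")
```

Running it shows why the two /29s are needed: without them, a DMZ host such as .183 matches only the /28, which exists on both eth0 and eth2, so the kernel would pick whichever connected route it installed first. With them, every address in the block except the gateway (/32 on eth0) and the firewall itself (local) resolves to eth2, and the gateway still resolves to eth0 because its /32 is longer than the /29 that also contains it.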

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
