Re: [gentoo-user] Setting up shorewall

2017-05-28 Thread Adam Carter
>
> I have two questions:
>
>
>
> 1. Is it feasible to have both Ethernets connect, directly or indirectly,
> to the same DSL modem/router? (Adam seemed to imply that he operates this
> way). The device is a Billion Bipac 8900AX R2, which can segregate LAN
> ports, but as far as I can see it can't assign different IP addresses to
> them.
>

What are you trying to achieve with that setup? In the general case, you
wouldn't do that.

>
>
> 2. How should I set up routing on the web server so that outgoing traffic
> from itself is routed as follows:
>
>
>
> (i) if the destination is in the 192.168.1.0/24 subnet, the packet should
> go out through enp2s0, and
>
> (ii) traffic to all other destinations goes out through enp1s0?
>


If server has an address on 192.168.1.0/24, then it has a "connected" route
automatically created by the OS, and that will be preferred over other
routes. No change required.

If the server is not directly connected to 192.168.1.0/24, then you will
need a static route to get to it. The gateway for that route will be an IP
address on a subnet that both the server and the router have an address on.
The router will also have an address on 192.168.1.0/24.


For (ii) you set the default route out that interface.
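Adam's point that the "connected" route wins over the default route is ordinary longest-prefix matching. As an added illustration (not part of the thread), here is a small Python model of that lookup run against a constructed `ip route show` table; the interface names come from the thread, the addresses and gateway are made up, and the second table shows the static-route case where the LAN is not directly connected.

```python
"""Model kernel route selection: the most specific matching prefix wins."""
import ipaddress

# Constructed `ip route show` output for the two-homed web server discussed
# above: enp1s0 carries the default route, enp2s0 is connected to the LAN.
# Addresses are made-up examples, not taken from the original messages.
CONNECTED_TABLE = """\
default via 192.168.0.1 dev enp1s0
192.168.0.0/24 dev enp1s0 proto kernel scope link src 192.168.0.10
192.168.1.0/24 dev enp2s0 proto kernel scope link src 192.168.1.10
"""

# Constructed table for the case where the server is NOT on 192.168.1.0/24
# and reaches it through a static route via a router it shares a subnet with.
STATIC_TABLE = """\
default via 192.168.0.1 dev enp1s0
192.168.0.0/24 dev enp1s0 proto kernel scope link src 192.168.0.10
192.168.1.0/24 via 192.168.0.1 dev enp1s0
"""


def parse_routes(text):
    """Parse `ip route show` style lines into (network, gateway, device)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        network = ipaddress.ip_network(dest, strict=False)
        gateway = fields[fields.index("via") + 1] if "via" in fields else None
        device = fields[fields.index("dev") + 1]
        routes.append((network, gateway, device))
    return routes


def select_route(routes, destination):
    """Return (device, gateway) of the most specific route covering destination."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    network, gateway, device = max(candidates, key=lambda r: r[0].prefixlen)
    return device, gateway


if __name__ == "__main__":
    for name, table in (("connected", CONNECTED_TABLE), ("static", STATIC_TABLE)):
        routes = parse_routes(table)
        for dst in ("192.168.1.20", "93.184.216.34"):
            print(name, dst, "->", select_route(routes, dst))
```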


Re: [gentoo-user] Setting up shorewall

2017-05-28 Thread Peter Humphrey
On Wednesday 29 Mar 2017 16:59:01 I wrote:

> [I have a] new web-server box [with] two Ethernet ports, which I want to
> connect as follows:
> 
> Port 1 (enp1s0) will be connected to [its own] port on my vDSL modem/
> router and be accessible from outside.
> 
> Port 2 (enp2s0) is connected to my LAN switch, which is connected in turn
> to another port on the vDSL modem. Once the server goes into service this
> interface will be down most of the time.

I have two questions:

1. Is it feasible to have both Ethernets connect, directly or indirectly, 
to the same DSL modem/router? (Adam seemed to imply that he operates this 
way). The device is a Billion Bipac 8900AX R2, which can segregate LAN 
ports, but as far as I can see it can't assign different IP addresses to 
them.

2. How should I set up routing on the web server so that outgoing traffic 
from itself is routed as follows:

(i) if the destination is in the 192.168.1.0/24 subnet, the packet should 
go out through enp2s0, and
(ii) traffic to all other destinations goes out through enp1s0?

There ought to be a simple addition to /etc/conf.d/net, but I can't see 
what, even after looking through several web resources, including these:

https://wiki.gentoo.org/wiki/Handbook:AMD64/Networking/Introduction et seq
https://wiki.gentoo.org/wiki/Static_Routing.

-- 
Regards
Peter


Re: [gentoo-user] Setting up shorewall

2017-03-30 Thread Peter Humphrey
On Thursday 30 Mar 2017 17:23:13 Adam Carter wrote:
> On Thu, Mar 30, 2017 at 2:59 AM, Peter Humphrey wrote:
> > Hello list,
> > 
> > I've been using shorewall happily for many years, but now I have a LAN
> > setup
> > that the docs seem not to cover. The new web-server box I mentioned
> > recently
> > has two Ethernet ports, which I want to connect as follows:
> > 
> > Port 1 (enp1s0) will be connected to a spare port on my vDSL
> > modem/router
> > and be accessible from outside. An HTTP hole* will be opened in the
> > router for this.
> > 
> > Port 2 (enp2s0) is connected to my LAN switch, which is connected in
> > turn
> > to
> > another port on the vDSL modem, which has no holes open to this port.
> > Once the server goes into service this interface will be down most of
> > the time.
> > 
> > I want to ensure that no bridging occurs between the two ports in the
> > web
> > server.
> 
> The term "bridging" implies layer 2 forwarding, like what a hub or switch
> does. You have to do a little work to set that up, so it won't happen by
> accident.
> 
> Routing, at layer 3, just requires /proc/sys/net/ipv4/ip_forward to be set
> to 1. However since you're allowing connections to the webserver, any
> compromise of that webserver means that any network connected to the
> webserver is available without restriction. This is why webservers are
> typically put in a DMZ, and a firewall used to connect the outside, the
> DMZ and the inside.

Yes, I understand that last.

> For HTTPS, get a Let's Encrypt cert.

Ah! Thanks for the pointer. I'll follow it up.

> FWIW I'm running my home system pretty much the way you propose, and
> AFAICT I haven't been compromised...but there's little of value there.

A little confidence, then. Thanks for that too.

-- 
Regards
Peter




Re: [gentoo-user] Setting up shorewall

2017-03-30 Thread Adam Carter
On Thu, Mar 30, 2017 at 2:59 AM, Peter Humphrey wrote:

> Hello list,
>
> I've been using shorewall happily for many years, but now I have a LAN
> setup
> that the docs seem not to cover. The new web-server box I mentioned
> recently
> has two Ethernet ports, which I want to connect as follows:
>
> Port 1 (enp1s0) will be connected to a spare port on my vDSL modem/router
> and be accessible from outside. An HTTP hole* will be opened in the router
> for this.
>
> Port 2 (enp2s0) is connected to my LAN switch, which is connected in turn
> to
> another port on the vDSL modem, which has no holes open to this port. Once
> the server goes into service this interface will be down most of the time.
>
> I want to ensure that no bridging occurs between the two ports in the web
> server.
>

The term "bridging" implies layer 2 forwarding, like what a hub or switch
does. You have to do a little work to set that up, so it won't happen by
accident.

Routing, at layer 3, just requires /proc/sys/net/ipv4/ip_forward to be set
to 1. However since you're allowing connections to the webserver, any
compromise of that webserver means that any network connected to the
webserver is available without restriction. This is why webservers are
typically put in a DMZ, and a firewall used to connect the outside, the DMZ
and the inside.

For HTTPS, get a Let's Encrypt cert.

FWIW I'm running my home system pretty much the way you propose, and AFAICT
I haven't been compromised...but there's little of value there.


[gentoo-user] Setting up shorewall

2017-03-29 Thread Peter Humphrey
Hello list,

I've been using shorewall happily for many years, but now I have a LAN setup 
that the docs seem not to cover. The new web-server box I mentioned recently 
has two Ethernet ports, which I want to connect as follows:

Port 1 (enp1s0) will be connected to a spare port on my vDSL modem/router 
and be accessible from outside. An HTTP hole* will be opened in the router 
for this.

Port 2 (enp2s0) is connected to my LAN switch, which is connected in turn to 
another port on the vDSL modem, which has no holes open to this port. Once 
the server goes into service this interface will be down most of the time.

I want to ensure that no bridging occurs between the two ports in the web 
server.

Shorewall has very good documentation, but I can't see an example similar to 
this; they assume that a two-homed machine is to act as a firewall, which is 
not at all what I want to do. http://shorewall.org/MultiISP.html isn't quite 
it either.

Does anyone have any tips or examples showing how to go about this? I'm 
confronted with that terrifying blank sheet of paper.

* Yes, I know I should go the whole hog and insist on HTTPS only, but that's 
another kettle of fish altogether. I prefer to think about it separately.

-- 
Regards
Peter
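For the two-homed-but-not-a-router case described above, an added sketch of the Shorewall files (my own example, not from the thread or the Shorewall docs): `net` on enp1s0 accepting only HTTP, `loc` on enp2s0, no policy that allows anything to pass between the two zones, and kernel forwarding switched off as a second layer. Zone names, the `info` log level and the addresses of the files are my choices.

```shorewall
# /etc/shorewall/shorewall.conf (only the line that matters here)
# The web server is a host, not a router: tell Shorewall to turn kernel
# forwarding off rather than leave ip_forward as it finds it.
IP_FORWARDING=Off

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4

# /etc/shorewall/interfaces
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     enp1s0      tcpflags,nosmurfs
loc     enp2s0      tcpflags

# /etc/shorewall/policy
# The firewall itself may talk to both sides; the LAN may talk to the host.
# There is deliberately no loc->net or net->loc policy, so traffic between
# the two interfaces hits the catch-all REJECT even if forwarding were on.
#SOURCE  DEST   POLICY   LOG_LEVEL
$FW      net    ACCEPT
$FW      loc    ACCEPT
loc      $FW    ACCEPT
net      all    DROP     info
all      all    REJECT   info

# /etc/shorewall/rules
# The only hole: the HTTP port the router forwards to enp1s0.
#ACTION  SOURCE  DEST   PROTO  DPORT
ACCEPT   net     $FW    tcp    80
```

Run `shorewall check` before `shorewall restart` so a column mistake fails at compile time rather than leaving the host unfiltered.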




[gentoo-user] Setting up shorewall

2014-02-03 Thread Peter Humphrey
Hello list,

I'm in the process of setting up shorewall on my LAN server, and 
shorewall.conf asks for the location of the tc utility. Can anyone tell me 
what this program is? Google results suggest it's a traffic control program, 
but what package is it in?

-- 
Regards
Peter




Re: [gentoo-user] Setting up shorewall

2014-02-03 Thread Daniel Pielmeier
Peter Humphrey schrieb am 03.02.2014 17:56:
> Hello list,
> 
> I'm in the process of setting up shorewall on my LAN server, and 
> shorewall.conf asks for the location of the tc utility. Can anyone 
> tell me what this program is? Google results suggest it's a traffic 
> control program, but what package is it in?
> 

/sbin/tc in sys-apps/iproute2

found by e-file tc

/usr/bin/e-file in app-portage/pfl

-- 
Regards
Daniel





Re: [gentoo-user] Setting up shorewall

2014-02-03 Thread Peter Humphrey
On Monday 03 Feb 2014 18:02:11 Daniel Pielmeier wrote:
> Peter Humphrey schrieb am 03.02.2014 17:56:
> > Hello list,
> > 
> > I'm in the process of setting up shorewall on my LAN server, and
> > shorewall.conf asks for the location of the tc utility. Can anyone
> > tell me what this program is? Google results suggest it's a traffic
> > control program, but what package is it in?
> 
> /sbin/tc in sys-apps/iproute2
> 
> found by e-file tc
> 
> /usr/bin/e-file in app-portage/pfl

Thanks Daniel. Found it OK - tc that is.

-- 
Regards
Peter