Re: [gentoo-user] Setting up shorewall
> I have two questions:
>
> 1. Is it feasible to have both Ethernets connect, directly or indirectly,
> to the same DSL modem/router? (Adam seemed to imply that he operates this
> way). The device is a Billion Bipac 8900AX R2, which can segregate LAN
> ports, but as far as I can see it can't assign different IP addresses to
> them.

What are you trying to achieve with that setup? In the general case, you
wouldn't do that.

> 2. How should I set up routing on the web server so that outgoing traffic
> from itself is routed as follows:
>
> (i) if the destination is in the 192.168.1.0/24 subnet, the packet should
> go out through enp2s0, and
> (ii) traffic to all other destinations goes out through enp1s0?

If the server has an address on 192.168.1.0/24, then it has a "connected"
route automatically created by the OS, and that will be preferred over
other routes. No change required.

If the server is not directly connected to 192.168.1.0/24, then you will
need a static route to get to it. The gateway for that route will be an IP
address on a subnet that both the server and the router have an address
on. The router will also have an address on 192.168.1.0/24.

For (ii) you set the default route out that interface.
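The route selection the reply above relies on (a connected /24 beating the default route by longest prefix match, and the static-route variant for a server that is not on 192.168.1.0/24 itself), as an added example that is not part of the thread. The addresses, next hops and the enp1s0/enp2s0 tables are constructed assumptions.

```python
# Added example, not from the thread: a minimal longest-prefix-match route
# lookup over constructed routing tables modelled on the web server above.
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network   # destination prefix
    dev: str                        # egress interface
    via: Optional[str] = None       # next hop; None means directly connected


# Case (i)+(ii) as answered above: the kernel adds the 192.168.1.0/24
# "connected" route itself once enp2s0 carries an address in that subnet;
# only the default route out of enp1s0 has to be configured explicitly.
# (Next-hop 203.0.113.1 is a constructed documentation address.)
SERVER_ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "enp1s0", "203.0.113.1"),
    Route(ipaddress.ip_network("192.168.1.0/24"), "enp2s0"),
]

# Variant from the reply: the server is NOT on 192.168.1.0/24, so it needs a
# static route whose gateway (constructed 10.0.0.1) sits on a subnet shared
# by the server and the router.
REMOTE_ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "enp1s0", "203.0.113.1"),
    Route(ipaddress.ip_network("192.168.1.0/24"), "enp2s0", "10.0.0.1"),
]


def lookup(routes: List[Route], dst: str) -> Route:
    """Return the most specific route covering dst (longest prefix wins)."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def egress(routes: List[Route], dst: str) -> str:
    """Interface a packet to dst leaves through."""
    return lookup(routes, dst).dev


if __name__ == "__main__":
    for dst in ("192.168.1.5", "198.51.100.7"):
        r = lookup(SERVER_ROUTES, dst)
        print(f"{dst} -> {r.dev} via {r.via or 'link'}")
```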
Re: [gentoo-user] Setting up shorewall
On Wednesday 29 Mar 2017 16:59:01 I wrote:

> [I have a] new web-server box [with] two Ethernet ports, which I want to
> connect as follows:
>
> Port 1 (enp1s0) will be connected to [its own] port on my vDSL modem/
> router and be accessible from outside.
>
> Port 2 (enp2s0) is connected to my LAN switch, which is connected in turn
> to another port on the vDSL modem. Once the server goes into service this
> interface will be down most of the time.

I have two questions:

1. Is it feasible to have both Ethernets connect, directly or indirectly,
to the same DSL modem/router? (Adam seemed to imply that he operates this
way). The device is a Billion Bipac 8900AX R2, which can segregate LAN
ports, but as far as I can see it can't assign different IP addresses to
them.

2. How should I set up routing on the web server so that outgoing traffic
from itself is routed as follows:

(i) if the destination is in the 192.168.1.0/24 subnet, the packet should
go out through enp2s0, and
(ii) traffic to all other destinations goes out through enp1s0?

There ought to be a simple addition to /etc/conf.d/net, but I can't see
what, even after looking through several web resources, including these:

https://wiki.gentoo.org/wiki/Handbook:AMD64/Networking/Introduction et seq
https://wiki.gentoo.org/wiki/Static_Routing

--
Regards
Peter
Re: [gentoo-user] Setting up shorewall
On Thursday 30 Mar 2017 17:23:13 Adam Carter wrote:

> On Thu, Mar 30, 2017 at 2:59 AM, Peter Humphrey wrote:
> > Hello list,
> >
> > I've been using shorewall happily for many years, but now I have a LAN
> > setup that the docs seem not to cover. The new web-server box I
> > mentioned recently has two Ethernet ports, which I want to connect as
> > follows:
> >
> > Port 1 (enp1s0) will be connected to a spare port on my vDSL
> > modem/router and be accessible from outside. An HTTP hole* will be
> > opened in the router for this.
> >
> > Port 2 (enp2s0) is connected to my LAN switch, which is connected in
> > turn to another port on the vDSL modem, which has no holes open to this
> > port. Once the server goes into service this interface will be down
> > most of the time.
> >
> > I want to ensure that no bridging occurs between the two ports in the
> > web server.
>
> The term "bridging" implies layer 2 forwarding, like what a hub or switch
> does. You have to do a little work to set that up, so it won't happen by
> accident.
>
> Routing, at layer 3, just requires /proc/sys/net/ipv4/ip_forward to be
> set to 1. However since you're allowing connections to the webserver, any
> compromise of that webserver means that any network connected to the
> webserver is available without restriction. This is why webservers are
> typically put in a DMZ, and a firewall used to connect the outside, the
> DMZ and the inside.

Yes, I understand that last.

> For HTTPS, get a LetsEncrypt cert.

Ah! Thanks for the pointer. I'll follow it up.

> FWIW I'm running my home system pretty much the way you propose, and
> AFAICT I haven't been compromised...but there's little of value there.

A little confidence, then. Thanks for that too.

--
Regards
Peter
Re: [gentoo-user] Setting up shorewall
On Thu, Mar 30, 2017 at 2:59 AM, Peter Humphrey wrote:

> Hello list,
>
> I've been using shorewall happily for many years, but now I have a LAN
> setup that the docs seem not to cover. The new web-server box I mentioned
> recently has two Ethernet ports, which I want to connect as follows:
>
> Port 1 (enp1s0) will be connected to a spare port on my vDSL modem/router
> and be accessible from outside. An HTTP hole* will be opened in the router
> for this.
>
> Port 2 (enp2s0) is connected to my LAN switch, which is connected in turn
> to another port on the vDSL modem, which has no holes open to this port.
> Once the server goes into service this interface will be down most of the
> time.
>
> I want to ensure that no bridging occurs between the two ports in the web
> server.

The term "bridging" implies layer 2 forwarding, like what a hub or switch
does. You have to do a little work to set that up, so it won't happen by
accident.

Routing, at layer 3, just requires /proc/sys/net/ipv4/ip_forward to be set
to 1. However since you're allowing connections to the webserver, any
compromise of that webserver means that any network connected to the
webserver is available without restriction. This is why webservers are
typically put in a DMZ, and a firewall used to connect the outside, the DMZ
and the inside.

For HTTPS, get a LetsEncrypt cert.

FWIW I'm running my home system pretty much the way you propose, and AFAICT
I haven't been compromised...but there's little of value there.
[gentoo-user] Setting up shorewall
Hello list,

I've been using shorewall happily for many years, but now I have a LAN
setup that the docs seem not to cover. The new web-server box I mentioned
recently has two Ethernet ports, which I want to connect as follows:

Port 1 (enp1s0) will be connected to a spare port on my vDSL modem/router
and be accessible from outside. An HTTP hole* will be opened in the router
for this.

Port 2 (enp2s0) is connected to my LAN switch, which is connected in turn
to another port on the vDSL modem, which has no holes open to this port.
Once the server goes into service this interface will be down most of the
time.

I want to ensure that no bridging occurs between the two ports in the web
server.

Shorewall has very good documentation, but I can't see an example similar
to this; they assume that a two-homed machine is to act as a firewall,
which is not at all what I want to do. http://shorewall.org/MultiISP.html
isn't quite it either.

Does anyone have any tips or examples showing how to go about this? I'm
confronted with that terrifying blank sheet of paper.

* Yes, I know I should go the whole hog and insist on HTTPS only, but
that's another kettle of fish altogether. I prefer to think about it
separately.

--
Regards
Peter
[gentoo-user] Setting up shorewall
Hello list,

I'm in the process of setting up shorewall on my LAN server, and
shorewall.conf asks for the location of the tc utility. Can anyone tell me
what this program is? Google results suggest it's a traffic control
program, but what package is it in?

--
Regards
Peter
Re: [gentoo-user] Setting up shorewall
Peter Humphrey wrote on 03.02.2014 17:56:
> Hello list,
>
> I'm in the process of setting up shorewall on my LAN server, and
> shorewall.conf asks for the location of the tc utility. Can anyone tell
> me what this program is? Google results suggest it's a traffic control
> program, but what package is it in?

/sbin/tc in sys-apps/iproute2

found by

e-file tc

/usr/bin/e-file in app-portage/pfl

--
Regards
Daniel
Re: [gentoo-user] Setting up shorewall
On Monday 03 Feb 2014 18:02:11 Daniel Pielmeier wrote:
> Peter Humphrey wrote on 03.02.2014 17:56:
> > Hello list,
> >
> > I'm in the process of setting up shorewall on my LAN server, and
> > shorewall.conf asks for the location of the tc utility. Can anyone tell
> > me what this program is? Google results suggest it's a traffic control
> > program, but what package is it in?
>
> /sbin/tc in sys-apps/iproute2
>
> found by
>
> e-file tc
>
> /usr/bin/e-file in app-portage/pfl

Thanks Daniel. Found it OK - tc that is.

--
Regards
Peter