I have been a long-time Shorewall user. My company has grown and it
was time to decommission many of the old servers and network devices.

I was contemplating ditching Shorewall in my new network
configuration. I originally bought a new Cisco all-in-one
VPN/Firewall/Wireless AP product in order to consolidate many existing
devices. I soon learned how undesirable that device was. The Internet
forums are filled with user complaints and documented bugs with no
workarounds. So this brand new device is being repurposed as a
paperweight and I am turning back to my trusty Shorewall.

My old Shorewall installation was actually a virtualized machine with
three interfaces. I actually had the Shorewall firewall in the DMZ of
my ISP's DSL modem.

My initial plan for the new Shorewall installation was to have four
interfaces:

eth0 would be the WAN interface. I have since configured the DSL modem
as a transparent bridge. My new firewall box is handling the
authentication with my DSL provider via the pppoeconf package. This
configuration was set up outside of Shorewall. Eventually it will be
assigned as a zone in Shorewall.

eth1 is planned to serve
the network management devices (e.g. switches, routers, etc.) on the
network. I had planned to use the 192.168.110.0/24 subnet for these
devices. 

eth2 is planned to serve the local client devices on the
network. I had planned to use the 192.168.130.0/24 subnet for these
devices. 

eth3 is planned to serve as the DMZ with publicly available
servers on the network. I had planned to use the 192.168.120.0/24 subnet
for these devices. 

Currently, the new Shorewall machine has four
physical NICs installed. I am beginning to think I can get away with
just two NICs. 

I also recently purchased a really good Cisco managed
switch and planned to implement VLANs within the network. I am thinking
that if I have two physical NICs within the Shorewall machine, I can use
eth0 as the WAN interface as already configured, but assign various VLAN
interfaces using the raw eth1 interface. 

I realize this really isn't Shorewall-specific, since each VLAN
interface would be entered as a zone and rules configured
appropriately. But I would appreciate some validation of my planned
approach.

Has anyone done something
similar? Is my thinking with VLANs correct? I don't have much experience
with VLANs yet. Is there documentation using Shorewall in a similar
setup? 
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
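As an added example (not code from the original post and not part of the Shorewall project), here is a POSIX shell script that builds the two-NIC layout the post describes: ppp0 from pppoeconf is the net-zone interface, and the raw eth1 carries one tagged sub-interface per VLAN (eth1.110, eth1.120, eth1.130) for the management, DMZ and client networks, each entered as its own Shorewall zone. Everything the post does not state is an assumption: the VLAN IDs 110/120/130 (chosen to match the third octet of each subnet), the firewall taking .1 in each subnet, the inter-zone policies, the placeholder DMZ web server 192.168.120.10, and the Shorewall 4.x table names (the masq file became snat in Shorewall 5).

```shell
#!/bin/sh
# Added example for the two-NIC / VLAN Shorewall layout discussed in the post.
# VLAN IDs, the .1 gateway addresses, the policies and the DMZ server address
# are assumptions; only the subnets come from the post.
set -eu

TRUNK_IF=eth1   # raw NIC toward the switch trunk: gets no IP address and no zone
WAN_IF=ppp0     # pppoeconf terminates PPPoE on ppp0, so ppp0 (not eth0) is the net zone

# zone:vlan-id:subnet  (assumed mapping of VLAN IDs to the post's subnets)
VLANS="mgmt:110:192.168.110.0/24 dmz:120:192.168.120.0/24 loc:130:192.168.130.0/24"

# Create one 802.1Q sub-interface per VLAN on the trunk NIC (iproute2).
vlan_up() {
    modprobe 8021q
    ip link set "$TRUNK_IF" up
    for entry in $VLANS; do
        id=${entry#*:}; id=${id%%:*}
        net=${entry##*:}
        gw=${net%.0/24}.1            # firewall is .1 in each subnet (assumption)
        ip link add link "$TRUNK_IF" name "$TRUNK_IF.$id" type vlan id "$id"
        ip addr add "$gw/24" dev "$TRUNK_IF.$id"
        ip link set "$TRUNK_IF.$id" up
    done
}

# Write the Shorewall 4.x tables into directory $1 (normally /etc/shorewall).
write_shorewall_vlan_config() {
    dir=$1
    mkdir -p "$dir"
    {
        printf '#ZONE\tTYPE\n'
        printf 'fw\tfirewall\nnet\tipv4\n'
        for entry in $VLANS; do printf '%s\tipv4\n' "${entry%%:*}"; done
    } > "$dir/zones"
    {
        # FORMAT 1 columns; BROADCAST is '-' (unused on modern kernels).
        # 'optional' keeps "shorewall start" from failing while PPPoE is still negotiating.
        printf '#ZONE\tINTERFACE\tBROADCAST\tOPTIONS\n'
        printf 'net\t%s\t-\ttcpflags,nosmurfs,routefilter,logmartians,optional\n' "$WAN_IF"
        for entry in $VLANS; do
            zone=${entry%%:*}; id=${entry#*:}; id=${id%%:*}
            printf '%s\t%s.%s\t-\ttcpflags,nosmurfs,routefilter,logmartians\n' \
                "$zone" "$TRUNK_IF" "$id"
        done
    } > "$dir/interfaces"
    # Assumed policies: clients may reach everything; DMZ and mgmt may reach the
    # Internet but never initiate toward clients; nothing from the Internet is accepted.
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG
$FW     all     ACCEPT
loc     net     ACCEPT
loc     dmz     ACCEPT
loc     mgmt    ACCEPT
dmz     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF
    cat > "$dir/rules" <<'EOF'
#ACTION         SOURCE  DEST                    PROTO   DPORT
SSH(ACCEPT)     loc     $FW
Ping(ACCEPT)    loc     $FW
# placeholder public web server in the DMZ (assumption)
DNAT            net     dmz:192.168.120.10      tcp     80,443
EOF
    {
        # Shorewall 4.x masq table; Shorewall 5 uses the snat table instead.
        printf '#INTERFACE\tSOURCE\n'
        src=""
        for entry in $VLANS; do src="${src:+$src,}${entry##*:}"; done
        printf '%s\t%s\n' "$WAN_IF" "$src"
    } > "$dir/masq"
}

# Only touch the live system when explicitly asked to.
if [ "${SHOREWALL_VLAN_APPLY:-0}" = 1 ]; then
    vlan_up
    write_shorewall_vlan_config /etc/shorewall
    shorewall check && shorewall restart
fi
```

Run it with SHOREWALL_VLAN_APPLY=1 to create the sub-interfaces and write /etc/shorewall; without that variable it only defines the two functions. Two checks worth doing before trusting the zone separation: the switch port facing eth1 must be a tagged trunk carrying only VLANs 110, 120 and 130 (on an IOS-based switch, `switchport mode trunk` and `switchport trunk allowed vlan 110,120,130`), and the trunk's native (untagged) VLAN should be set to an otherwise unused ID so that an untagged frame never lands in a zone; the raw eth1 deliberately has no address and no interfaces entry for the same reason. `shorewall check` compiles the configuration without loading it, so run it before `shorewall restart`.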