On 21/04/2013 02:26, Tom Jensen wrote:
>
> I have been a long time Shorewall user. My company has grown and it
> was time to decommission many of the old servers and network devices.
>
> I was contemplating ditching Shorewall in my new network
> configuration. I originally bought a new Cisco all-in-one
> VPN/Firewall/Wireless AP product in order to consolidate many existing
> devices. I soon learned how undesirable that device was. The
> Internet forums are filled with user complaints and documented bugs
> with no workarounds. So this brand new device is being repurposed as
> a paperweight and I am turning back to my trusty Shorewall.
>
> My old Shorewall installation was actually a virtualized machine with
> three interfaces. I actually had the Shorewall firewall in the DMZ of
> my ISP's DSL modem.
>
> My initial plan for the new Shorewall installation was to have four
> interfaces:
>
> eth0 would be the WAN interface. I have since configured the DSL
> modem as a transparent bridge. My new firewall box is handling the
> authentication with my DSL provider via the pppoeconf package. This
> configuration was set up outside of Shorewall. Eventually it will be
> assigned as a zone in Shorewall.
>
> eth1 is planned to serve the network management devices (e.g.
> switches, routers, etc.) on the network. I had planned to use the
> 192.168.110.0/24 subnet for these devices.
>
> eth2 is planned to serve the local client devices on the network. I
> had planned to use the 192.168.130.0/24 subnet for these devices.
>
> eth3 is planned to serve as the DMZ with publicly available servers on
> the network. I had planned to use the 192.168.120.0/24 subnet for
> these devices.
>
> Currently, the new Shorewall machine has four physical NICs installed.
> I am beginning to think I can get away with just two NICs.
>
> I also recently purchased a really good Cisco managed switch and
> planned to implement VLANs within the network. I am thinking that if
> I have two physical NICs within the Shorewall machine, I can use eth0
> as the WAN interface as already configured, but assign various VLAN
> interfaces using the raw eth1 interface.
>
> I realize this really isn't Shorewall specific since each VLAN
> interface would be entered as a zone and rules configured
> appropriately. But I would appreciate some validation with my planned
> approach.
>
> Has anyone done something similar? Is my thinking with VLANs correct?
> I don't have much experience with VLANs yet. Is there documentation
> using Shorewall in a similar setup?
>
Hi Tom,

I have done similar, including occasionally building firewalls/routers with only a single physical interface but many VLANs. The setup works great. If you have VLAN-aware managed switches then using VLANs definitely cuts down on the mess of cables and switches in your wiring closet / server room. As long as you are religious about keeping the VLANs apart (e.g. don't bridge them somehow, by mistake or otherwise) the setup will be just as secure as not using VLANs at all.

My current Shorewall box is a re-purposed Watchguard Firebox running Debian, although I'm only using 3 interfaces: one for PPPoE, one for the VLAN trunk to my switch, and another for my AP (long story).

HTH,
Chris

-- 
Chris Boot
[email protected]

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
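The layout Tom describes (one PPPoE WAN link, one trunk NIC carrying a management, a client and a DMZ VLAN, each VLAN its own Shorewall zone), written out as an added example. This is not code from Tom's or Chris's messages nor from the Shorewall project; the interface names (eth1 as trunk, ppp0 as the pppoeconf link), the 802.1Q IDs 110/120/130 (picked to match Tom's subnets), the zone names and the firewall addresses are all assumptions. The script prints the iproute2 commands that create the tagged sub-interfaces and generates the classic three-column Shorewall zones/interfaces/policy/masq files; it only touches the kernel when invoked with `apply`.

```shell
#!/bin/sh
# Added example, not from the thread: 802.1Q sub-interfaces on one trunk
# NIC plus a matching Shorewall zone layout. Interface names, VLAN IDs,
# zone names and addresses are assumptions taken from Tom's plan
# (hypothetical: eth1 is the trunk to the managed switch, ppp0 is the
# PPPoE WAN link created outside Shorewall).
TRUNK=eth1
WAN=ppp0

# One VLAN per line: "<802.1Q id> <shorewall zone> <firewall address/prefix>"
VLANS='110 mgmt 192.168.110.1/24
120 dmz  192.168.120.1/24
130 lan  192.168.130.1/24'

# iproute2 commands that create one tagged sub-interface per VLAN.
# The raw trunk ($TRUNK) deliberately gets no address and no zone, so
# untagged frames arriving on the trunk are never routed or bridged.
vlan_commands() {
    printf '%s\n' "$VLANS" | while read -r id zone addr; do
        echo "ip link add link $TRUNK name $TRUNK.$id type vlan id $id"
        echo "ip addr add $addr dev $TRUNK.$id"
        echo "ip link set $TRUNK.$id up"
    done
}

# /etc/shorewall/zones: the firewall itself, the Internet, one zone per VLAN.
shorewall_zones() {
    printf '%s\t%s\n' '#ZONE' TYPE fw firewall net ipv4
    printf '%s\n' "$VLANS" | while read -r id zone addr; do
        printf '%s\t%s\n' "$zone" ipv4
    done
}

# /etc/shorewall/interfaces (classic ZONE/INTERFACE/BROADCAST/OPTIONS
# format): each zone is bound to its tagged sub-interface, never to the
# raw trunk.
shorewall_interfaces() {
    printf '%s\t%s\t%s\t%s\n' '#ZONE' INTERFACE BROADCAST OPTIONS
    printf '%s\t%s\t%s\t%s\n' net "$WAN" - tcpflags,nosmurfs
    printf '%s\n' "$VLANS" | while read -r id zone addr; do
        printf '%s\t%s\t%s\t%s\n' "$zone" "$TRUNK.$id" detect tcpflags,nosmurfs,routefilter
    done
}

# /etc/shorewall/policy: first match wins, so the explicit ACCEPTs come
# before the catch-alls. Only lan may reach mgmt; dmz may reach the
# Internet but not lan or mgmt; nothing from net is accepted by policy
# (port forwards to the DMZ belong in the rules file).
shorewall_policy() {
    printf '%s\t%s\t%s\t%s\n' '#SOURCE' DEST POLICY 'LOG LEVEL'
    printf '%s\t%s\t%s\n' fw  all  ACCEPT
    printf '%s\t%s\t%s\n' lan net  ACCEPT
    printf '%s\t%s\t%s\n' lan dmz  ACCEPT
    printf '%s\t%s\t%s\n' lan mgmt ACCEPT
    printf '%s\t%s\t%s\n' dmz net  ACCEPT
    printf '%s\t%s\t%s\t%s\n' net all DROP   info
    printf '%s\t%s\t%s\t%s\n' all all REJECT info
}

# /etc/shorewall/masq: NAT every VLAN behind the PPPoE address.
shorewall_masq() {
    printf '%s\t%s\n' '#INTERFACE' SOURCE
    printf '%s\n' "$VLANS" | while read -r id zone addr; do
        printf '%s\t%s\n' "$WAN" "$TRUNK.$id"
    done
}

# Usage: sh vlan-shorewall.sh show   -> print the commands and config files
#        sh vlan-shorewall.sh apply  -> create the sub-interfaces (root, needs 8021q)
case "${1:-}" in
    show)
        for f in vlan_commands shorewall_zones shorewall_interfaces \
                 shorewall_policy shorewall_masq; do
            echo "## $f"; "$f"; echo
        done ;;
    apply)
        modprobe 8021q && vlan_commands | sh -e ;;
esac
```

The point Chris makes about keeping VLANs apart is enforced here by two choices: eth1 itself is never given an address or a zone, and every zone is bound to one tagged sub-interface, so there is nothing for a stray bridge to join. On the switch side the port facing eth1 must be a tagged trunk carrying only these three VLAN IDs, with the untagged/native VLAN left unused.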
