> I'm considering the following firewall setup on a public IPv4 provided by my
> ISP:
> Transparent / bridged firewall
>
> The local network should be considered as a DMZ, meaning any service running in
> this network is accessible from WAN.
> Having only one public IPv4 I need to add a forward proxy service in the DMZ
> in order to use multiple services (e.g. mail, cloud).
>
> Can you please advise if this setup is reasonable for this use case?
> Or should a standard setup with a routed firewall be preferred?
Do you only have one public IPv4 address? If so, then a bridged setup probably doesn’t make sense.

With a previous work hat on I ran several bridged firewalls - but these were on networks with multiple IPv4 addresses and with services either directly active on public IPs, or with “something else” doing NAT, port forwarding, etc. behind it. And in each case, I had a need to do some traffic monitoring in a setup where I couldn’t introduce the routing changes needed for a routed setup.

From memory, there are some things that don’t work well/easily/at all with a bridged setup - because the IP stack isn’t forwarding packets at the IP level (i.e. in the IP stack - level 3), it’s bridging them (forwarding) at the packet level (i.e. at level 2).

If you give a bit more information on what exactly you need to do then we can probably offer suggestions on how best to achieve that - but at the moment there’s insufficient information to say which of several topologies would be most appropriate. But bear in mind that often there is no “right” or “wrong” way - just different levels of “best fit” for whatever definition of “best” you apply.

As for your other question, I don’t think Shorewall really has any hardware requirements of its own. Other than memory (mostly RAM for storing of active rules etc. - but also CPU if it’s handling lots of traffic with lots of rules), it’s dependent on the OS to provide the various network layers it interacts with. So if the OS runs OK, has all the right drivers for the hardware, and there’s enough resources to handle whatever complexity of rules you apply - then Shorewall should be fine.

At one time I had an Alix board acting as a backup firewall for a hosting environment with a 20 Mbps uplink and a significant number of traffic shaping rules. The only time it fell over was when we were hit with an NTP amplification attack (someone was flooding our link with small NTP requests and causing massive outbound NTP traffic to a 3rd party) which made our Intel-based primary box fall over and then the Alix struggled to handle the packet rate.

Simon

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
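The routed alternative Simon points to (one public address on the firewall, the DMZ on a private subnet, each service published by port forwarding), as an added configuration example that is not from this thread or from the Shorewall project's own sample files. It assumes Shorewall 5.2 file formats, eth0 as the ISP-facing interface, eth1 as the DMZ interface, the constructed subnet 192.168.10.0/24, and two placeholder DMZ hosts: a mail server at .10 and a proxy host at .20 that fronts the web/cloud services. The port lists are illustrative choices, not values from the thread.

```text
# /etc/shorewall/shorewall.conf (only the setting that matters here)
IP_FORWARDING=On

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
dmz     ipv4

# /etc/shorewall/interfaces
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs,routefilter,logmartians   # assumed: public/ISP side
dmz     eth1        tcpflags,nosmurfs                           # assumed: DMZ side

# /etc/shorewall/policy
# Nothing enters from the Internet unless a rule below explicitly publishes it.
#SOURCE   DEST   POLICY   LOGLEVEL
$FW       all    ACCEPT
dmz       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/snat   (this file is named "masq" on Shorewall releases before 5.2)
# Hide the DMZ subnet behind the single public address on eth0.
#ACTION       SOURCE             DEST
MASQUERADE    192.168.10.0/24    eth0

# /etc/shorewall/rules
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
#ACTION        SOURCE   DEST                   PROTO   DPORT
# Management of the firewall itself only from the DMZ side, never from the Internet.
SSH(ACCEPT)    dmz      $FW
Ping(ACCEPT)   net      $FW
# One public IP: each service is published by DNAT to the DMZ host that runs it.
DNAT           net      dmz:192.168.10.10      tcp     25,465,587,993   # assumed mail host
DNAT           net      dmz:192.168.10.20      tcp     80,443           # assumed proxy host for web/cloud
```

Everything the DMZ exposes to the Internet is then the explicit DNAT lines, which is the inventory a reviewer can audit; a host in the DMZ that is not listed is simply unreachable from outside. Run `shorewall check` before `shorewall restart` so a typo in one of these files is caught without dropping the live ruleset.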