Hello Simon, many thanks for your informative reply.
I'll try to share some more information on what I'm planning to do.

I can confirm that I have only 1 static public IPv4 (provided by my ISP). With my current hardware (ALIX2D13) and software (VyOS 1.1.8) this works fine with a standard firewall+router setup. The number of web services is (still) low, and with the configured forward proxy (HAProxy, <https://wiki.archlinux.org/title/HAproxy>) in addition to the selective ports (80, 443, 465, 587, etc.) opened, this DMZ works as expected.

This firewall solution will be replaced by Shorewall running on a recent Debian release. In addition I will set up another firewall behind the router with the dynamic public IPv4. Behind this firewall different local networks will be available (e.g. LAN, Management). As a result I have physically separated the DMZ from the other local networks, with 2 different firewall software stacks. I'm planning to extend the services in the LAN with K8s and services for logging and monitoring.

With regard to the transparent / bridged firewall, I think I will skip this because I cannot determine whether my ISP offers WAN routing, which is a prerequisite for a transparent / bridged firewall.

Regards
Thomas

On 01.01.22 at 20:05, Simon wrote:
>> I'm considering the following firewall setup on a public IPv4 provided by my
>> ISP:
>> Transparent / bridged firewall
>>
>> The local network should be considered as a DMZ, meaning any service running
>> in this network is accessible from WAN.
>> Having only one public IPv4 I need to add a forward proxy service in the DMZ
>> in order to use multiple services (e.g. mail, cloud).
>>
>> Can you please advise if this setup is reasonable for this use case?
>> Or should a standard setup with a routed firewall be preferred?
> Do you only have one public IPv4 address? If so, then a bridged setup
> probably doesn’t make sense.
>
> With a previous work hat on I ran several bridged firewalls - but these were
> on networks with multiple IPv4 addresses and with services either directly
> active on public IPs, or with “something else” doing NAT, port forwarding, etc.
> behind it. And in each case, I had a need to do some traffic monitoring in a
> setup where I couldn’t introduce the routing changes needed for a routed
> setup.
>
> From memory, there are some things that don’t work well/easily/at all with a
> bridged setup - because the IP stack isn’t forwarding packets at the IP level
> (i.e. in the IP stack - level 3), it’s bridging them (forwarding) at the
> packet level (i.e. at level 2).
>
> If you give a bit more information on what exactly you need to do then we can
> probably offer suggestions on how best to achieve that - but at the moment
> there’s insufficient information to say which of several topologies would be
> most appropriate. But bear in mind that often there is no “right” or “wrong”
> way - just different levels of “best fit” for whatever definition of “best”
> you apply.
>
>
> As for your other question, I don’t think Shorewall really has any hardware
> requirements of its own. Other than memory (mostly RAM for storing of active
> rules etc. - but also CPU if it’s handling lots of traffic with lots of
> rules), it’s dependent on the OS to provide the various network layers it
> interacts with. So if the OS runs OK, has all the right drivers for the
> hardware, and there’s enough resources to handle whatever complexity of rules
> you apply - then Shorewall should be fine.
> At one time I had an Alix board acting as a backup firewall for a hosting
> environment with a 20 Mbps uplink and a significant number of traffic shaping
> rules. The only time it fell over was when we were hit with an NTP
> amplification attack (someone was flooding our link with small NTP requests
> and causing massive outbound NTP traffic to a 3rd party) which made our Intel
> based primary box fall over and then the Alix struggled to handle the packet
> rate.
>
>
> Simon
>
>
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
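The routed single-public-IPv4 DMZ that Thomas describes (Shorewall on Debian, selective ports forwarded to a proxy host in the DMZ, everything else dropped) expressed as Shorewall configuration. This is an added illustration, not configuration from the thread or from the Shorewall project; the interface names eth0/eth1, the DMZ subnet 10.0.1.0/24 and the proxy host address 10.0.1.10 are assumed placeholders.

```conf
# ---- /etc/shorewall/zones ----
#ZONE   TYPE
fw      firewall
net     ipv4
dmz     ipv4

# ---- /etc/shorewall/interfaces ----
# eth0 (Internet) and eth1 (DMZ) are assumed; use the real NIC names.
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs,routefilter,logmartians
dmz     eth1        tcpflags,nosmurfs

# ---- /etc/shorewall/policy ----
# Deny by default: unsolicited traffic from the Internet is dropped and
# logged, anything not covered below is rejected and logged.
#SOURCE   DEST   POLICY   LOGLEVEL
$FW       net    ACCEPT
dmz       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# ---- /etc/shorewall/rules ----
# Only the listed service ports reach the DMZ, and only on the proxy
# host (10.0.1.10 is an assumed address); the proxy fans them out.
?SECTION NEW
#ACTION   SOURCE   DEST             PROTO   DPORT
DNAT      net      dmz:10.0.1.10    tcp     80,443,465,587

# ---- /etc/shorewall/snat ----  (Shorewall 5; older releases use 'masq')
# DMZ hosts share the one public address for outbound connections.
#ACTION      SOURCE        DEST
MASQUERADE   10.0.1.0/24   eth0

# ---- /etc/shorewall/shorewall.conf ----
# DNAT only works if the kernel forwards between the interfaces.
IP_FORWARDING=On
```

Run `shorewall check` before `shorewall restart`: a typo in the port list or an interface name shows up there rather than as an unexpectedly open or closed service.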