On Wed, Sep 26, 2001 at 07:59:58PM +0200, Philipp happily wrote:
> Hi there!
>
> [...]
>
> +-------------+     +-------linux--box-------+
> | ADSL Router |     |                        |     +-----------------+
> |   dyn IP    |===1 <>  firewall+bridge   <>   2===| DMZ Hub         |==>...
> +-------------+     |            |           |     +-----------------+
>                     |            ^ ??        |
> +-------------+     |            |           |     +-----------------+
> | SDSL Router |===3 <>  firewall+routing  <>   4===| Intranet switch |==>...
> | 4 static IP |     |            ^           |     +-----------------+
> +-------------+     +------------5-----------+
>                                  |
>                         +------------------+
>                         | WLAN Transceiver |
>                         +------------------+
>
> And now to my questions:
>
> 1. Is it actually possible to set up two parallel working firewalls on one
> box? Even if one should route (NICs need IPs) and one should be transparent?

I've actually tested a quite similar configuration in a production
environment. I had 4 NICs: one linked to the intranet, one linked to our DMZ,
one to the server's internet connection (guaranteed bandwidth, class C public
IP addresses...) and the last one to a DSL-like connection for the intranet.

On the firewall I had to configure a DHCP server on the intranet side, a DHCP
client on the DSL side, and transparent firewalling for the two NICs related
to the servers. I got it working pretty well using proxy_arp for transparent
firewalling and configuring two routing tables (ip route add ... table ...)
with some ip rules (ip rule add ...).

It was quite interesting to see that working since I also had to use
MASQUERADING on the DSL side for the intranet (both 10.0.0.0 networks) and
SNAT to allow direct connections between the offices and the DMZ. In a short
time, I may enjoy using tc to do some bandwidth shaping (I've been quite
satisfied by it in other environments).

Ok, I just gave you some hints... if you need something more detailed, I
suggest you look at:

- the advanced-routing howto (how to use multiple routing tables, set up
  rules for ip...), don't know the exact name...
- the documentation shipped with iptables, tc and iproute2 (there should be
  the exact URL for the latest version of the howto I told you about
  somewhere around there)...
- the 'proxy_arp' web pages. I found them in Google using 'proxy_arp linux'
  as the search string.

I used the kernel 2.4.9 with the latest version of iptables and ip available
in the testing branch of Debian (can't remember the exact version). I didn't
have any trouble setting this up besides some typos in firewalling rules and
the DHCP client screwing up my routing tables during startup (solved this by
putting my scripts after the startup of dhcpcpd and using as default routing
table the one I used for the intranet).

Actually proxy_arp needs one IP address in order to work, but you can make
the firewall more 'transparent' by dropping all packets in the input chain,
and no, none of your servers needs to be configured to use that IP address,
nor your gateways or other network devices on the network (proxy arp works at
the ARP level and is quite similar to bridging).

If anybody wants some more details, I can mail my exact configuration or
provide some additional info... feel free to mail me...

> 1. I've read the bridging+firewalling howto, and all sounds very fine. But
> [...]
> a 2.4 kernel? If no, how do I set up the kernel to handle the packets the
> right way?

As far as I know (I may be wrong) netfilter+bridging is not very stable on 2.4
kernels. You can look at the netfilter mailing list, but the last message I've
seen on this topic was sent around the 12th of September by someone that got
it working by patching some lines in the kernel by hand (I can forward the
email to you if you want to try that way). My suggestion is not to use it in
production environments until it is a little bit more tested (at least on 2.4
kernels).

-- 
*** bye, Carlo!
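Added example, not from Carlo's mail or his real configuration: a sh sketch of the setup he describes (a second routing table selected with ip rule, proxy_arp on the server-side NIC pair, MASQUERADE on the DSL side, SNAT towards the DMZ and an INPUT chain that drops everything). Interface names, addresses, the DMZ host list and the table number are assumed placeholders; DRY_RUN=1 prints the commands, the argument apply executes them.

```shell
#!/bin/sh
# Added example, not Carlo's real configuration: a sketch of the setup the mail
# describes on a four-NIC Linux 2.4 box with iproute2 and iptables. Every
# interface name, address, host and table number below is an assumed placeholder.
set -e
INTRA_IF=eth0; INTRA_NET=10.0.0.0/24          # office LAN (DHCP server side)
DSL_IF=eth1;   DSL_GW=${DSL_GW:-10.1.0.1}     # DSL line; the DHCP client learns the real gateway
NET_IF=eth2;   NET_GW=198.51.100.1; NET_IP=198.51.100.2   # leased line, public /24
DMZ_IF=eth3;   DMZ_HOSTS="198.51.100.10 198.51.100.11"    # servers, same public subnet as NET_IF
DSL_TABLE=200                                 # second routing table; main table stays the default
# DRY_RUN=1 prints each command instead of executing it.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }
setup_routing() {
  # Main table: default via the leased line, plus one host route per DMZ server so
  # the proxy_arp pair knows on which side of the firewall each public address lives.
  for h in $DMZ_HOSTS; do run ip route add "$h/32" dev "$DMZ_IF"; done
  run ip route add default via "$NET_GW" dev "$NET_IF"
  # Second table for office traffic: same connected nets, but default via DSL.
  run ip route add "$INTRA_NET" dev "$INTRA_IF" table "$DSL_TABLE"
  for h in $DMZ_HOSTS; do run ip route add "$h/32" dev "$DMZ_IF" table "$DSL_TABLE"; done
  run ip route add default via "$DSL_GW" dev "$DSL_IF" table "$DSL_TABLE"
  # Source-based rule: packets from office addresses consult the DSL table.
  run ip rule add from "$INTRA_NET" table "$DSL_TABLE" priority 100
}
setup_transparent() {
  # proxy_arp on both NICs of the server pair: the firewall answers ARP for the far
  # side, so servers and upstream router keep using each other's real addresses.
  run sysctl -w net.ipv4.ip_forward=1
  run sysctl -w "net.ipv4.conf.$NET_IF.proxy_arp=1"
  run sysctl -w "net.ipv4.conf.$DMZ_IF.proxy_arp=1"
}

setup_filter() {
  # Drop everything addressed to the box itself (loopback aside): its one public
  # IP exists only so proxy_arp works, so nothing should be talking to it.
  run iptables -P INPUT DROP; run iptables -A INPUT -i lo -j ACCEPT
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Transparent pair: inbound only the published service, anything outbound from the DMZ.
  run iptables -A FORWARD -i "$NET_IF" -o "$DMZ_IF" -p tcp --dport 80 -j ACCEPT
  run iptables -A FORWARD -i "$DMZ_IF" -o "$NET_IF" -j ACCEPT
  # Office out via DSL, hiding the private 10.0.0.0 addresses (MASQUERADE).
  run iptables -A FORWARD -i "$INTRA_IF" -o "$DSL_IF" -j ACCEPT
  run iptables -t nat -A POSTROUTING -o "$DSL_IF" -j MASQUERADE
  # Office to DMZ: SNAT to the public address, since the other office is 10.0.0.0 too.
  run iptables -A FORWARD -i "$INTRA_IF" -o "$DMZ_IF" -j ACCEPT
  run iptables -t nat -A POSTROUTING -s "$INTRA_NET" -o "$DMZ_IF" -j SNAT --to-source "$NET_IP"
}
if [ "${1:-}" = apply ]; then setup_routing; setup_transparent; setup_filter; fi
```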