I'm being cast headlong into unfamiliar waters here, and being desperate for some air, thought I'd come here for some help. :)

Anyway, my employer is going through some whiplash-inducing growth spurts, and as a result, the simple "Internet T-1 -> Linux Firewall/NAT -> LAN" setup just isn't going to cut it anymore.

First, we're bringing in 2 additional T's and want to use BGP to provide for some measure of failover to a Class C portable IP block we own. My question regarding this is, what do I need to do on my Linux firewall/NAT box so that it knows how to send outbound packets?

Second, we currently have two separate DMZ networks, one for corporate Internet servers, and one for client-accessible Internet servers. Currently, both these networks, and our internal LAN (and all of our IPSec-connected remote offices), are all subnets in the 10.* range, and NATted to the outside. I'm using Shorewall on RH9 (Linux 2.4) to handle the firewalling and SNAT/DNAT for the DMZs and NAT for the LAN, and FreeS/WAN for the IPSec WAN.

What I would _like_ to do is build an "invisible" firewall between the routers provided with each of the three T-1 lines (yes, each T has its own Cisco 2600-series router). Ideally, two, in some sort of fail-over configuration. I want to split the firewalling from the routing primarily to remove the chance of breaking one when working on the other, but this is not a set-in-stone requirement.

So, given my poor ascii-art skills, the layout might look something like this:

^^^}-{T1(a)}--[cisco(a)]--+                       +--{Service DMZ}
'N }                      |                       |
 e }-{T1(b)}--[cisco(b)]--+-[[firewall]-[router]]-+--{Corporate DMZ}
 t }                      |                       |
vvv}-{T1(c)}--[cisco(c)]--+                       +--{LAN}
                                                  |
                                                  +--{future growth}

Now, for the sake of argument, we'll call our portable Class C 192.168.191.0/24. I hope to share it between the service DMZ and the corporate DMZ.
The two DMZs need to be separate for security concerns, and I'll need to do some amount of firewalling between the DMZs, and between the DMZs and the LAN, in addition to the firewalling between the Internet and our networks.

So, here's my list of questions:

- Would it be better to forgo the edge firewall, and simply put firewalls on each network that connects to the Internet or another internal network? If so, should the NAT for the LAN be handled by the LAN's firewall, or the router?
- Since we really need to be able to connect from any network to any network internally, would I put the IPSec links in the Linux router?
- Am I making this all too complex? Should I just combine the firewall & router into a single box, build a fail-over twin for it, and have it run the IPSec links, the proxy-ARP for pseudo-bridging to the DMZs, the NAT for the LAN->Internet communications and all the internal routing?
- And where the hell does BGP for the T-1s fit into this mess?

I guess I'm more lost than I thought. :( Any help or advice is appreciated.

TIA,
Gregory

-- 
Gregory K. Ruiz-Ade <gkade@xxxxxxxxxxxxxx>
OpenPGP Key ID: EAF4844B  keyserver: pgpkeys.mit.edu

_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
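An added example, not code from Gregory's post, addressing his first question (how the Linux box picks an outbound path when three BGP-speaking Ciscos sit in front of it). Because the portable /24 is announced by all three routers, return traffic can come back through any of them, so the Linux side only has to choose an egress; the equal-cost multipath default route below is the form the LARTC HOWTO documents for multiple uplinks, wrapped in a ping-based liveness check so a dead router is dropped from the nexthop set. All addresses and interface names are assumptions for illustration: eth0 as the outside interface, the Ciscos at 192.168.191.1, .2 and .3 (reusing the post's stand-in block), and the gateway list in GATEWAYS.

```bash
#!/bin/sh
# Added example (not from the original post): equal-cost multipath default
# route on a Linux 2.4/2.6 firewall behind several upstream routers, with a
# ping-based liveness probe so a dead router is left out of the nexthop set.
# Everything below is assumed for illustration:
#   eth0            outside interface, shared segment with the Ciscos
#   192.168.191.1   cisco(a)    192.168.191.2   cisco(b)    192.168.191.3   cisco(c)
# Needs iproute2 ("ip") and CONFIG_IP_ROUTE_MULTIPATH in the kernel.
# Set DRY_RUN=1 to print the routing commands instead of executing them.

set -eu

OUT_IF=eth0
GATEWAYS="192.168.191.1 192.168.191.2 192.168.191.3"

# Liveness probe for one upstream router: two ICMP echoes, 1 s timeout.
# Caveat: this only proves the router's inside address answers; it says
# nothing about whether that router's BGP session or its T-1 is up.
gw_alive() {
    ping -c 2 -W 1 "$1" >/dev/null 2>&1
}

# Echo the space-separated subset of the gateways in $1 that pass gw_alive.
live_gateways() {
    live=""
    for gw in $1; do
        if gw_alive "$gw"; then
            live="$live $gw"
        fi
    done
    echo "${live# }"
}

# Build the "ip route replace" line for an equal-cost multipath default
# route over the gateways in $1 (one nexthop clause per gateway).
# Returns 1 with a message on stderr if the list is empty, so a caller
# never installs an empty default route.
multipath_default_cmd() {
    if [ -z "$1" ]; then
        echo "multipath_default_cmd: no live gateways" >&2
        return 1
    fi
    cmd="ip route replace default scope global"
    for gw in $1; do
        cmd="$cmd nexthop via $gw dev $OUT_IF weight 1"
    done
    echo "$cmd"
}

# Probe the routers, install the route over the live ones, and flush the
# routing cache so flows already pinned to a dead nexthop are re-evaluated.
apply_default_route() {
    cmd=$(multipath_default_cmd "$(live_gateways "$GATEWAYS")")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$cmd"
        echo "ip route flush cache"
    else
        $cmd
        ip route flush cache
    fi
}

# Run from cron (e.g. once a minute) with AUTO_APPLY=1 so the nexthop set
# tracks router availability; sourcing the file just defines the functions.
if [ "${AUTO_APPLY:-0}" = 1 ]; then
    apply_default_route
fi
```

Two caveats a practitioner would want stated: the 2.4 kernel does not detect a dead nexthop on its own (the per-flow route cache keeps sending to whatever it picked first), which is why the script re-probes and flushes the cache rather than installing the route once; and a ping to the router's inside address does not see a failed BGP session or T-1 behind it. If the Ciscos can run HSRP/VRRP and withdraw the virtual address when their upstream fails, a single default route to that shared address is simpler than any of this.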