[MLB-WIRELESS] Three NICs, one firewall

Chris Samuel chris at csamuel.org
Wed Apr 23 13:36:52 EST 2003



On Wednesday 23 Apr 2003 10:58 am, sanbar wrote:

> I have three NICs in my server. eth0 serves a Net connection, eth1
> serves an internal lan, and eth2 has been added to serve the wireless
> side of things.
> Problem is that I need to reconfigure the firewall for eth2. Seeing as
> I've never dealt with more than two NICs in the one box before, I'm at a
> bit of a loss as to how I can achieve this.

I would *strongly* suggest that you look at using something like the Shorewall 
iptables firewall configuration system for such a system.

It allows you to neatly abstract all that into zones, policies and rules, thus 
making it conceptually a lot easier (as well as you not having to deal with 
all the intricacies of the iptables commands).

You assign a network card to a zone (say loc, net and dmz), then you state the 
general policy for traffic between zones, then you use rules to specify the 
exceptions to the policies.  It will also configure masquerading and 
redirection of connections (useful if you want to send dubious packets to an 
IDS).

It also supports IPSEC, GRE & IPIP tunnels (though I've not played with those 
yet).

Upshot is, say you start off with a system with two interfaces, one of which is 
for the internet and one for local systems. You mark which one is which in 
your interfaces file thus:

net     ppp0    detect
loc     eth0    detect

and then you set up the policies on what is allowed to where. Now, say you get 
a second card and want that to also be a local network, then you add that to 
the interfaces file and say that's in the loc zone too, and bam - as long as 
you've got a policy of saying that loc to loc traffic is allowed then it will 
work the rest out for you.
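As an added illustration (not from Chris's post or the Shorewall project's own documentation), here is what the five Shorewall configuration files could look like for the three-NIC box sanbar describes: eth0 to the Internet, eth1 the wired LAN, eth2 the wireless side. The zone name "wifi", the choice to treat wireless as a separate, less-trusted zone rather than lumping it into loc, and the specific ports are this example's own assumptions; interfaces, policies and rules follow the zone/policy/rule model described above.

```text
# /etc/shorewall/zones        (ZONE   DISPLAY   COMMENTS)
# "wifi" is a zone name chosen for this example; "fw" is the firewall itself.
net     Net       Internet, reached via eth0
loc     Local     Wired LAN on eth1
wifi    Wifi      Wireless segment on eth2, assumed less trusted than loc

# /etc/shorewall/interfaces   (ZONE   INTERFACE   BROADCAST   OPTIONS)
net     eth0      detect
loc     eth1      detect
wifi    eth2      detect

# /etc/shorewall/policy       (SOURCE   DEST   POLICY   LOG LEVEL)
# Entries are matched top-down, so the specific lines come before the catch-alls.
loc     net       ACCEPT
wifi    net       ACCEPT
loc     wifi      ACCEPT
loc     fw        ACCEPT
fw      all       ACCEPT
wifi    loc       DROP     info      # wireless may not reach the wired LAN
net     all       DROP     info      # inbound from the Internet is dropped and logged
all     all       REJECT   info      # anything not covered above

# /etc/shorewall/rules        (ACTION   SOURCE   DEST   PROTO   DEST PORT(S))
# Exceptions to the policies: wireless clients may use the box for DNS and ssh only.
ACCEPT  wifi      fw     udp     53
ACCEPT  wifi      fw     tcp     22

# /etc/shorewall/masq         (INTERFACE   SUBNET)
# Masquerade both internal segments out of the Internet-facing card.
eth0    eth1
eth0    eth2
```

Adding a fourth card later is then the one-line change Chris describes: another interfaces entry placed in loc or wifi, with the existing policies taking care of the rest. Running `shorewall check` before `shorewall restart` catches syntax slips in these files without touching the live rule set.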

Their website is at:

			http://www.shorewall.net/

-- 
 Chris Samuel  :  http://csamuel.org/  :  Melbourne, VIC

 Need someone with 10 years of Linux, Unix, Networking
   & IT Security skills in Melbourne, VIC ? Email me.

