Some progress this morning
2005-06-28 12:40 pm
The networking and firewall on my new gateway-to-be are almost completely configured now. Even tested a little. I finally got over some kind of mental block and set it up in a test configuration (i.e., not the final set of IP addresses, because that would conflict with the current gw).
Geeky Details:
I'm using Shoreline Firewall (Shorewall), which is what's on the old gateway, so I started out reasonably familiar with it (though there's a fair amount of new stuff and my new configuration will be much more complex).
There are two tricky bits: the first is that I have a real DMZ now, with a separate interface. That's where the wireless subnet is going. I could have just connected it directly to the DSL line, since I have 5 IP addresses and am only using 4, but putting it on the gateway means I can monitor and control the traffic much more easily.
The second complication, which Shorewall makes fairly simple, is putting the Windows and Linux boxen on separate subnets over the same wires. (Yes, a box in promiscuous mode could theoretically sniff packets from both networks, but that segment of the LAN is switched, so I'm not going to worry about it too much.) Shorewall will happily treat the two subnets as separate zones, and do routing and filtering between them just as if they were on two separate interfaces.
Not only does this isolate the easily-compromised Windows boxen pretty well, with much stricter filtering rules, but it allows me to give the dual-boot machines different addresses depending on which OS they're running.
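For readers who want to see what the layout above looks like in Shorewall's tables, here is a sketch added to this entry as an illustration; it is not copied from the gateway in the post. Interface names (eth0 for the DSL line, eth1 for the shared wired segment, eth2 for the wireless DMZ), the three private subnets, and the zone names loc/win/dmz are all assumptions, and the column layouts are those of the Shorewall 2.x releases current in mid-2005 (the zones file changed format in 3.0).

```conf
# Assumed layout (not from the post):
#   eth0 = DSL line, zone net
#   eth1 = one wired segment carrying two subnets:
#          192.168.1.0/24 Linux boxen (zone loc)
#          192.168.2.0/24 Windows boxen (zone win)
#   eth2 = wireless DMZ, 192.168.3.0/24 (zone dmz)
# The gateway needs an address in both eth1 subnets before Shorewall starts,
# e.g.  ip addr add 192.168.2.1/24 dev eth1  (192.168.1.1/24 is eth1's primary).

# /etc/shorewall/zones      (Shorewall 2.x columns: ZONE DISPLAY COMMENTS)
net     Net     The DSL line
loc     Loc     Wired Linux subnet
win     Win     Wired Windows subnet, same cable as loc
dmz     DMZ     Wireless subnet on its own interface

# /etc/shorewall/interfaces (ZONE INTERFACE BROADCAST OPTIONS)
# eth1 gets no zone here; its two zones are defined per subnet in hosts.
# routeback lets loc<->win traffic enter and leave through the same interface.
net     eth0    detect  norfc1918,tcpflags
-       eth1    detect  routeback,tcpflags
dmz     eth2    detect  tcpflags

# /etc/shorewall/hosts      (ZONE HOST(S) OPTIONS)
loc     eth1:192.168.1.0/24
win     eth1:192.168.2.0/24

# /etc/shorewall/policy     (SOURCE DEST POLICY LOG-LEVEL)
# Linux side may reach everything; Windows side and the wireless DMZ
# only get out to the net and to whatever rules explicitly open.
loc     net     ACCEPT
loc     win     ACCEPT
loc     dmz     ACCEPT
win     net     ACCEPT
win     loc     DROP    info
win     dmz     DROP    info
dmz     net     ACCEPT
dmz     loc     DROP    info
dmz     win     DROP    info
$FW     all     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules      (ACTION SOURCE DEST PROTO DEST-PORT(S))
# The few services the restricted zones need from the gateway itself.
ACCEPT  loc     $FW     tcp     22
ACCEPT  win     $FW     udp     53
ACCEPT  dmz     $FW     udp     53
ACCEPT  dmz     $FW     udp     67:68
```

Address translation for the DSL side (the masq file, or proxy ARP for the spare public addresses) is deliberately left out, since the post does not say how the public addresses are used. One point worth keeping in mind with the shared-wire arrangement: the loc/win separation holds only as long as each host routes through the gateway. A machine on the eth1 segment that gives itself an address in the other subnet talks to those neighbours directly, and the switch delivers the frames without the firewall ever seeing them, so the filtering between the two zones is a convenience boundary, not a hard one; the wireless DMZ on its own interface does not have that weakness.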
Whether I have it all together before tomorrow is, of course, still an open question.