From: Tom E. <te...@sh...> - 2004-06-08 21:12:33
Steven Drew wrote:
> Hello
>
> This question could well have been answered before, but I am having
> difficulty locating it, so I was hoping someone could help.
>
> I work for a small UK based company and we have broadband, using PPP. It's a
> Netgear ADSL modem/firewall/4 port switch. It doesn't connect straight into
> a PC, but into the same switch as the other PC's, using ethernet.
>

Does the Netgear do NAT/Masquerade?

> The firewall on the Netgear is not very configurable, and I need a more
> robust solution. I'd like to start with setting up Shorewall. The
> configuration I have in mind is exactly as specified in the three interface
> firewall guide on Shorewall.net, except for one small alteration. I need to
> connect an Ethernet cable to the ADSL modem. The modem itself plugs into the
> phone line, using PPP. So, the modem has two interfaces, PPP and Ethernet.
> The plan is to plug directly into the ADSL modem using an Ethernet cable.

So you will connect the Shorewall box to the ADSL modem using an ethernet cable; that's basically what is shown in the URL you quote below and it is exactly what I do (http://shorewall.net/myfiles.htm) although my ADSL modem does not have a built in switch.

> The rest of the diagram as specified here
> http://www.shorewall.net/three-interface.htm

The setup described in the Three-interface QuickStart guide will work ok, although it is a bit silly to perform NAT in the Shorewall box if the "modem" already does NAT itself. If your "modem" does do NAT, I would prefer to make the Shorewall box act as a bridge (see http://shorewall.net/bridge.html).

My configuration has a three-interface system (Wookie) configured as a bridge but it treats the three interfaces as Net, Local and WiFi. Since it is behind another firewall, Wookie doesn't worry about restricting connections from the 'net' zone but rather is interested in restricting what can be done from the 'WiFi' zone.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ te...@sh...