[NTLUG:Discuss] Router Needed? -- Zones are zones, reconfigure them (very easy)

Bryan J. Smith b.j.smith at ieee.org
Thu Jul 8 17:09:35 CDT 2004


Ralph Green, Jr wrote:  
> Howdy, I am a satisfied IPCOP user.  I have never set up an orange
> zone in IPCOP, but I did set one up for a friend using Smoothwall(from
> which IPCOP forked).  There must be some subtlety to your answer that
> I am missing, because the whole purpose of the orange zone is to
> isolate those machines that do need to receive connections from the
> red zone.

ORANGE is simply another, separate zone.  What you do with it is up
to you.

The common usage is to use it as a DMZ, accepting limited connections
from RED (Internet).  E.g., you open up explicit services to your public
Internet servers.  The ORANGE subnet can be public IPs, or private IPs
(DNAT).  It can _not_ normally access GREEN (LAN), but you can always
punch holes in it (e.g., for IPSec or VPNs).

Neither RED nor ORANGE can access GREEN.  You don't want ORANGE to
be able to access GREEN, in case a DMZ server is compromised.  So it's
_already_ great for segmenting LANs!

So an alternative use is to use ORANGE as a 2nd GREEN-like, but separate
from GREEN itself.  That way you can use it for segmenting WLAN from
wired Ethernet, or any subnet in your organization as such.  I would
recommend doing this with the gentleman's conference room.

With IPCop 1.4, you now have a 4th zone, BLUE, designed _specifically_
for this purpose.  So you can use ORANGE as your DMZ as normal, or as
yet a 3rd GREEN-like interface.  It is really up to you.

> The orange zone usually contains web server or mail servers that the
> outside world must be able to reach.

Normally.  But there is _nothing_ stopping you from using ORANGE as
a 2nd GREEN-like interface.  It can SNAT as well as DNAT, you just
don't open any incoming ports from RED and bam, it's basically another
GREEN.

RED cannot get to either ORANGE or GREEN without explicit access.
ORANGE cannot get to GREEN either, to ensure segmentation of any DMZ.
This makes it ideal for a 2nd GREEN-like zone, separate from GREEN.

> Now, the red zone cannot initiate contact to your green zone.

Of course.  And I can prevent the same into ORANGE as well.  In fact,
is not ORANGE configured as such to begin with (and you must open
_explicit_ ports to it)?

> Am I missing something, or did you mean to say green?

Nope, I meant ORANGE.  Use ORANGE as a 2nd GREEN-like interface for
the conference room.  The two will be segmented from one another.

[ Although I think GREEN can access ORANGE by default, not sure.
But it shouldn't matter, you only want to prevent access from ORANGE
(conference room) to GREEN (LAN). ]


terry wrote:  
> Did IPCOP crash?  Or DIE?
> If so, what happened?
> Hardware failure?  Software failure? or what?
> IPCOP v1.3.0 ? all 9 updates?

No, IPCop was a fork of Smoothwall 0.9.9 about 4 years ago.
It was largely done for social reasons.  I will let those
involved explain them, but their reasons were sound IMHO.
IPCop Leader Jack Beglinger is a co-founder of LEAP, the
LUG here in Orlando.  Phil Barnett, also a co-founder, was
also involved as well.

The current IPCop 1.3.0 is a radical re-write of many things.
The current IPCop 1.4.0beta4 barely has any SmoothWall in it now.

A lot of Smoothwall'ers got pissed when the IPCop article in
January 2004 Sys Admin (the #1 UNIX/Linux mag in print circulation)
didn't attribute Smoothwall.  But the fact is that IPCop 1.3.0 is
radically changed from its SmoothWall 0.9.9 origins. It would not
be fair to attribute SmoothWall without listing the 4 years of
massive improvements -- including the _majority_ of SmoothWall
components being ripped out.

And after all that, SmoothWall/IPCop team development only
comprises ~0.01% of the total development in the distribution.

> I think what he's saying is making it sort-of like:
> red green-1 green-2
> instead of the conventional
> red green orange

Yes.  I do it right now with WLAN -- segmenting WLAN on ORANGE.
It acts like a 2nd GREEN.

> In other words, not using the orange interface for servers but
> just using it to isolate visitor LAN from office LAN, therefore
> allowing visitor LAN access to internet and nothing more. ie.
> green = office LAN
> orange = visitor LAN

Exactomundo.

> (I don't know if it'd work but makes sense to me.) (Don't see why not.)

Works great.  I don't recommend using a cheap "NAT" device though.
Use a bridging access point instead, which solves a lot of ARP headaches.

The reconfiguration can be done 100% from the GUI.  It's basically
"ready-to-go" as you must pin-hole RED to ORANGE before it's a usable
DMZ anyway.


-- 
     Linux Enthusiasts call me anti-Linux.
   Windows Enthusiasts call me anti-Microsoft.
 They both must be correct because I have over a
decade of experience with both in mission critical
environments, resulting in a bigotry dedicated to
 mitigating risk and focusing on technologies ...
           not products or vendors
--------------------------------------------------
Bryan J. Smith, E.I.         b.j.smith at ieee.org
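Added example (editor's code, not from Bryan's post and not IPCop's or Smoothwall's own rules): a small Python model of the zone matrix the thread describes. It lets you ask whether a new connection from one zone to another would be forwarded, and renders the equivalent iptables FORWARD/nat rules. ORANGE is shown both ways the post discusses: as a visitor LAN (no pinholes, so ORANGE hosts reach RED and nothing else) and as a DMZ (one explicit RED-to-ORANGE pinhole with DNAT). The interface names, the 10.10.10.80 address, and the assumption that GREEN may initiate to ORANGE and BLUE by default are mine, not stated by the post.

```python
# Added example: zone-matrix model of an IPCop-style RED/GREEN/ORANGE/BLUE firewall.
# Not code from IPCop; interface names and default matrix below are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed interface-to-zone mapping; a real IPCop box assigns these at install.
IFACE = {"RED": "eth0", "GREEN": "eth1", "ORANGE": "eth2", "BLUE": "eth3"}

# Assumed default matrix of which zone may *initiate* connections to which.
# RED initiates nothing, ORANGE and BLUE reach only RED, GREEN reaches all.
# Anything not listed here (e.g. ORANGE->GREEN) is dropped unless pinholed.
DEFAULT_ALLOW = {
    ("GREEN", "RED"), ("GREEN", "ORANGE"), ("GREEN", "BLUE"),
    ("ORANGE", "RED"),
    ("BLUE", "RED"),
}


@dataclass(frozen=True)
class Pinhole:
    """An explicit hole through the default matrix, e.g. RED->ORANGE tcp/80."""
    src: str
    dst: str
    proto: str
    dport: int
    dnat_to: Optional[str] = None   # private IP behind the hole when DNAT is used


@dataclass
class ZonePolicy:
    pinholes: List[Pinhole] = field(default_factory=list)

    def allowed(self, src: str, dst: str, proto: str = "tcp",
                dport: Optional[int] = None) -> bool:
        """Would a *new* connection from zone src to zone dst be forwarded?"""
        if src == dst:
            return True          # same subnet, never crosses the firewall
        if (src, dst) in DEFAULT_ALLOW:
            return True
        return any(p.src == src and p.dst == dst and p.proto == proto
                   and p.dport == dport for p in self.pinholes)

    def iptables_rules(self) -> List[str]:
        """Render the policy as iptables commands (filter FORWARD plus nat)."""
        red = IFACE["RED"]
        rules = [
            "iptables -P FORWARD DROP",
            "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        ]
        for src, dst in sorted(DEFAULT_ALLOW):
            rules.append(f"iptables -A FORWARD -i {IFACE[src]} -o {IFACE[dst]} -j ACCEPT")
        # Every inside zone shares RED via SNAT; this is what makes ORANGE
        # "basically another GREEN" when no pinholes are opened.
        rules.append(f"iptables -t nat -A POSTROUTING -o {red} -j MASQUERADE")
        for p in self.pinholes:
            fwd = (f"iptables -A FORWARD -i {IFACE[p.src]} -o {IFACE[p.dst]} "
                   f"-p {p.proto} --dport {p.dport}")
            if p.dnat_to:
                rules.append(f"iptables -t nat -A PREROUTING -i {IFACE[p.src]} "
                             f"-p {p.proto} --dport {p.dport} "
                             f"-j DNAT --to-destination {p.dnat_to}")
                fwd += f" -d {p.dnat_to}"   # FORWARD sees the post-DNAT address
            rules.append(fwd + " -j ACCEPT")
        return rules


# Case 1: ORANGE as a second GREEN-like zone (conference room / visitor LAN).
visitor_lan = ZonePolicy()

# Case 2: ORANGE as a DMZ with one public web server DNATed to a private IP
# (10.10.10.80 is a constructed address for the example).
dmz = ZonePolicy(pinholes=[Pinhole("RED", "ORANGE", "tcp", 80, dnat_to="10.10.10.80")])

if __name__ == "__main__":
    for name, pol in (("visitor", visitor_lan), ("dmz", dmz)):
        print(f"{name}: ORANGE->GREEN smb  {pol.allowed('ORANGE', 'GREEN', 'tcp', 445)}")
        print(f"{name}: GREEN->ORANGE ssh  {pol.allowed('GREEN', 'ORANGE', 'tcp', 22)}")
        print(f"{name}: RED->ORANGE http   {pol.allowed('RED', 'ORANGE', 'tcp', 80)}")
    print("\n".join(dmz.iptables_rules()))
```

The two cases differ only in the pinhole list, which is the point of the post: the segmentation between ORANGE and GREEN is the same either way, and "DMZ" versus "visitor LAN" is just whether you open anything from RED.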