View Full Version : new IN+NET gateway to use fewer IPs


JodyThreet
04-02-2008, 10:15 AM
I would like to have a new gateway that worked as both an IN and a NET gateway, so I could create twice as many apps with the same number of IPs.

As it is now I will have to combine several apps into 1 app to conserve IPs. Of course, then if I need to restart the aggregated app, it ends up having to restart a bunch of appliances that don't really need to restart.

PeterNic
04-04-2008, 07:47 PM
Jody - makes sense. There seem to be a lot of possible combinations, though -- INSSL+OUT, INSSL+NET, IN+OUT, IN+NET... We are also working on some new input gateways that will add services for disaster recovery and for scale-out. We'll discuss with the engineering and support folks to see what we can provide that is going to be reasonably universal.

In the meantime our support can help you build your custom IN+NET appliance if you like. Best of all, after that we can put the procedure here, post a recorded session -- or the whole appliance for download.

Regards,
-- Peter

Dmitry@Rivermine
08-14-2008, 01:34 PM
I requested this a while ago but now I have ended up building my own out of the NET appliance. I've added some custom rules to the iptables-fwrules file to use it as a firewall and port forward certain connections to the "inside", avoiding having to rely on the "Protocols" tab of the appliance. It's working great.

Dionysius
08-08-2011, 03:47 PM
Sorry for grabbing this thread up, but we're also looking for something similar. We have just a few ranges of public IPs and have to spend 2 of them for each tiny application. Also I'm not really familiar with iptables so I'm unable to branch one for myself.

Is someone able to merge the INSSLR with the NET to an INSSLRNET? We're currently using the default appliances from applogic v3.0.30. Or does someone know some key points of doing this myself? Maybe then it's possible for me.

Thanks a lot for any help!

Denis

PavelGeorgiev
08-08-2011, 05:41 PM
Here is one way to combine IN and NET:

1) Branch a NET appliance
2) Add an out terminal
3) Copy the iface* properties from an IN boundary to the new class
4) Apply the attached patch to /appliance/iptables-fwrules.sh

You connect any appliance that needs internet access to the in terminal, and connect the out terminal to the appliance that needs to be accessed from the internet (use the iface* properties to configure what protos/ports are allowed).
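
One way to write the iptables side of step 4, as an added example that is not Pavel's attached patch or AppLogic's own code: a small shell function that emits the combined NET rules (masquerade outbound traffic) and IN rules (forward only the listed proto:port pairs to the inside host, default deny for everything else) so they can be reviewed before being applied. Interface names, the inside address and the allowed-port list are assumptions passed in as arguments.

```shell
#!/bin/sh
# Added example (not from the thread or AppLogic): prints the iptables commands
# a combined IN+NET gateway needs, one per line, for review before applying.
#   $1  external (routable) interface, e.g. eth0      (assumed name)
#   $2  internal interface facing the application, e.g. eth1
#   $3  inside address that the "out" terminal forwards to
#   $4  space-separated proto:port entries allowed in from the internet
gen_gateway_rules() {
    ext_if=$1; int_if=$2; inside_ip=$3; allowed=$4
    ipt="iptables"
    # Default deny for forwarded traffic; only explicitly listed flows pass.
    echo "$ipt -P FORWARD DROP"
    echo "$ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # NET role: hosts behind $int_if reach the internet via source NAT.
    echo "$ipt -A FORWARD -i $int_if -o $ext_if -j ACCEPT"
    echo "$ipt -t nat -A POSTROUTING -o $ext_if -j MASQUERADE"
    # IN role: each allowed proto:port is DNATed to the inside host and the
    # matching new connection is permitted through FORWARD; nothing else is.
    for entry in $allowed; do
        proto=${entry%%:*}; port=${entry#*:}
        case $proto in tcp|udp) ;; *) echo "bad proto: $entry" >&2; return 1;; esac
        echo "$ipt -t nat -A PREROUTING -i $ext_if -p $proto --dport $port -j DNAT --to-destination $inside_ip:$port"
        echo "$ipt -A FORWARD -i $ext_if -o $int_if -p $proto -d $inside_ip --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Usage with constructed values: inspect the output, then pipe it to sh to apply.
gen_gateway_rules eth0 eth1 10.0.0.10 "tcp:80 tcp:443"
```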

Dionysius
08-09-2011, 12:36 AM
Thanks a lot!
I'll give it a try.

GChiba
09-08-2011, 05:54 PM
Hi Peter and Pavel,

Do you have any tips to manage these iptables rules via GUI?
AppLogic provides port based filtering rules only, and some Japanese users would like to change forwarding rules and implement these bidirectional gateway appliances...

PeterNic
12-13-2011, 08:58 PM
Hi Go,

Sorry for the delayed reply.

You can implement a rule-based and GUI-enabled version of the gateway - I am not sure how useful this is going to be for the regular gateways, though, as the separation of firewalls per interface aims to make complex rule configurations unnecessary. But there might be use cases when this is appropriate.

Where I have seen several others express interest in GUI-based, traditional style firewalls is when the customer wants to provide a general firewall - e.g., have a separate "firewall" application, which is the only one that uses real routable addresses; and it passes in, to an RFC1918 address space, only what's allowed (similar to installing a physical firewall in front of the grid); and then having all/most other applications use the RFC 1918 addresses only. This is especially useful for development/lab environments, where users tend to be less careful about passwords and tying down ports and services.

This can be implemented as a simple packaging of an open source or commercial firewall. On the OSS side, Vyatta is a full router package with firewall; there is also a variety of web GUIs on top of Linux iptables, like APF. There are also some commercial offerings listed in Wikipedia (http://en.wikipedia.org/wiki/Virtual_firewall) (I haven't used any of them so I cannot endorse or make a recommendation). The best is that you can choose any package you like or are already familiar with, and even have more than one.

It is possible that some of our partners already have something like that - maybe someone can post from the appliance wishlist and/or marketplace forums.

Best regards,

- Peter

PS: This type of general firewall/NAT router can also be used to reduce the total number of routable IPs used -- which, incidentally, was the original topic of this thread.