Hi people,

OK, excuse the ASCII art, this is the best I can manage!

In the below diagram, firewall 1 and 2 will be Bering RC3 boxes. Currently,
I have shorewall 1.3.7c, but it will be upgraded to 1.3.9a when I start
playing again.

I'm trying to configure a network as follows (yes I know I could do it
simpler but I'm playing!):

 +========+
 |Internet|
 +========+
      |
      |
      | ppp0 isp given
+----------+                 +========+
|Firewall 2|-----------------|  SDMZ  | 10.46.23.x
+----------+eth1  10.46.23.x +========+
      | eth0 10.0.1.1
      |
      |
 +========+
 |  DMZ   | 10.0.1.x (going to include mail, dns, dhcp, web proxy etc)
 +========+
      |
      |
      | eth2 10.0.1.5
+----------+
|Firewall 1|
+----------+
      | eth0 192.168.1.1
      |
      |
 +========+
 |Internal|  192.168.1.x
 +========+

And I am having a problem!

Firewall one's host file is fine, and seems to work ok, but I am unsure
what to put in the /etc/shorewall/hosts file to describe zones in Firewall
1.

DMZ and SDMZ are easy:
  dmz       eth2:10.0.1.0/24
  sdmz      eth2:10.46.23.0/24

But what do I put for net?
Neither of these lines appeared to work:
  net       eth2:0.0.0.0/0,eth2:!10.0.1.0/24,eth2:!10.46.23.0/24
  net       eth2:!10.0.1.0/24,eth2:!10.46.23.0/24

Nor did splitting it up onto separate lines:
  net       eth2:!10.0.1.0/24
  net       eth2:!10.46.23.0/24

How do I specify that the net zone is everything BUT 10.0.1.0/24 and
10.46.23.0/24 in hosts??

Thanks,

Gavin
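
The address set asked about above (everything behind eth2 except 10.0.1.0/24 and 10.46.23.0/24) can also be written as plain CIDR blocks with no negation. The following is an added example, not part of the original post; the function names are made up for illustration, and it only computes the blocks: that a given Shorewall version accepts a list of this length in /etc/shorewall/hosts is an assumption to verify.

```python
import ipaddress


def complement(excluded, universe="0.0.0.0/0"):
    """Return the CIDR blocks that cover `universe` minus every network in `excluded`."""
    remaining = [ipaddress.ip_network(universe)]
    for raw in excluded:
        hole = ipaddress.ip_network(raw)
        kept = []
        for block in remaining:
            if hole.subnet_of(block):
                # The excluded network sits inside this block: split the block
                # into the sibling networks that surround the hole.
                kept.extend(block.address_exclude(hole))
            elif block.subnet_of(hole):
                # The block is entirely inside the excluded network: drop it.
                continue
            else:
                kept.append(block)
        remaining = kept
    return sorted(remaining)


def hosts_lines(zone, iface, blocks):
    """Format blocks in the 'zone  interface:network' layout used in the post."""
    return [f"{zone:<9} {iface}:{block}" for block in blocks]


if __name__ == "__main__":
    # Subnets taken from the post: the DMZ and SDMZ networks.
    blocks = complement(["10.0.1.0/24", "10.46.23.0/24"])
    for line in hosts_lines("net", "eth2", blocks):
        print(line)
```
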



