Hi all, I have some very specific questions about the Shorewall configuration:

1. I've got a network 10.0.0.0/22. 10.0.0.1 - 10.0.0.255 are the servers and 10.0.1.1 - 10.0.3.254 are the clients. The router running Bering/Shorewall is at 10.0.0.1. I want to divide this network into two nested (correct word for that?) zones, a "server" and a "client" zone. Is it possible to say:

   /etc/shorewall/zones:
   servers    Servers    Server Zone
   clients    Clients    Client Zone

   /etc/shorewall/interfaces:
   -          eth1       detect          #no options

   /etc/shorewall/hosts:
   servers    eth1:10.0.0.0/24    dhcp
   clients    eth1:10.0.1.0/23    dhcp

   ? My question is especially about the /23 netmask, but also whether this is possible at all.

2. There is a firewall connected to the Bering/Shorewall router (a Watchguard Firebox). This firewall runs some VPN IPSEC tunnels to remote offices. This firewall also connects our LAN to the internet. Because internet traffic and "office" traffic come in on the same interface, I did the following:

   /etc/shorewall/zones:
   roffice1   RemoteOffice1   Remote Office 1
   roffice2   RemoteOffice2   Remote Office 2
   inet       Internet        Internet

   /etc/shorewall/interfaces:
   -          eth0       detect          #no options

   /etc/shorewall/hosts:
   roffice1   eth0:10.11.0.0/24   #no options
   roffice2   eth0:10.10.0.0/24   #no options
   inet       eth0:0.0.0.0/0      #no options

   Is this setup correct? I want to distinguish the two remote offices from the internet and specify rules in the policy and rules file.

3. If I have an interface with two or more IP addresses, do I have to specify the "multi" option in the interfaces file, the hosts file, or in both files? (I want to route between them.) I've read a message on shorewall-users from Tom which says the following (not sure if I understood it correctly): "When you have two IPs on an interface but define both subnets in the hosts file as different zones, you don't need the multi option at all."

4. The last question is about the broadcast "detect" option in the interfaces file. If I've got two IPs on one interface but specify both subnets in the hosts file, may I use the "detect" option? (This question also belongs to question #3.) I assume that I can _always_ use the "detect" option when there is only one IP assigned to an interface?

If you need more information, please let me know. Thanks for your answer.

so long
-- 
Sandro Minola | LEAF Developer (http://leaf.sourceforge.net)
http://www.minola.ch | http://leaf.sourceforge.net/devel/sminola
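Two of the questions above (the /23 prefix in question 1 and the overlapping eth0 zones in question 2) can be checked mechanically before touching the firewall. The Python below is an added example written for this thread; it is not the poster's configuration or part of Shorewall. It assumes only the address ranges and zone names stated in the post, and it renders hosts-file lines in Shorewall's ZONE / HOST(S) / OPTIONS column layout. It goes slightly beyond the question by summarizing an arbitrary address range into the minimal set of aligned prefixes and by listing which zone definitions nest inside others.

```python
import ipaddress

# Constructed from the ranges stated in the post (questions 1 and 2); not the poster's files.
SERVER_RANGE = ("10.0.0.0", "10.0.0.255")
CLIENT_RANGE = ("10.0.1.0", "10.0.3.255")
ETH0_ZONES = {            # question 2: zones defined on eth0 through the hosts file
    "roffice1": "10.11.0.0/24",
    "roffice2": "10.10.0.0/24",
    "inet": "0.0.0.0/0",
}


def is_aligned(cidr):
    """True if CIDR names a real network, i.e. no host bits are set in the address part."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False


def cover_range(first, last):
    """Minimal list of CIDR prefixes that exactly covers the inclusive address range."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]


def hosts_lines(zone, iface, prefixes, options="-"):
    """Render /etc/shorewall/hosts lines (ZONE  HOST(S)  OPTIONS), one line per prefix."""
    return [f"{zone:<10}{iface}:{p:<20}{options}" for p in prefixes]


def nested_zones(zones):
    """Pairs (inner, outer) where zone `inner`'s network lies entirely inside zone `outer`'s."""
    nets = {z: ipaddress.ip_network(c) for z, c in zones.items()}
    return sorted((a, b) for a in nets for b in nets
                  if a != b and nets[a].subnet_of(nets[b]))


if __name__ == "__main__":
    # Question 1: is the proposed client prefix a valid network, and what covers the range?
    print("10.0.1.0/23 aligned:", is_aligned("10.0.1.0/23"))
    for line in hosts_lines("servers", "eth1", cover_range(*SERVER_RANGE), "dhcp"):
        print(line)
    for line in hosts_lines("clients", "eth1", cover_range(*CLIENT_RANGE), "dhcp"):
        print(line)
    # Question 2: which eth0 zone definitions sit inside another zone's network?
    print("nested:", nested_zones(ETH0_ZONES))
```

Running it shows that 10.0.1.0/23 has host bits set (the aligned /23 containing it is 10.0.0.0/23, which would swallow the server range), so the client range 10.0.1.0 - 10.0.3.255 needs two hosts entries, 10.0.1.0/24 and 10.0.2.0/23. For eth0 it reports both remote-office networks as nested inside the inet zone's 0.0.0.0/0, which is the overlap the policy and rules files have to be written with in mind.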