--On Thursday, January 23, 2003 7:23 PM +0100 Sandro Minola <[EMAIL PROTECTED]> wrote:
Hi all

I've some very specific questions about the Shorewall configuration:

1. I've got a network 10.0.0.0/22. From 10.0.0.1 - 10.0.0.255 are the servers and from 10.0.1.1 - 10.0.3.254 are the clients. The Router running Bering/Shorewall is at 10.0.0.1. I want to divide this network in two nested (correct word for that?) zones. A "server" and a "client" zone.
Those zones aren't nested -- they are disjoint!
Is it possible to say:

/etc/shorewall/zones:
servers   Servers   Server Zone
clients   Clients   Client Zone
------- Maximum length of a zone name is 5 characters!
/etc/shorewall/interfaces:
-   eth1   detect   #no options

/etc/shorewall/hosts:
servers   eth1:10.0.0.0/24   dhcp
clients   eth1:10.0.1.0/23   dhcp

? My question concerns especially the /23 netmask, but also whether this is possible at all.
That's wrong -- you need:

servers   eth1:10.0.0.0/24                dhcp
clients   eth1:10.0.1.0/24,10.0.2.0/23    dhcp
2. There is a firewall connected to the Bering/Shorewall router (a Watchguard Firebox).
A real "belt and suspenders" setup :-)
This Firewall runs some VPN IPSEC tunnels to remote offices. This Firewall also connects our LAN to the internet. Because internet traffic and "office" traffic comes in on the same interface, I did the following:

/etc/shorewall/zones:
roffice1   RemoteOffice1   Remote Office 1
roffice2   RemoteOffice2   Remote Office 2
-------- 5 bytes max!
inet       Internet        Internet

/etc/shorewall/interfaces:
-   eth0   detect   #no options

/etc/shorewall/hosts:
roffice1   eth0:10.11.0.0/24   #no options
roffice2   eth0:10.10.0.0/24   #no options
inet       eth0:0.0.0.0/0      #no options

Is this setup correct? I want to distinguish the two remote offices from the internet and specify rules in the policy and rules file.
Yes!
3. If I have an interface with two or more IP addresses, do I have to specify the "multi" option in the interfaces file, hosts file or in both files? (I want to route between them)

No -- Not if:

a) The addresses correspond to different zones; or

b) The addresses are in the same zone but you have either intra-zone rules or an intra-zone policy for that zone.
4. Last question is about the broadcast "detect" option in the interfaces file. If I have two IPs on one interface but specify both subnets in the hosts file, may I use the "detect" option? (This question also relates to question #3.) I assume that I can _always_ use the "detect" option when there is only one IP assigned to an interface?
Yes -- "detect" only detects the first broadcast address.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: teastep    \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
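An added checker, not from the thread and not Shorewall's own code, for the hosts-file points raised above: the 5-character zone name limit, the 10.0.1.0/23 block that is not on a /23 boundary, and the overlap with the server zone that the masked block would cause. It goes beyond Sandro's exact case by splitting any start..end range into aligned CIDR blocks; the shortened zone names srv and cli in the corrected entries are assumptions, not names from the thread.

```python
# Added example, not from the thread or from Shorewall itself: check proposed
# /etc/shorewall/hosts entries for the problems raised in the reply: zone names
# over 5 characters, a block whose address is not on its prefix boundary
# (10.0.1.0/23), and blocks that overlap between zones.
import ipaddress

MAX_ZONE_NAME = 5  # limit quoted in the reply

# Constructed input: the hosts entries proposed in the question.
PROPOSED_HOSTS = [("servers", "eth1:10.0.0.0/24"), ("clients", "eth1:10.0.1.0/23")]

def split_range(first, last):
    """Smallest list of aligned CIDR blocks covering first..last inclusive."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]

def check_hosts(entries, max_name=MAX_ZONE_NAME):
    """Return a list of problem strings; an empty list means nothing found."""
    problems, accepted = [], []  # accepted: (zone, network) pairs seen so far
    for zone, spec in entries:
        if len(zone) > max_name:
            problems.append(f"zone '{zone}': {len(zone)} chars, limit is {max_name}")
        # Drop the 'eth1:' interface prefix; one zone may list several blocks.
        for cidr in spec.partition(":")[2].split(","):
            try:
                net = ipaddress.ip_network(cidr)  # strict: host bits must be 0
            except ValueError:
                net = ipaddress.ip_network(cidr, strict=False)
                problems.append(f"zone '{zone}': {cidr} is not on a /{net.prefixlen} "
                                f"boundary; the netmask turns it into {net}")
            for other_zone, other in accepted:
                if other_zone != zone and net.overlaps(other):
                    problems.append(f"zone '{zone}' {net} overlaps "
                                    f"zone '{other_zone}' {other}")
            accepted.append((zone, net))
    return problems

def corrected_hosts():
    """Entries with 5-char names (srv/cli are assumed) and aligned client blocks."""
    clients = ",".join(split_range("10.0.1.0", "10.0.3.255"))
    return [("srv", "eth1:10.0.0.0/24"), ("cli", "eth1:" + clients)]

if __name__ == "__main__":
    for problem in check_hosts(PROPOSED_HOSTS):
        print("proposed:", problem)
    print("corrected:", corrected_hosts(), "->", check_hosts(corrected_hosts()))
```

The masked form matters because a filter that applies the /23 netmask to 10.0.1.0 matches 10.0.0.0/23, which silently pulls the server subnet into the client zone.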