Marco Romano wrote:
> LAN server, single ethernet interface.
> By defining two zones in the shorewall hosts file as:
>
> #ZONE   HOST(S)              OPTIONS
> one     eth0:10.0.0.0/8      tcpflags,nosmurfs
> two     eth0:10.1.0.0/16     tcpflags,nosmurfs
>
> Is this correct?
> Because zone "two" is a subnetwork of zone "one", will packets arriving
> from 10.1.0.0/16 addresses always be correctly processed?
> Is there a chance for the firewall to erroneously process a packet
> coming from zone "two" (by applying rules for zone "one")?
> Does the order in which the zones are defined (in the hosts file or the
> zones file) make a difference in this specific case?
The order (in the zones file) makes a difference, but you should also
tell shorewall that two is a subzone of one by specifying them in
two:one format in the zones file.
You can see which zone is being processed first by running
shorewall show eth0_in
or shorewall show eth0_fwd
See http://www.shorewall.net/Documentation.htm#Zones for more
information about zone ordering.
--
Paul
<http://paulgear.webhop.net>
--
Did you know? The major music labels and on-line stores want to limit
your rights to listen to music you have legitimately purchased. Find
out more: http://iownmymusic.org/
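A configuration fragment that puts the nested-zone answer into the classic Shorewall 3.x/4.x file layout. It is added here and is not from Paul's reply or the Shorewall documentation; the zone name "fw", the policies and the SSH rule are illustrative choices, and the version assumption is mine.

```text
# /etc/shorewall/zones  (assumed Shorewall 3.x/4.x syntax, TYPE column "ipv4")
#ZONE      TYPE       OPTIONS
fw         firewall
two:one    ipv4                  # "two" is declared a sub-zone of "one", so it is matched first
one        ipv4

# /etc/shorewall/interfaces -- eth0 is in no single zone; membership comes from hosts
#ZONE   INTERFACE   BROADCAST   OPTIONS
-       eth0        detect

# /etc/shorewall/hosts -- the more specific network listed first, as on the page
#ZONE   HOST(S)              OPTIONS
two     eth0:10.1.0.0/16     tcpflags,nosmurfs
one     eth0:10.0.0.0/8      tcpflags,nosmurfs

# /etc/shorewall/policy (illustrative)
#SOURCE  DEST  POLICY    LOG_LEVEL
two      all   CONTINUE            # no "two" rule matched: fall through to "one"'s rules/policy
one      fw    DROP      info      # the rest of 10.0.0.0/8 may not reach the firewall
fw       all   ACCEPT
all      all   REJECT    info

# /etc/shorewall/rules (illustrative)
#ACTION  SOURCE  DEST  PROTO  DEST_PORT(S)
ACCEPT   two     fw    tcp    22   # only 10.1.0.0/16 hosts may open SSH to the firewall
```

With this layout a packet from 10.1.2.3 to tcp/22 is accepted by the "two" rule, the same host's packet to tcp/80 falls through CONTINUE to the "one" policy and is dropped, and a host elsewhere in 10.0.0.0/8 never sees the "two" rule at all; `shorewall show eth0_in` lists the zone-matching chain in that order.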
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
