Felix Bolte wrote:
> hi there,
>
> i have a question about the possibility of the following setup ... for better
> understanding, i've attached an image ... it's not big, but i apologize
> beforehand for putting that image on this list:
>
>
> well, there are 2 VLANs on each PC ... every VLAN should access its internal
> IPs (i.e. 172.16.10.2 should ping 172.16.10.3 without problems, because
> shorewall isn't interacting yet)
>
> what i want to do is, to give vlan1 access to vlan2, but only! with its
> external IPs (i.e. 172.16.10.2 should ping 192.168.10.10, but also its own
> VLAN members like 192.168.10.3)
>
> so there is one trick, i had to add the routeback option on the vlan
> interfaces, because when i ping from 172.16.10.2 inside vlan1 to the external
> IP 192.168.10.3, shorewall routes me back to the same interface, which isn't
> allowed by default ...
>
> so, i've tested this setup with shorewall and it works quite nicely ...
>
>
> interfaces:
>
> loc eth0 detect
> v1234 eth0.1234 detect routeback
> v1235 eth0.1235 detect routeback
>
> zones:
>
> fw firewall
> loc ipv4
> v1234 ipv4
> v1235 ipv4
>
> nat:
>
> 192.168.10.2 eth0:0 172.16.10.2 yes yes
> 192.168.10.3 eth0:1 172.16.10.3 yes yes
> 192.168.10.10 eth0:2 172.16.10.10 yes yes
> 192.168.10.11 eth0:3 172.16.10.11 yes yes
>
> policy:
>
> # from LAN
>
> loc v1234 ACCEPT
> loc v1235 ACCEPT
> loc $FW ACCEPT
> loc all REJECT
>
> # from firewall
>
> $FW v1234 REJECT
> $FW v1235 REJECT
> $FW loc REJECT
> $FW all REJECT
>
> # from VLANs
>
> v1234 v1235 DROP
> v1234 loc ACCEPT
> v1234 $FW DROP
> v1234 all DROP
>
> v1235 v1234 DROP
> v1235 loc ACCEPT
> v1235 $FW DROP
> v1235 all DROP
>
>
>
> now, my main problem ... probably i have to set up 10 or up to 100 VLANs ...
> i don't want to add them all manually to the config, especially the iptables
> rules will be blown up ... so there is a method to match all VLANs with one
> line:
>
> vlan eth0.+ detect
>
> but now the VLANs are handled as one zone(interface) ... so there is my
> problem ...
> without the routeback option, i can only ping the VLAN internal IPs ...
> i.e. from 172.16.10.2 to 172.16.10.3 or from 172.16.10.10 to 172.16.10.11, but nowhere else,
> because there is only one big vlan zone/interface ... so i have to put in the routeback option,
> which causes access to all IPs ... the 172.16.10.2 can ping the 172.16.10.10 (in the other VLAN),
> but i only want to use the external IPs to get access between different VLANs
>
>
> is there any way to set up such an environment without having 100 zones and
> interfaces if i have 100 VL
Have you looked at the hosts file?

Have a look at the parallel zones section at:
http://www.shorewall.net/Multiple_Zones.html

You want to control traffic based on ip network, right?
Think the zone layout needs a bit of work.

You could try something like this in the hosts file:

eth0.1234 eth0.1234:172.16.10.0/29
eth0.1235 eth0.1235:172.16.10.8/29

while changing interfaces to:

- eth0.1234 172.16.10.7
- eth0.1235 172.16.10.15

Hoping that is the quick fix for you,

Jerry

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
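The scripted generation Felix asks about, as an added example that is not from the thread or from Shorewall itself: it renders the zones, interfaces, hosts, nat and policy entries for a list of VLAN ids, following the addressing used above. Assumed: consecutive VLAN ids starting at 1234 each own one /29 of 172.16.10.0/24 (as in Jerry's hosts lines), zones are named v<id>, every host in a /29 gets a one-to-one NAT entry to the same host part in 192.168.10.0/24, and the policy keeps Felix's ordering with "vN all DROP" covering the other VLANs.

```python
import ipaddress
# Addressing copied from the thread: internal hosts live in 172.16.10.0/24, each
# VLAN owns one /29 of it (1234 -> 172.16.10.0/29, 1235 -> 172.16.10.8/29) and
# every internal 172.16.10.x is one-to-one NATed to 192.168.10.x.
# Assumed: VLAN ids are consecutive from FIRST_VLAN and zones are named v<id>.
INTERNAL_NET = ipaddress.ip_network("172.16.10.0/24")
EXTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")
FIRST_VLAN = 1234
TRUNK = "eth0"
SUBNETS = list(INTERNAL_NET.subnets(new_prefix=29))  # room for 32 VLANs

def vlan_subnet(vlan_id):
    """The /29 that belongs to vlan_id; refuse ids the /24 cannot hold."""
    index = vlan_id - FIRST_VLAN
    if not 0 <= index < len(SUBNETS):
        raise ValueError(f"no /29 left in {INTERNAL_NET} for VLAN {vlan_id}")
    return SUBNETS[index]

def external_for(internal_ip):
    # 172.16.10.x -> 192.168.10.x: keep the host part, as the nat file does.
    return EXTERNAL_NET.network_address + (int(internal_ip) - int(INTERNAL_NET.network_address))

def zones_lines(vlan_ids):
    return [f"v{v} ipv4" for v in vlan_ids]

def interfaces_lines(vlan_ids):
    # Zone column is '-': the zone is attached per subnet in the hosts file.
    return [f"- {TRUNK}.{v} {vlan_subnet(v).broadcast_address}" for v in vlan_ids]

def hosts_lines(vlan_ids):
    return [f"v{v} {TRUNK}.{v}:{vlan_subnet(v)}" for v in vlan_ids]

def nat_lines(vlan_ids):
    # One alias label (eth0:0, eth0:1, ...) per NATed host, as in the original.
    lines, label = [], 0
    for v in vlan_ids:
        for host in vlan_subnet(v).hosts():
            lines.append(f"{external_for(host)} {TRUNK}:{label} {host} yes yes")
            label += 1
    return lines

def policy_lines(vlan_ids):
    # First match wins, as in the original: per-zone lines precede the catch-alls.
    zones = [f"v{v}" for v in vlan_ids]
    lan = [f"loc {z} ACCEPT" for z in zones] + ["loc $FW ACCEPT", "loc all REJECT"]
    fw = [f"$FW {z} REJECT" for z in zones] + ["$FW loc REJECT", "$FW all REJECT"]
    per_vlan = [f"{z} {dst} {act}" for z in zones
                for dst, act in (("loc", "ACCEPT"), ("$FW", "DROP"), ("all", "DROP"))]
    return lan + fw + per_vlan
```

Each function returns the lines for one Shorewall file, so they can be joined and written out by whatever deploys the configuration; the ValueError stops generation once the /24 runs out of /29s.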
