Felix Bolte wrote:

> ok thank you ... please confirm if I've understood it correctly
> 
> with the routeback option all vlans can access each other which I
> will prevent in the policy-file and then I have to permit in the
> rules-file which subnets have access to the external IPs ...

That is basically correct.

The 'routeback' option has really nothing to do with connection permissions. It rather causes Shorewall to create infrastructure to handle the case where traffic entering an interface is sent back out of the same interface. Since this is usually a very silly thing to do, it is not the default behavior. This behavior does, however, make sense for a wild-card interface (one whose name ends in '+').

It is policies and rules that control connection permissions. The default intra-zone policy is ACCEPT, which you will override with the entry in /etc/shorewall/policy. You will then define which vlan->vlan connections you are willing to allow via the entry in /etc/shorewall/rules. The rule says that vlan->vlan traffic is permitted only if the original destination IP address is in the 192.168.10.0/24 network.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
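The configuration pieces the reply describes, laid out as one worked example (added here; not part of the original thread). The zone name vlan, the wild-card interface name vlan+, and the Shorewall 4.0-era column layout are assumptions; only the 192.168.10.0/24 network comes from the thread.

```text
# /etc/shorewall/zones  (constructed: a single zone "vlan" covering every VLAN subnet)
#ZONE   TYPE
fw      firewall
vlan    ipv4

# /etc/shorewall/interfaces  (constructed: wild-card "vlan+" matches vlan10, vlan20, ...)
# routeback only builds the chains needed for traffic that re-exits the interface
# it arrived on; it grants nothing by itself.
#ZONE   INTERFACE   BROADCAST   OPTIONS
vlan    vlan+       detect      routeback

# /etc/shorewall/policy  (the explicit vlan->vlan entry overrides the implicit
# intra-zone ACCEPT; it must appear above the catch-all)
#SOURCE  DEST   POLICY   LOG LEVEL
vlan     vlan   DROP     info
all      all    REJECT   info

# /etc/shorewall/rules  (re-open vlan->vlan only when the ORIGINAL DEST, i.e. the
# destination address before any DNAT, lies in 192.168.10.0/24)
#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST
ACCEPT   vlan    vlan  -      -             -               192.168.10.0/24
```

After editing, `shorewall check` reports column or syntax mistakes before `shorewall restart` loads the ruleset.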
