Hi,

Say eth0 is connected to the Internet and eth1 is a trunk port connected
to a managed switch. Everything on that switch can be regarded as a
member of the "loc" zone.

The other hosts are a member of one VLAN. They have arbitrary IP
addresses, outside of eth0's subnet. So, for example we have:

fw ifname  their IP     Intended use
-------------------------------------
eth0       194.109.x.1  Internet uplink
eth1.10    200.10.xx.5  HTTP server
eth1.11    201.61.x.21  Email server
eth1.12    80.214.xx.9  FTP server

The IPs (intentionally bogus), together with proxyarp, make the
clients' internet configuration easier because e.g. http could now just
specify 200.10.xx.254 as its gateway and Shorewall would answer the arp
request.

Anyway. I would like to know whether the following configuration is
valid:

/etc/shorewall/shorewall.conf
IMPLICIT_CONTINUE=Yes

/etc/shorewall/zones:
fw        ipv4
inet      ipv4
loc       ipv4
http:loc  ipv4
mail:loc  ipv4
ftp:loc   ipv4

/etc/shorewall/interfaces
inet  eth0
loc   eth1
http  eth1.10
mail  eth1.11
ftp   eth1.12

/etc/shorewall/policy
fw   all  ACCEPT
all  all  DROP:info

/etc/shorewall/rules
DROP    inet  all   icmp  8
ACCEPT  inet  loc   icmp
ACCEPT  inet  http  tcp   80,443
ACCEPT  inet  ftp   tcp   20,21

and so on.

If this is valid then as you can see it would allow me to have shared
rules for the parent (loc) e.g. drop ICMP echo request from inet to
loc, and specific rules for child zones. But I'm not sure if this is
valid - eth1 is not the same as eth1.10, right? Or is there a better
way to do the above?

-- 
Thanks,
Mark van Dijk.                ,---------------------------------
-----------------------------'         Fri Aug 31 16:14 UTC 2012
Today is Pungenday, the 24th day of Bureaucracy in the YOLD 3178
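The layout asked about above (child zones on VLAN sub-interfaces of the parent zone's trunk port) is easy to get subtly wrong when more VLANs are added later, so here is a small consistency check. It is an added example, not part of the post and not Shorewall's own tooling: it parses the zones, interfaces and rules files exactly as quoted in the post (copied inline as constructed input), builds the parent/child tree from the `child:parent` column, and flags any child zone whose interface is not an `ethX.N` sub-interface of an interface belonging to its parent, plus any zone used in the rules file that was never declared. It assumes the firewall zone is named `fw` and that the interfaces file uses the two-column `ZONE INTERFACE` form shown in the post; it makes no claim about how Shorewall itself evaluates nested zones, it only catches layouts that cannot be consistent.

```python
"""Sanity-check a Shorewall-style zone/interface layout for VLAN sub-interfaces.

Added example, not part of the mailing-list post and not Shorewall's own
tooling. It only reports internal inconsistencies in the three quoted files;
whether Shorewall accepts a consistent layout is a separate question.
"""
import re

# Constructed input: the zones/interfaces/rules files as quoted in the post.
ZONES = """\
fw        ipv4
inet      ipv4
loc       ipv4
http:loc  ipv4
mail:loc  ipv4
ftp:loc   ipv4
"""

INTERFACES = """\
inet  eth0
loc   eth1
http  eth1.10
mail  eth1.11
ftp   eth1.12
"""

RULES = """\
DROP    inet  all   icmp  8
ACCEPT  inet  loc   icmp
ACCEPT  inet  http  tcp   80,443
ACCEPT  inet  ftp   tcp   20,21
"""

# Assumption: VLAN sub-interfaces are named <base>.<vlan-id>, e.g. eth1.10.
VLAN_RE = re.compile(r"^(?P<base>[a-z0-9]+)\.(?P<vid>\d+)$")
FIREWALL_ZONE = "fw"  # assumption: the post's name for the firewall zone


def _records(text):
    """Yield whitespace-split fields of non-empty, non-comment lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_zones(text):
    """Return {zone: parent_or_None} from a zones file using `child:parent`."""
    zones = {}
    for fields in _records(text):
        name, _, parent = fields[0].partition(":")
        zones[name] = parent or None
    return zones


def parse_interfaces(text):
    """Return {zone: [interface, ...]} from a two-column interfaces file."""
    ifaces = {}
    for fields in _records(text):
        ifaces.setdefault(fields[0], []).append(fields[1])
    return ifaces


def parse_rule_zones(text):
    """Return the set of zone names in the SOURCE and DEST columns of a rules file."""
    used = set()
    for fields in _records(text):
        used.update(fields[1:3])
    return used


def check_layout(zones, ifaces, rule_zones=()):
    """Return a list of findings; an empty list means the layout is consistent."""
    findings = []
    for zone, parent in zones.items():
        if parent and parent not in zones:
            findings.append(f"zone {zone}: parent {parent} is not declared")
        if zone != FIREWALL_ZONE and zone not in ifaces:
            findings.append(f"zone {zone}: no interface assigned")
    for zone, parent in zones.items():
        if not parent:
            continue
        parent_ifaces = set(ifaces.get(parent, []))
        for dev in ifaces.get(zone, []):
            m = VLAN_RE.match(dev)
            if not m:
                findings.append(f"zone {zone}: {dev} is not a VLAN sub-interface")
            elif m.group("base") not in parent_ifaces:
                findings.append(
                    f"zone {zone}: {dev} does not hang off an interface of parent {parent}")
    for zone in rule_zones:
        if zone != "all" and zone not in zones:
            findings.append(f"rules: zone {zone} is not declared")
    return findings


def check_posted_config():
    """Run the checks against the configuration quoted in the post."""
    return check_layout(parse_zones(ZONES), parse_interfaces(INTERFACES),
                        parse_rule_zones(RULES))


if __name__ == "__main__":
    for finding in check_posted_config() or ["no inconsistencies found"]:
        print(finding)
```

Run against the quoted files the script reports no inconsistencies; moving, say, the ftp zone to `eth2.12` without giving `loc` a second trunk interface produces a finding, which is the kind of drift worth catching before a child zone silently stops matching its parent's shared rules.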

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
