On 08/31/2012 09:43 AM, Mark van Dijk wrote:

> 
> If this is valid then as you can see it would allow me to have shared
> rules for the parent (loc) e.g. drop ICMP echo request from inet to
> loc, and specific rules for child zones. But I'm not sure if this is
> valid - eth1 is not the same as eth1.10, right?

Right -- it isn't valid. Packets routed to/from eth1.10 are NOT routed
to/from eth1. In this configuration, eth1 doesn't have an IP address at
all so Netfilter won't match any packets against eth1.

> Or is there a better way to do the above?
> 

- define one zone Z that includes all three eth.nn,
- specify REJECT for the Z->Z policy.
- Use rules to specify which traffic is allowed.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

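For readers landing on this thread from the archives, here is what Tom's three-step answer looks like written out as Shorewall config fragments. This is an added example, not part of Tom's or Mark's mail and not taken from the Shorewall documentation; the interface names (eth0 for the internet, eth1.10/eth1.20/eth1.30 for the VLAN children), the zone names inet and loc, and the ports are assumptions chosen to match the question. The point it shows: because eth1 itself carries no address, the VLAN sub-interfaces are listed individually as members of one zone, the implicit intra-zone ACCEPT is overridden with an explicit REJECT policy, and only the wanted inter-VLAN traffic is opened back up with interface-qualified rules.

```text
# /etc/shorewall/zones  (assumed zone names)
#ZONE   TYPE
fw      firewall
inet    ipv4
loc     ipv4

# /etc/shorewall/interfaces
# The parent eth1 is NOT listed: it has no IP address, so netfilter would
# never match packets against it. Each VLAN child is a member of 'loc'.
#ZONE   INTERFACE   BROADCAST   OPTIONS
inet    eth0        detect      dhcp
loc     eth1.10     detect
loc     eth1.20     detect
loc     eth1.30     detect

# /etc/shorewall/policy
# Shorewall would otherwise ACCEPT loc->loc implicitly; the explicit REJECT
# makes the VLANs isolated from each other unless a rule says otherwise.
#SOURCE DEST    POLICY  LOG LEVEL
loc     loc     REJECT  info
loc     inet    ACCEPT
fw      all     ACCEPT
inet    all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
# Shared rule for the whole zone (the "parent" behaviour Mark wanted):
# drop ICMP echo requests from the internet to every VLAN at once.
#ACTION     SOURCE          DEST            PROTO   DEST PORT(S)
Ping(DROP)  inet            loc
# Child-specific exceptions, using zone:interface qualifiers (assumed
# policy: VLAN 10 may reach a web server on VLAN 20, nothing else crosses).
ACCEPT      loc:eth1.10     loc:eth1.20     tcp     80,443
# Allow the firewall's own DNS/NTP to be reached from all three VLANs.
ACCEPT      loc             fw              udp     53,123
```

After editing, `shorewall check` validates the files and `shorewall restart` applies them; `shorewall show` or `shorewall dump` lets you confirm that the loc2loc chain ends in a REJECT and that only the listed exceptions precede it.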

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
