Hi,

I want to specify 2 zones on a single subnet. So I identify the machines from zone1 by a maclist, and zone2 (overlapping zone1) is defined by its interface.

I want zone1 to have access to net, zone2 & firewall.
I want zone2 to have access to zone1 & firewall.

zone1 is working, no problemo, but zone2 gets rejected for everything.

Any idea? First post: should I copy the content of my config files?

Any help would be greatly appreciated.

PS: I think my needs are very close to the chapter "Some Hosts have Special Firewalling Requirements" on http://www.shorewall.net/Multiple_Zones.html but I don't want to specify a different subnet.

Thanks
Fred

-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
On Thursday 06 April 2006 08:36, Fred Lefévère-Laoide wrote:
> Hi,
>
> I want to specify 2 zones on a single subnet.
> So I identify the machines from zone1 by a maclist.

Not possible. MAC addresses may only be used to specify the packet *source* and hence are unsuitable for defining zones.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> On Thursday 06 April 2006 08:36, Fred Lefévère-Laoide wrote:
>> Hi,
>>
>> I want to specify 2 zones on a single subnet.
>> So I identify the machines from zone1 by a maclist.
>
> Not possible. MAC addresses may only be used to specify the packet *source*
> and hence are unsuitable for defining zones.

I thought I could define the maclist zone in /etc/shorewall/hosts with something like

    #ZONE   HOSTS                   OPTIONS
    zone1   eth0:192.168.1.0/24     maclist

& define zone2 in /etc/shorewall/interfaces

    #ZONE   INTERFACE   BROADCAST
    zone2   eth0        192.168.1.255

with /etc/shorewall/zones

    #ZONE   TYPE    OPTIONS
    zone1   ipv4
    zone2   ipv4

> -Tom

Thanks
Fred
Patrick Blitz wrote:
>
> On Thursday, 06.04.2006, 17:36 +0200, Fred Lefévère-Laoide wrote:
>> Hi,
>>
>> I want to specify 2 zones on a single subnet.
>> So I identify the machines from zone1 by a maclist.
>> and zone2 (overlapping zone1) is defined by its interface.
>
> so, just give them fixed ip-addresses over DHCP-reservations, and add
> that fixed-ip to the zones.
> You do seem to have a dhcp server running, otherwise you wouldn't need
> to use mac-addresses. Therefore, you could just use the DHCP server to
> match the MAC to a fixed IP

Thanks. I thought of that & somehow I found it more "elegant" to leave dhcp out of this ... But I suppose you're right & I'm being picky ...

> Hope that helps,
>
> Patrick

Thanks
Fred
On Thursday 06 April 2006 09:10, Fred Lefévère-Laaoide wrote:
> Tom Eastep wrote:
> > On Thursday 06 April 2006 08:36, Fred Lefévère-Laoide wrote:
> >> Hi,
> >>
> >> I want to specify 2 zones on a single subnet.
> >> So I identify the machines from zone1 by a maclist.
> >
> > Not possible. MAC addresses may only be used to specify the packet
> > *source* and hence are unsuitable for defining zones.
>
> I thought I could define the maclist zone in /etc/shorewall/hosts
>
> with something like
> #ZONE   HOSTS                   OPTIONS
> zone1   eth0:192.168.1.0/24     maclist

the 'maclist' option above *has nothing to do with defining the hosts in zone zone1*. The above entry says that 192.168.1.0/24 on eth0 is in zone1 and is subject to MAC validation via entries in /etc/shorewall/maclist.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
>> I want to specify 2 zones on a single subnet.
>> So I identify the machines from zone1 by a maclist.
>> and zone2 (overlapping zone1) is defined by its interface.
>
> so, just give them fixed ip-addresses over DHCP-reservations, and add
> that fixed-ip to the zones.
> You do seem to have a dhcp server running, otherwise you wouldn't need
> to use mac-addresses. Therefore, you could just use the DHCP server to
> match the MAC to a fixed IP

Using DHCP will not prevent a user in zone1 from manually using one of the ip-addresses that belong to zone2. So it's really only an option if you trust the users in zone1. Of course, MAC-addresses could be faked too, but that requires a bit more knowledge.

Rune
> Using DHCP will not prevent a user in zone1 from manually using one of
> the ip-addresses that belong to zone2. So it's really only an option
> if you trust the users in zone1.

Sorry, I got your zones mixed up. What I meant was:

Using DHCP will not prevent a user in zone2 from manually using one of the ip-addresses that belong to zone1. So it's really only an option if you trust the users in zone2.
Rune Kock wrote:
> ...
> Using DHCP will not prevent a user in zone2 from manually using one of
> the ip-addresses that belong to zone1. So it's really only an option
> if you trust the users in zone2.

Fred, like Rune says, this is only an option if you trust those users. Buy another NIC and another switch - it's a minimal cost solution that will solve your problem elegantly.

Paul
Paul Gear wrote:
> Rune Kock wrote:
>> ...
>> Using DHCP will not prevent a user in zone2 from manually using one of
>> the ip-addresses that belong to zone1. So it's really only an option
>> if you trust the users in zone2.
>
> Fred, like Rune says, this is only an option if you trust those users.
> Buy another NIC and another switch - it's a minimal cost solution that
> will solve your problem elegantly.
>
> Paul

that's the best solution, network cards are very cheap these days.
Tom Eastep wrote:
> On Thursday 06 April 2006 09:10, Fred Lefévère-Laaoide wrote:
>> Tom Eastep wrote:
>>> On Thursday 06 April 2006 08:36, Fred Lefévère-Laoide wrote:
>>>> Hi,
>>>>
>>>> I want to specify 2 zones on a single subnet.
>>>> So I identify the machines from zone1 by a maclist.
>>> Not possible. MAC addresses may only be used to specify the packet
>>> *source* and hence are unsuitable for defining zones.
>> I thought I could define the maclist zone in /etc/shorewall/hosts
>>
>> with something like
>> #ZONE   HOSTS                   OPTIONS
>> zone1   eth0:192.168.1.0/24     maclist
>
> the 'maclist' option above *has nothing to do with defining the hosts in zone
> zone1*. The above entry says that 192.168.1.0/24 on eth0 is in zone1 and is
> subject to MAC validation via entries in /etc/shorewall/maclist.
>
> -Tom

Thanks a lot. I did a subnet via dhcp and it works! I think I'll add maclist for further security.

Fred
Cristian Rodriguez wrote:
> Paul Gear wrote:
>> Rune Kock wrote:
>>> ...
>>> Using DHCP will not prevent a user in zone2 from manually using one of
>>> the ip-addresses that belong to zone1. So it's really only an option
>>> if you trust the users in zone2.
>> Fred, like Rune says, this is only an option if you trust those users.
>> Buy another NIC and another switch - it's a minimal cost solution that
>> will solve your problem elegantly.
>>
>> Paul
>
> that's the best solution, network cards are very cheap these days.
>

Thanks for your advice! Another network card is not a solution because I can't have 2 physical networks. But what I'll do is add a maclist to zone1 ... There is no real security threat here!

Thanks to everybody
Fred
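The configuration the thread converges on (zone membership carved out of the shared subnet by IP range handed out through DHCP reservations, with the maclist option as an extra check on zone1's range), written out as an added example. This is not Fred's posted config nor anything from the Shorewall project; the zone names come from the thread, while the 192.168.1.0/25 and 192.168.1.128/25 split, eth1 as the net interface, the MAC addresses and the reserved IPs are constructed for the example. Column layouts follow the Shorewall 3.x files as documented at the time; check them against the comments in your own /etc/shorewall copies.

```text
# /etc/shorewall/zones  (zone names from the thread; fw is the firewall itself)
#ZONE   TYPE        OPTIONS
fw      firewall
net     ipv4
zone1   ipv4
zone2   ipv4

# /etc/shorewall/interfaces
# eth0 carries both zones, so it gets no zone of its own here ("-");
# the hosts file below assigns its address ranges to zones.
# eth1 as the internet-facing interface is an assumption for this example.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth1        detect
-       eth0        detect

# /etc/shorewall/hosts
# zone1 = the addresses the DHCP server hands out by reservation (assumed range
# 192.168.1.0/25); zone2 = the remainder of the subnet (assumed 192.168.1.128/25).
# As Tom notes, 'maclist' does not define the zone: it only says that traffic
# from this range is validated against /etc/shorewall/maclist.
#ZONE   HOST(S)                 OPTIONS
zone1   eth0:192.168.1.0/25     maclist
zone2   eth0:192.168.1.128/25

# /etc/shorewall/maclist
# One line per reserved host, binding its MAC to its reserved address, so a
# packet from zone1's range whose source MAC/IP pair is not listed gets
# MACLIST_DISPOSITION from shorewall.conf (REJECT by default).
# MAC addresses and IPs are constructed placeholders.
#DISPOSITION    INTERFACE   MAC                 IP ADDRESSES (OPTIONAL)
ACCEPT          eth0        00:11:22:33:44:01   192.168.1.10
ACCEPT          eth0        00:11:22:33:44:02   192.168.1.11

# /etc/shorewall/policy
# zone1 -> net, zone2, fw ; zone2 -> zone1, fw ; everything else refused,
# exactly the access matrix from the first post.
#SOURCE     DEST        POLICY      LOG LEVEL
zone1       net         ACCEPT
zone1       zone2       ACCEPT
zone1       fw          ACCEPT
zone2       zone1       ACCEPT
zone2       fw          ACCEPT
fw          all         ACCEPT
net         all         DROP        info
all         all         REJECT      info
```

What this buys and what it does not: the reservation alone only decides which address a cooperating client receives, which is Rune's point that a zone2 user can simply configure a zone1 address by hand. The maclist entries close that particular gap because the firewall then also checks that the source MAC matches the reserved pair, and mismatches show up in the log at the MACLIST_LOG_LEVEL you set in shorewall.conf, which is worth watching. It remains a check on a value the client supplies, so, as the thread says, it raises the bar rather than replacing the second NIC and switch that would give the zones a real physical boundary.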