Hello,

I have a firewall with 67 network interfaces. I'm migrating it to Shorewall now. It's working well, but I have some doubts I'd like to discuss with you guys.

I've created 67 zones, one for each interface, because I have most rules that need to be zone-based.

My doubt is that I have some rules, maybe over a hundred, that need to be applied to, let's say, 32 zones. I could do that easily directly with iptables, because my network is segmented in a tree mode.

Example:

    zone1 - 192.168.0.0/24
    zone2 - 192.168.1.0/24

In that case, zone1+zone2 would be 192.168.0.0/23... And so on...

Is it possible to create a "grouping" zone aggregating zone1 plus zone2, for example, so that I can declare a rule only to the "grouping" zone, without repeating the rule for each zone?

I've read the man page shorewall-nesting, but the examples I've seen are based on only one interface. I'm not sure if that would work across multiple interfaces.

This network is quite critical, so I'm a bit afraid to be testing a lot of rules in it without making sure that's the right way to go.

Thanks in advance.

--
MARLON DUTRA
Propus
GnuPG ID: 0x3E2060AC pgp.mit.edu
http://www.propus.com.br/
http://hackers.propus.com.br/~marlon/

------------------------------------------------------------------------------
This SF.net email is sponsored by: SourceForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
Marlon Dutra wrote:
> I've read the man page shorewall-nesting, but the examples I've seen
> are based on only one interface. I'm not sure if that would work
> across multiple interfaces.

It doesn't.
Shorewall Guy wrote:
> Marlon Dutra wrote:
>
>> I've read the man page shorewall-nesting, but the examples I've seen
>> are based on only one interface. I'm not sure if that would work
>> across multiple interfaces.
>
> It doesn't.

Actually, it can be made to work.

If you do this:

/etc/shorewall/zones:

    zoneA
    zone1:zoneA
    zone2:zoneA

/etc/shorewall/interfaces:

    zoneA   eth0
    zoneA   eth1

/etc/shorewall/hosts:

    zone1   eth0:192.168.1.0/24   broadcast
    zone2   eth1:192.168.2.0/24   broadcast

then it works like this when using the default IMPLICIT_CONTINUE=Yes.

- Traffic to/from eth0 first goes through the zone1 rules.
- If there is no match, it then goes through the zoneA rules.
Shorewall Guy wrote:
> Actually, it can be made to work.
>
> If you do this:
>
> /etc/shorewall/zones:
>
>     zoneA
>     zone1:zoneA
>     zone2:zoneA
>
> /etc/shorewall/interfaces:
>
>     zoneA   eth0
>     zoneA   eth1
>
> /etc/shorewall/hosts:
>
>     zone1   eth0:192.168.1.0/24   broadcast
>     zone2   eth1:192.168.2.0/24   broadcast
>
> then it works like this when using the default IMPLICIT_CONTINUE=Yes.

I posted the above without trying it -- while it compiles fine, the Shorewall-perl compiler is not creating the correct ruleset. I'll need some time to sort out why that is happening.
Shorewall Guy wrote:
> default IMPLICIT_CONTINUE=Yes.

As of 4.2, the default is No -- it must be set to Yes.

> I posted the above without trying it -- while it compiles fine, the
> Shorewall-perl compiler is not creating the correct ruleset. I'll need
> some time to sort out why that is happening.

The ruleset only looked incorrect because I didn't put any entries in /etc/shorewall/rules; as a consequence, the compiler optimized away most of what I expected to see. Once I added some rules, everything looked fine.
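The nested-zone layout above, as an added example (my code, not the thread's or the Shorewall project's): it renders the zones/interfaces/hosts entries for a parent zone that spans several interfaces, checks the child subnets for overlap and reports whether they collapse into one supernet (Marlon's 192.168.0.0/23 assumption), and models which zones' rules a packet meets, in order, with IMPLICIT_CONTINUE=Yes. The `ipv4` type column, the interface options (copied from Simon Hobson's config later in the thread) and the `zone_lookup` helper are my additions.

```python
"""Nested ("grouping") Shorewall zones across several interfaces.

Added example: it is not code from the thread or from Shorewall itself.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample mirroring Marlon's layout: one child zone per interface.
PARENT = "zoneA"
CHILDREN: List[Tuple[str, str, str]] = [
    ("zone1", "eth0", "192.168.0.0/24"),
    ("zone2", "eth1", "192.168.1.0/24"),
]
# Interface options taken from Simon Hobson's config later in the thread.
IFACE_OPTIONS = "tcpflags,nosmurfs,routefilter"


def check_aggregate(children):
    """Reject overlapping child subnets (one host would then sit in two
    child zones) and return (smallest covering supernet, exact), where
    exact is True when the children fill that prefix with no gaps."""
    nets = [ipaddress.ip_network(net) for _, _, net in children]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"child subnets overlap: {a} and {b}")
    supernet = nets[0]
    while not all(n.subnet_of(supernet) for n in nets):
        supernet = supernet.supernet()
    exact = list(ipaddress.collapse_addresses(nets)) == [supernet]
    return supernet, exact


def render(parent, children, options=IFACE_OPTIONS) -> Dict[str, List[str]]:
    """Lines for /etc/shorewall/{zones,interfaces,hosts}, plus the
    shorewall.conf setting the fall-through depends on (default No in 4.2).
    The parent is bound to whole interfaces, the children to host groups."""
    check_aggregate(children)  # fail early on overlapping subnets
    interfaces = sorted({ifc for _, ifc, _ in children})
    return {
        "zones": [f"{parent}\tipv4"]
        + [f"{child}:{parent}\tipv4" for child, _, _ in children],
        "interfaces": [f"{parent}\t{ifc}\tdetect\t{options}" for ifc in interfaces],
        "hosts": [f"{child}\t{ifc}:{net}\tbroadcast" for child, ifc, net in children],
        "shorewall.conf": ["IMPLICIT_CONTINUE=Yes"],
    }


def zone_lookup(iface, address, parent=PARENT, children=CHILDREN) -> List[str]:
    """Zones whose rules are consulted, in order, for a packet arriving on
    `iface` from `address` with IMPLICIT_CONTINUE=Yes: the child zone whose
    host group matches (if any), then the interface-wide parent. A source on
    the segment but outside the listed subnet only meets the parent's rules,
    so the parent's policy must be as strict as the children's."""
    ip = ipaddress.ip_address(address)
    order = [child for child, child_ifc, net in children
             if child_ifc == iface and ip in ipaddress.ip_network(net)]
    if any(child_ifc == iface for _, child_ifc, _ in children):
        order.append(parent)
    return order


if __name__ == "__main__":
    supernet, exact = check_aggregate(CHILDREN)
    print(f"children aggregate to {supernet} (exact={exact})")  # 192.168.0.0/23 (exact=True)
    for name, lines in render(PARENT, CHILDREN).items():
        print(f"--- /etc/shorewall/{name}")
        print("\n".join(lines))
    print(zone_lookup("eth0", "192.168.0.7"))  # ['zone1', 'zoneA']
    print(zone_lookup("eth0", "10.9.9.9"))     # ['zoneA']
```

With Shorewall Guy's own subnets (192.168.1.0/24 and 192.168.2.0/24) the check reports a covering /22 but `exact=False`, which is harmless here because the parent zone is bound to interfaces, not to a CIDR.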
Hello,

On Mon, Jan 26, 2009 at 5:18 PM, Shorewall Guy <shorewalljunky@comcast.net> wrote:
> Shorewall Guy wrote:
> As of 4.2, the default is No -- it must be set to Yes.

Ok.

> The ruleset only looked incorrect because I didn't put any entries in
> /etc/shorewall/rules; as a consequence, the compiler optimized away most
> of what I expected to see. Once I added some rules, everything looked fine.

Hmm, right. Excellent solution. I'll try it here as soon as I can and let you know.

Thank you for the quick reply.

--
MARLON DUTRA
Propus
GnuPG ID: 0x3E2060AC pgp.mit.edu
http://www.propus.com.br/
http://hackers.propus.com.br/~marlon/
A firewall with 67 network interfaces.... wow, does such a beast even exist? Sorry, but I'm just so curious... I was always thinking that the max number of interfaces would be about 6 (2 built in, 4 PCI slots). Hope you can enlighten us about your machine... after you solve your problem, of course....

----- Original Message ----
> From: Marlon Dutra <mfdutra@gmail.com>
> To: shorewall-users@lists.sourceforge.net
> Sent: Tuesday, January 27, 2009 3:58:56 AM
> Subject: [Shorewall-users] Grouping zones
>
> [original message quoted in full above]
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Linux Advocate wrote:
> A firewall with 67 network interfaces.... wow, does such a beast even
> exist? Sorry, but I'm just so curious... I was always thinking that
> the max number of interfaces would be about 6 (2 built in, 4 PCI
> slots). Hope you can enlighten us about your machine... after you solve
> your problem, of course....

Not hard, I have a box with 34 interfaces - 2 real, 32 VLAN. In this case it was built to allow a business centre to provide network services to its tenants (each with an RFC1918 subnet, NATted from the internet connection), whilst keeping each tenant from peeking around other networks.

On a large campus, much larger routers are very easy to get - distributing multiple subnets to specific locations via VLAN configurations in switches. At work we have such a campus (a science/technology park) under our control. Each customer gets a small subnet, and it is managed by one router with a VLAN per customer/subnet. Traffic is shoved around the campus by gigabit fibre networks and multiple switches, with each customer restricted to their own connection by the VLAN configuration of the port they are physically connected to. 67 ports would not be unreasonable for our network there - I don't recall how many it actually has at the moment.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
On Tue, Jan 27, 2009 at 04:58:26AM -0800, Linux Advocate wrote:
> A firewall with 67 network interfaces.... wow, does such a beast even exist? Sorry, but I'm just so curious... I was always thinking that the max number of interfaces would be about 6 (2 built in, 4 PCI slots). Hope you can enlighten us about your machine... after you solve your problem, of course....

Well, quad interface cards are quite common, so that is at least 4 physical interfaces possible for each PCI slot:

http://www.newegg.com/Product/Product.aspx?Item=N82E16833106017

(Plus the same exists for RJ-45).

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Linux Advocate wrote:
> A firewall with 67 network interfaces.... wow, does such a beast even exist? Sorry, but I'm just so curious... I was always thinking that the max number of interfaces would be about 6 (2 built in, 4 PCI slots). Hope you can enlighten us about your machine... after you solve your problem, of course....

Actually this theoretically could be roughly about 4000*6 = 24000 interfaces :-) if you use VLANs.

Cheers
Harry
Thanks for the input.

----- Original Message ----
> From: Roberto C. Sánchez <roberto@connexer.com>
> To: shorewall-users@lists.sourceforge.net
> Sent: Tuesday, January 27, 2009 10:08:23 PM
> Subject: Re: [Shorewall-users] Grouping zones
>
> [message quoted in full above]
I thought VLANs could only be done by switches, not by Shorewall. Can't seem to find the doc page about VLAN setup at the Shorewall site. Or is the VLAN setup done in the OS and not through Shorewall?

----- Original Message ----
> From: Harry Lachanas <grharry@freemail.gr>
> To: Shorewall Users <shorewall-users@lists.sourceforge.net>
> Sent: Wednesday, January 28, 2009 12:45:05 PM
> Subject: Re: [Shorewall-users] Grouping zones
>
> [message quoted in full above]
Linux Advocate wrote:
> I thought VLANs could only be done by switches, not by
> Shorewall. Can't seem to find the doc page about VLAN setup
> at the Shorewall site. Or is the VLAN setup done in the OS
> and not through Shorewall?

Exactly. Shorewall doesn't care if an interface is physical or virtual. Why should it? And you don't need an expensive switch/router to implement VLANs, every Linux/Unix box does it. So I run Shorewall with over 20 VLANs connected through one cable to a cheap VLAN-capable switch, distributing to the different network segments. Never had any trouble with it.

Regards,
Christian
Linux Advocate wrote:
> I thought VLANs could only be done by switches, not by Shorewall.
> Can't seem to find the doc page about VLAN setup at the Shorewall
> site. Or is the VLAN setup done in the OS and not through Shorewall?

The setup is done in the OS, for example, this is a snippet from a Debian /etc/network/interfaces file:

    auto ethint
    iface ethint inet static
        address 10.1.1.1
        netmask 255.255.255.0
        vlan_raw_device ethint
        up echo "Name-Type: VLAN_NAME_TYPE_PLUS_VID_NO_PAD" > /proc/net/vlan/config

    auto vlan101
    iface vlan101 inet static
        address 10.1.101.1
        netmask 255.255.255.0
        vlan_raw_device ethint
        up echo 1 > /proc/sys/net/ipv4/conf/vlan101/arp_filter
        up echo 2 > /proc/sys/net/ipv4/conf/vlan101/arp_ignore
        up echo 1 > /proc/sys/net/ipv4/conf/vlan101/rp_filter

    auto vlan102
    iface vlan102 inet static
        address 10.1.102.1
        netmask 255.255.255.0
        vlan_raw_device ethint
        up echo 1 > /proc/sys/net/ipv4/conf/vlan102/arp_filter
        up echo 2 > /proc/sys/net/ipv4/conf/vlan102/arp_ignore
        up echo 1 > /proc/sys/net/ipv4/conf/vlan102/rp_filter

Then for the Shorewall config.

Interfaces:

    net    ethext   detect   tcpflags,routefilter,nosmurfs,logmartians,arp_filter,arp_ignore=1
    tech   ethint   detect   tcpflags,detectnets,nosmurfs,routeback,dhcp,routefilter,arp_filter,arp_ignore=2
    cust   vlan+    detect   tcpflags,nosmurfs,routeback,dhcp

Zones:

    fw     firewall
    net    ipv4
    tech   ipv4
    cust   ipv4

and configure your policies and rules as required.

For this particular box, I configured the native ethint to be a 'tech' subnet with things like the network switches and any shared services (eg DNS). One VLAN was allocated to each tenant, with DHCP, DNS, etc all provided. Policies were set to block everything except cust->net, and then permit only those other connections (eg cust -> tech for DNS) required for things to work.

--
Simon Hobson
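A check for the setup Simon describes, as an added example (mine, not from the thread or from Shorewall): it parses the ifupdown stanzas, reports which VLAN interfaces lack the arp_filter/arp_ignore/rp_filter settings his vlan101 stanza sets, and maps an interface name to its Shorewall zone through the `vlan+` wildcard, which I take to be a prefix match as iptables treats `-i vlan+`. The interfaces text is constructed from his post, with vlan102 deliberately left incomplete so the audit has something to report.

```python
"""Audit per-VLAN hardening in /etc/network/interfaces and map interfaces
to Shorewall zones. Added example, not code from the thread or Shorewall."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed from Simon's post; vlan102 is deliberately missing two settings.
INTERFACES_FILE = """\
auto ethint
iface ethint inet static
    address 10.1.1.1
    netmask 255.255.255.0
    up echo "Name-Type: VLAN_NAME_TYPE_PLUS_VID_NO_PAD" > /proc/net/vlan/config

auto vlan101
iface vlan101 inet static
    address 10.1.101.1
    netmask 255.255.255.0
    vlan_raw_device ethint
    up echo 1 > /proc/sys/net/ipv4/conf/vlan101/arp_filter
    up echo 2 > /proc/sys/net/ipv4/conf/vlan101/arp_ignore
    up echo 1 > /proc/sys/net/ipv4/conf/vlan101/rp_filter

auto vlan102
iface vlan102 inet static
    address 10.1.102.1
    netmask 255.255.255.0
    vlan_raw_device ethint
    up echo 1 > /proc/sys/net/ipv4/conf/vlan102/arp_filter
"""

# (ZONE, INTERFACE) rows of /etc/shorewall/interfaces from the post.
SHOREWALL_INTERFACES: List[Tuple[str, str]] = [
    ("net", "ethext"), ("tech", "ethint"), ("cust", "vlan+"),
]

# The values Simon's VLAN stanzas set: ARP answered only for the VLAN's own
# address and reverse-path filtering on, so one tenant's segment cannot
# answer for, or source packets as, another tenant's subnet over the trunk.
REQUIRED = {"arp_filter": "1", "arp_ignore": "2", "rp_filter": "1"}

SYSCTL_RE = re.compile(
    r"^up\s+echo\s+(\S+)\s*>\s*/proc/sys/net/ipv4/conf/([^/\s]+)/(\w+)$")


def parse_stanzas(text: str) -> Dict[str, dict]:
    """Return {iface: {"raw_device": str|None, "sysctls": {name: value}}}
    per 'iface ... inet ...' stanza. 'up echo V > /proc/sys/.../IF/NAME'
    lines are read back as the sysctl they set, when IF is that stanza."""
    stanzas: Dict[str, dict] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("iface "):
            current = line.split()[1]
            stanzas[current] = {"raw_device": None, "sysctls": {}}
        elif current is None:
            continue  # e.g. a leading 'auto' line before any stanza
        elif line.startswith("vlan_raw_device "):
            stanzas[current]["raw_device"] = line.split()[1]
        else:
            m = SYSCTL_RE.match(line)
            if m and m.group(2) == current:
                stanzas[current]["sysctls"][m.group(3)] = m.group(1)
    return stanzas


def audit_vlans(text: str, required=REQUIRED) -> Dict[str, List[str]]:
    """{vlan_iface: [settings missing or wrong]}; an empty list means the
    stanza sets everything in `required`. Non-VLAN stanzas are skipped."""
    report: Dict[str, List[str]] = {}
    for name, info in parse_stanzas(text).items():
        if info["raw_device"] is None:
            continue
        report[name] = [k for k, v in required.items()
                        if info["sysctls"].get(k) != v]
    return report


def shorewall_zone(iface: str, table=SHOREWALL_INTERFACES) -> Optional[str]:
    """First row whose INTERFACE column matches `iface`; a trailing '+' is
    the wildcard (prefix match, as iptables treats '-i vlan+')."""
    for zone, pattern in table:
        if pattern == iface:
            return zone
        if pattern.endswith("+") and iface.startswith(pattern[:-1]):
            return zone
    return None


if __name__ == "__main__":
    for iface, missing in audit_vlans(INTERFACES_FILE).items():
        state = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{iface} (zone {shorewall_zone(iface)}): {state}")
```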
Hi,

On Tue, Jan 27, 2009 at 8:58 AM, Linux Advocate <linuxhousedn@yahoo.com> wrote:
> A firewall with 67 network interfaces.... wow, does such a beast even
> exist? Sorry, but I'm just so curious... I was always thinking that the
> max number of interfaces would be about 6 (2 built in, 4 PCI slots).
> Hope you can enlighten us about your machine... after you solve your
> problem, of course....

It's very common in large deployments when you use VLAN interfaces. Linux natively supports 802.1Q VLAN tagging, very common in every managed switch. To Shorewall, it's another interface, just like any other one. The kernel abstracts all that.

--
MARLON DUTRA
Propus
GnuPG ID: 0x3E2060AC pgp.mit.edu
http://www.propus.com.br/
http://hackers.propus.com.br/~marlon/
Aimon, thanks.

The switch, though, must still be VLAN capable, or will even basic Taiwanese switches do?

----- Original Message ----
> From: Simon Hobson <linux@thehobsons.co.uk>
> To: Shorewall Users <shorewall-users@lists.sourceforge.net>
> Sent: Wednesday, January 28, 2009 5:52:56 PM
> Subject: Re: [Shorewall-users] Grouping zones
>
> [message quoted in full above]
Sorry, that's Simon, not Aimon ;)

> Aimon, thanks.
>
> The switch, though, must still be VLAN capable, or will even basic
> Taiwanese switches do?
Linux Advocate wrote:
> The switch, though, must still be VLAN capable, or
> will even basic Taiwanese switches do?

Yes, the switch itself must be VLAN capable - so that means your basic £20 jobs won't do. However, you don't have to spend a fortune to get into the lower end of capable switches.

For example, the Netgear FS726T (http://netgear.com/Products/Switches/SmartSwitches/FS726T.aspx) can probably be found for £150, and will give you 24 10/100 ports and two 1G ports. Hook one of the gig ports to your router, the other to your server (if you have a separate server), set up your VLANs, and you can have a different network on each of the ports.

As a practical example, if you splash out around £300 on the PoE version (http://netgear.com/Products/Switches/SmartSwitches/FS726TP.aspx) then you get 12 powered ports. Many VoIP phones support VLANs as well, so you can have up to 12 desk phones on one subnet (all powered from the switch), and a separate subnet on a separate VLAN for your data traffic. If you don't want to be able to plug your computer into the back of the phone, then the phone doesn't need to support VLANs*.

Another use would be to have PoE wireless access points on a different network to your hardwired kit - thus allowing you to have an open wireless while keeping your network secure.

With one switch though, you don't really need VLANs (you can just use multiple network ports on the router) - where it REALLY comes into play is on larger installations. At work we have a site (a 'science park' campus) that has an extensive fibre network. All the switches are fully managed, and the different subnets for customer connections are managed from a single router and distributed on their own VLANs - dozens of networks, all segregated, but passed down one cable.

* You have a choice for each port on the switch. It can be 'untagged' and belong to a single VLAN - that is just like a basic switch. Or it can be 'tagged' and pass VLAN tagged packets - the device at the other end is then responsible for managing the VLANs it uses. So for a VLAN capable VoIP phone, you can set the switch port to tagged, and configure the phone to connect itself to one VLAN and bridge its PC port to another VLAN. A PC plugged into the back of the phone would then get connected to a different network to the phone - while only using the one cable.

--
Simon Hobson
Great info, Simon. Thanks, brother.

----- Original Message ----
> From: Simon Hobson <linux@thehobsons.co.uk>
> To: Shorewall Users <shorewall-users@lists.sourceforge.net>
> Sent: Saturday, February 7, 2009 6:18:13 PM
> Subject: Re: [Shorewall-users] Grouping zones
>
> [message quoted in full above]