On Saturday 07 February 2004 09:01 am, Ben Wheare wrote:
> Thanks, I made a mistake in my original post tho:
>
> Basically, I have eth0.
> I want *all* IP's on that to be in the 'net' zone, with the exception of a
> few, who are in the 'loc' zone...
>
> The Routing on One Interface stuff has it on how to have different zones,
> but not all except XXX in 'net' zone, as far as I can see?
>
Yes, I know -- Shorewall doesn't have any concept of local, net, DMZ ...; all
zones are the same as far as Shorewall is concerned (except the zone named in
$FW) so the section entitled 'Some Hosts have Special Firewalling
Requirements' is exactly what you want (except that it is up to you to
change the names).

Nevertheless, I have updated the documentation at
http://shorewall.net/Multiple_Zones.html to cover your specific case.

Again, don't call this a firewall and if you get hacked, don't blame Shorewall
-- The Shorewall box is nothing but a router in this configuration and it
provides no security for your local network against attackers in your
immediate public network (for example, if you connect to the internet via
cable modem, your next door neighbor has full access to your local systems as
does everyone else connected to the same head-end router).
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
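The configuration Tom is pointing at, written out as an added example (not from this thread, the Shorewall documentation, or the Shorewall project): every address on eth0 falls into 'net' by default, and only the hosts carved out in the hosts file land in 'loc'. The addresses are constructed, and the column layouts assume the Shorewall 1.4/2.0-era file formats; check zones(5), interfaces(5) and hosts(5) for your release before using them.

```text
# /etc/shorewall/zones   (assumed layout: ZONE  DISPLAY  COMMENTS)
# Order matters: a host that belongs to more than one zone is placed in
# the zone listed FIRST, so 'loc' must precede 'net' or the hosts-file
# entries below are shadowed by the interface-wide 'net' entry.
loc     Local     Hosts on eth0 listed explicitly in /etc/shorewall/hosts
net     Net       Everything else reachable via eth0

# /etc/shorewall/interfaces   (ZONE  INTERFACE  BROADCAST  OPTIONS)
# The whole interface is 'net' unless a hosts entry says otherwise.
net     eth0      detect

# /etc/shorewall/hosts   (ZONE  HOST(S)  OPTIONS)
# Constructed example addresses: two single hosts and one small subnet
# on eth0 are moved out of 'net' into 'loc'.
loc     eth0:192.0.2.10,192.0.2.11,192.0.2.32/28

# /etc/shorewall/policy   (SOURCE  DEST  POLICY  LOG_LEVEL)
# 'fw' is the firewall zone (the name set by FW in shorewall.conf).
# Default-deny from 'net' into the box and into 'loc'; note that this
# only filters traffic the box itself forwards, so, as Tom says, it
# does nothing about 'net' hosts talking to 'loc' hosts directly on
# the shared segment.
loc     fw        ACCEPT
loc     net       ACCEPT
net     all       DROP      info
all     all       REJECT    info
```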