Hi All,

I have a quick question, probably more a router issue, but seeing as I use
shorewall I thought I would ask the list..

I currently use shorewall to route my internal lan to the internet, but I
will shortly be receiving 8 'real' ips.

Therefore, my question being, can shorewall then route external IP 1, 2, 3,
4, 5 from ppp0 (or eth0) to the appropriate machine(s) on the internal LAN
via eth1.

And, if so, I take it it can act as a firewall over the multiple ip's.

Probably very simple, but my head gets achy when thinking about multiple
IP's over the one ethernet interface, well ok two interfaces, but you know
what I mean.

The current connection 'in' to the router is via a speedtouch usb adsl
modem, but I'm grabbing a router asap (any recommendations?)

Thanks for your ideas

Rgds

Andy
At 9:38 AM +0100 4/21/02, Andy wrote:
>Hi All,
>
> I have a quick question, probably more a router issue, but seeing as I use
>shorewall I thought I would ask the list..
>
> I currently use shorewall to route my internal lan to the internet, but I
>will shortly be receiving 8 'real' ips.
>
> Therefore, my question being, can shorewall then route external IP 1, 2,
>3, 4, 5 from ppp0 (or eth0) to the appropriate machine(s) on the internal
>LAN via eth1.
>
[[snip]]

I think that this is proxy arp. I believe that there is an example in the
documentation.

-- 
  _
 /~\  The ASCII          | Glenn Henshaw
 \ /  Ribbon Campaign    | Ottawa, Canada
  X   Against HTML       | Play: thraxisp@igs.net
 / \  Email!             | Work: ghenshaw@altera.com
On Sun, 21 Apr 2002, Andy wrote:

> Hi All,
>
> I have a quick question, probably more a router issue, but seeing as I use
> shorewall I thought I would ask the list..
>
> I currently use shorewall to route my internal lan to the internet, but I
> will shortly be receiving 8 'real' ips.
>
> Therefore, my question being, can shorewall then route external IP 1, 2,
> 3, 4, 5 from ppp0 (or eth0) to the appropriate machine(s) on the internal
> LAN via eth1.

Yes.

> And, if so, I take it it can act as a firewall over the multiple ip's.
>

Yes.

> Probably very simple, but my head gets achy when thinking about multiple
> IP's over the one ethernet interface, well ok two interfaces, but
> you know what I mean.
>

It will depend on how your ISP is going to handle your 8 addresses. If they
are going to be treated as a /29 subnet then you can't use the first and
last address :-(. You would define your firewall with the second address as
the IP FOR BOTH INTERFACES then specify a subnet mask of 255.255.255.248 on
eth1 (and probably 255.255.255.0 on eth1). In this case, your
/etc/shorewall/masq, /etc/shorewall/nat and /etc/shorewall/proxyarp should
all be empty.

If your ISP is just going to give you 8 IP addresses out of a larger subnet
then you can use all 8 addresses and you will want to use Proxy ARP. See
the Documentation and ask for help if you can't figure it out.

> The current connection 'in' to the router is via a speedtouch usb adsl
> modem, but I'm grabbing a router asap (any recommendations?)
>

Sure -- use your Linux box; you don't need any more router than that.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
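The subnet arithmetic behind the two cases in the reply above, worked through as an added example that is not from the list or from Shorewall itself. It assumes Python 3's standard ipaddress module, uses constructed sample addresses from the 203.0.113.0/24 documentation range, and assumes the ADDRESS INTERFACE EXTERNAL HAVEROUTE column layout for /etc/shorewall/proxyarp (check that against the proxyarp file shipped with your Shorewall version before using the generated lines). The routed-/29 planner also rejects blocks that are not a /29, and the Proxy ARP planner rejects addresses outside the parent subnet or equal to its network/broadcast address, which are the two mistakes that most often produce an unreachable host.

```python
# Added example (not from the mailing list or the Shorewall project).
# Sample addresses are constructed from the 203.0.113.0/24 documentation range.
import ipaddress


def plan_routed_subnet(cidr, external_if="eth0", internal_if="eth1"):
    """Case 1: the ISP treats the 8 addresses as a /29 routed to you.

    The network and broadcast addresses are unusable, the firewall takes the
    second address of the block on BOTH interfaces, and the /29 netmask goes
    on the internal interface.  masq, nat and proxyarp stay empty.
    """
    net = ipaddress.ip_network(cidr, strict=True)   # raises on host bits set
    if net.prefixlen != 29:
        raise ValueError("expected a /29 (8 addresses), got /%d" % net.prefixlen)
    usable = list(net.hosts())          # excludes network and broadcast -> 6 addresses
    firewall = usable[0]                # the "second address" of the block
    return {
        "mode": "routed-subnet",
        "unusable": [str(net.network_address), str(net.broadcast_address)],
        "firewall_ip": str(firewall),
        "interfaces": {
            external_if: {"address": str(firewall)},
            internal_if: {"address": str(firewall), "netmask": str(net.netmask)},
        },
        "lan_hosts": [str(a) for a in usable[1:]],   # what is left for the LAN machines
        "shorewall": {"masq": [], "nat": [], "proxyarp": []},
    }


def plan_proxy_arp(addresses, parent_cidr, external_if="eth0", internal_if="eth1"):
    """Case 2: the ISP hands out individual addresses from a larger subnet.

    All of them are usable; the firewall answers ARP for them on the external
    interface and forwards to the LAN (Proxy ARP).  Returns the lines for
    /etc/shorewall/proxyarp.  The column order ADDRESS INTERFACE EXTERNAL
    HAVEROUTE is an assumption of this example; verify it for your version.
    """
    parent = ipaddress.ip_network(parent_cidr, strict=True)
    seen = set()
    for raw in addresses:
        addr = ipaddress.ip_address(raw)
        if addr not in parent:
            raise ValueError("%s is not inside %s" % (addr, parent))
        if addr in (parent.network_address, parent.broadcast_address):
            raise ValueError("%s is the network/broadcast address of %s" % (addr, parent))
        if addr in seen:
            raise ValueError("duplicate address %s" % addr)
        seen.add(addr)
    # HAVEROUTE=No: Shorewall adds the host route out of the internal interface itself.
    lines = ["%s\t%s\t%s\tNo" % (a, internal_if, external_if) for a in sorted(seen)]
    return {
        "mode": "proxy-arp",
        "usable": [str(a) for a in sorted(seen)],
        "shorewall": {"masq": [], "nat": [], "proxyarp": lines},
    }


if __name__ == "__main__":
    routed = plan_routed_subnet("203.0.113.8/29")
    print("routed /29: firewall", routed["firewall_ip"], "LAN hosts", routed["lan_hosts"])
    eight = ["203.0.113.%d" % i for i in range(40, 48)]
    proxy = plan_proxy_arp(eight, "203.0.113.0/24")
    print("proxy arp: /etc/shorewall/proxyarp")
    print("\n".join(proxy["shorewall"]["proxyarp"]))
```

Running the script prints the routed-/29 plan (firewall on .9, five addresses left for LAN machines, which matches the "IP 1, 2, 3, 4, 5" in the question) and the eight proxyarp lines for the second case.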
hi,

I'm new to shorewall

the blacklist-function is great
but is there the possibility of a "whitelist" ?
for trusted hosts for example?

a file called whitelist would be great, because the number of hosts i trust
is less than all the possible "bad" ip´s ...

;)
hope this is helpful
and thx in advance

alex
On Mon, 22 Apr 2002, alexander ziegelmaier wrote:

> hi,
>
> I'm new to shorewall
>
> the blacklist-function is great
> but is there the possibility of a "whitelist" ?
> for trusted hosts for example?
>
> a file called whitelist would be great, because the number of hosts i trust
> is less
> than all the possible "bad" ip´s ...
>
>
> ;)
> hope this is helpful
> and thx in advance
>

You can already do what you want using a zone for trusted hosts or just
using rules. Lots of people seem to want this though so I'll consider it.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net