Ken,
On Wednesday 30 January 2002 04:42 pm, Kenneth Porter wrote:
> I'm looking for something to help me migrate a working ipchains firewall
> to iptables and I just finished reading the shorewall documentation on
> the web. It looks promising, but I have some questions about how my own
> topology fits into the shorewall framework.
>
> 1) I have two external network interfaces to different ISP's, and use
> static routing to divert some traffic to the "backup" ISP. I want the
> rule sets for the two interfaces to otherwise be identical. Any special
> consideration here?
Just don't express your rules in terms of the external interface.
>
> 2) I have one internal interface (eth0) with an alias (eth0:0). My LAN
> is in the middle of a renumbering, so the gateway doubles as an internal
> router between the two netblocks represented by these two interfaces.
> Does shorewall understand an interface alias?
No, and neither does iptables.
> Do I just treat it like a normal interface?
I would specify "multi" on eth0 and have an ACCEPT policy for loc->loc.
>
> 3) I have a VPN box on the LAN that connects to about a dozen other
> company sites, each with a different private netblock. The gateway
> routes traffic between the two internal netblocks and the various WAN
> netblocks by directing such traffic to the VPN box. Would I declare a
> zone that includes all the WAN netblocks? (I'm thinking each netblock
> needs its own zone, but it would be more convenient to declare them all
> as members of one zone, as they get the same rules.)
If you follow my recommendation in 2), you don't have to do anything else.
-Tom
-- 
Tom Eastep \ A Firewall for Linux 2.4.*
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
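As an added illustration that is not part of the thread, here is the layout Tom's answers point to, written as constructed Shorewall-style zones, interfaces and policy tables. The interface names eth1 and eth2 for the two ISP links, the `detect` broadcast keyword, the column layout and the net/all policy lines are assumptions modelled on Shorewall 1.x of that period, not taken from the message.

```text
# /etc/shorewall/zones  (constructed example)
#ZONE   DISPLAY   COMMENTS
net     Net       Internet, reached through either ISP link
loc     Local     LAN: both netblocks on eth0/eth0:0, plus routes via the VPN box

# /etc/shorewall/interfaces  (constructed example)
# Answer 1: both external links are members of the same zone, so rules are
# written as net->loc / loc->net and never name eth1 or eth2; the static
# routing decides which link a packet leaves on, and the same rules apply.
#ZONE   INTERFACE  BROADCAST  OPTIONS
net     eth1       detect
net     eth2       detect
# Answer 2: the alias eth0:0 is not a separate interface to iptables, so the
# alias is not listed; "multi" tells Shorewall that eth0 carries more than
# one subnet and that traffic may be routed back out the same interface.
loc     eth0       detect     multi

# /etc/shorewall/policy  (constructed example)
# Answer 2/3: loc->loc ACCEPT covers old-netblock <-> new-netblock traffic
# and traffic to the remote company netblocks, because the VPN box sits on
# eth0 and those destinations are therefore also "loc" as the firewall
# sees them; no per-netblock zones are needed.
#SOURCE  DEST   POLICY   LOG LEVEL
loc      loc    ACCEPT
loc      net    ACCEPT
net      all    DROP     info
all      all    REJECT   info
```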