Thomas Fricke wrote:
> Hi Thomas,
Hi Thomas,
In the future, please send this type of query to the Shorewall
Development list. I've copied the list on my reply.
>
> For a research project, I am playing around with vlans and your
> firewall. I want to build an enterprise firewall for ISP hosting,
> where customers' networks are framed into VLANs.
>
> The demand is to add and remove VLAN rules on demand. The z0001-z4094
> zones shall not be connected to each other, but only to the net zone.
>
> My solution was to add a zone per vlan.
That is a poor approach. The O(n**2) nature of the zone/policy/rule
model makes it scale poorly when a large number of networks are involved
(see http://www.shorewall.net/ScalabilityAndPerformance.html).
> This works great, however,
> with the maximum number of ~4094. The perl setup died because of
> memory problems, which was not unexpected.
>
> Analysing the reason I had a look into
> /var/lib/shorewall/.iptables-restore-input, and I found
> N^2 lines like
>
> -A eth1_10_fwd -o eth1.1 -j all2alll
>
> which kills perl after a while.
You might be able to avoid that through use of OPTIMIZE=1 and careful
ordering of the zones in /etc/shorewall/zones.
> Probably this is enough to fix the problem. If you find the time to
> think about it, I would be interested in your solution.
a) Define three zones (fw, net, cust).
b) Place this in /etc/shorewall/interfaces:
net eth0
cust eth1.+
c) Place this in /etc/shorewall/policy:
cust cust REJECT
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
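The three-zone layout from Tom's reply, written out as complete Shorewall configuration fragments. This is an added example, not from the original thread or the Shorewall project. The `eth1.+` wildcard interface and the `cust cust REJECT` policy are the lines Tom gives; the zone types, the empty BROADCAST column, the `cust net`/`net cust` policies and the catch-all `all all REJECT` line are assumptions chosen to make the fragment complete.

```text
# /etc/shorewall/zones   (zone types are assumed; fw is the firewall itself)
#ZONE   TYPE
fw      firewall
net     ipv4
cust    ipv4

# /etc/shorewall/interfaces
# The trailing "+" is Shorewall's interface wildcard: eth1.+ puts every
# VLAN sub-interface eth1.1 ... eth1.4094 into the single zone "cust",
# so adding or removing a customer VLAN needs no change to the zone list.
#ZONE   INTERFACE   BROADCAST
net     eth0        -
cust    eth1.+      -

# /etc/shorewall/policy   (first matching line wins)
#SOURCE DEST    POLICY   LOG LEVEL
cust    cust    REJECT   info      # VLAN-to-VLAN traffic between customers is refused and logged (from the reply)
cust    net     ACCEPT             # assumed: customers may reach the Internet
net     cust    DROP     info      # assumed: unsolicited inbound is dropped; open services in /etc/shorewall/rules
fw      all     ACCEPT             # assumed
all     all     REJECT   info      # assumed catch-all
```

Two points worth checking after `shorewall check`: the policy table stays three zones wide no matter how many VLANs exist, which is the whole reason this scales where the zone-per-VLAN design did not; and `cust cust REJECT` only governs traffic the firewall routes between two eth1 sub-interfaces, so hosts that share one VLAN still talk to each other through the switch without the firewall ever seeing the packets.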