Hi,

When I started setting up internet and network attached Linux boxes I used eth0 as the network device and eth1 or ipppXX of the internet side. My logic behind this is that the local interface is "always" there (and so has to be eth0).

Shorewall (and also some other packages) use eth1 as the local interface. Does anyone have an explanation for this?

I know that it doesn't make a difference which device I use. But it still confuses me ;-)))))

Sascha

--------------------------------------------------------
Sascha Knific
K Systems & Design          Tel. +49-8151-773260
Wittelsbacherstr. 6a        Fax. +49-8151-773262
82319 Starnberg, Germany    Leo  +49-8151-773261
WGS84: N57°59'52.4" E11°20'34.3"
knific@k-sysdes.net         http://www.k-sysdes.net

On 2002.03.15 08:20 Sascha Knific wrote:
> Hi,
>
> When I started setting up internet and network attached Linux boxes
> I used eth0 as the network device and eth1 or ipppXX of the
> internet side.
> My logic behind this is that the local interface is "always" there
> (and so has to be eth0).
>
> Shorewall (and also some other packages) use eth1 as the local
> interface. Does anyone have an explanation for this?
>
> I know that it doesn't make a difference which device I use. But it
> still confuses me ;-)))))
>

eth0 = outside (0 kinda looks like o)
eth1 = inside (1 kinda looks like i)

That's the logic I've always used.

--
=================
Eric Dexter
=================
Linux - Because rebooting is for adding new hardware!

Sascha,

The convention you mention WRT Shorewall only appears in the parameterized samples (where the default external interface is eth0). The only reason that it's that way is that I personally have always set up my own firewalls that way.

No other reason (and it's trivial for the user to change it).

-Tom

----- Original Message -----
From: "Sascha Knific" <knific@k-sysdes.net>
To: <shorewall-users@shorewall.net>
Sent: Friday, March 15, 2002 6:20 AM
Subject: [Shorewall-users] A Philosophic Question

Hi,

When I started setting up internet and network attached Linux boxes I used eth0 as the network device and eth1 or ipppXX of the internet side. My logic behind this is that the local interface is "always" there (and so has to be eth0).

Shorewall (and also some other packages) use eth1 as the local interface. Does anyone have an explanation for this?

I know that it doesn't make a difference which device I use. But it still confuses me ;-)))))

Sascha

At 07:11 15.03.2002 -0800, you wrote:
> The only reason that it's that way is that I personally have always set up
> my own firewalls that way.
>
> No other reason

So the question is philosophic and the answer as well ;-))

> (and it's trivial for the user to change it).

I know. That's one of a thousand reasons why Shorewall is my favorite!

Thank you all for your opinion!

Sascha

Sascha Knific wrote:
> Hi,
>
> When I started setting up internet and network attached Linux boxes I used
> eth0 as the network device and eth1 or ipppXX of the internet side.
> My logic behind this is that the local interface is "always" there (and so
> has to be eth0).

I'm not sure, but i think that eth0/eth1/... is determined by when the card is installed (at least on Red Hat). My /etc/modules.conf says this:

    alias eth0 8139too

So the local network is not necessarily always eth0. (However, i do think your logic is sensible.)

> Shorewall (and also some other packages) use eth1 as the local interface.
> Does anyone have an explanation for this?
>
> I know that it doesn't make a difference which device I use. But it still
> confuses me ;-)))))

Personally, i don't use the parameterized examples, so i never even noticed shorewall's "default". Personally, i think it's so easy to create policies, rules, and interfaces that the only thing i use the params file for is for shortcuts to IP addresses (e.g. SMTP=192.168.200.1 so that i can just say $SMTP in the rules file).

As a general rule, i think that the parameterized examples are counterproductive. They don't encourage newbies to understand all the config files. (Tom, one day you're going to start agreeing with me. :-)

Paul
http://paulgear.webhop.net

P.S. Tom, i've just sent you a patch (against 1.2.9) for case-insensitive yes/no/on/off variables. I haven't tested it, but it passes 'bash -n firewall' OK. I think i've found all the case statements where 'yes/no/off/on' is expected. Ever thought about porting this to Perl? It would probably run a lot faster (although startup overhead would probably be significant on low-end systems) and be more maintainable.

----- Original Message -----
From: "Paul Gear" <paulgear@yahoo.com>
To: <shorewall-users@shorewall.net>
Sent: Friday, March 15, 2002 1:10 PM
Subject: Re: [Shorewall-users] A Philosophic Question

> As a general rule, i think that the parameterized examples are
> counterproductive. They don't encourage newbies to understand all the config
> files. (Tom, one day you're going to start agreeing with me. :-)

Oh, I agree with you already! I was persuaded by another user to provide them -- you notice that I don't put much energy behind enhancing and maintaining them :-)

> P.S. Tom, i've just sent you a patch (against 1.2.9) for case-insensitive
> yes/no/on/off variables. I haven't tested it, but it passes 'bash -n
> firewall' OK. I think i've found all the case statements where
> 'yes/no/off/on' is expected. Ever thought about porting this to Perl? It
> would probably run a lot faster (although startup overhead would probably be
> significant on low-end systems) and be more maintainable.

If I port it to another language, it will probably be Python. The problem with either Perl or Python is that Shorewall runs on LEAF and LEAF configurations are usually very disk-space constrained (often one or two 3.5in floppies).

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net

--- Paul Gear <paulgear@yahoo.com> wrote:
[ ... ]
> Ever thought about porting this to Perl? It would probably run a lot
> faster (although startup overhead would probably be significant on
> low-end systems) and be more maintainable.
>

I know this probably isn't very high on Tom's list of things to do, but I would like to second this motion.

Eric

> > P.S. Tom, i've just sent you a patch (against 1.2.9) for case-insensitive
> > yes/no/on/off variables. I haven't tested it, but it passes 'bash -n
> > firewall' OK. I think i've found all the case statements where
> > 'yes/no/off/on' is expected. Ever thought about porting this to Perl? It
> > would probably run a lot faster (although startup overhead would probably be
> > significant on low-end systems) and be more maintainable.
>
> If I port it to another language, it will probably be Python. The problem
> with either Perl or Python is that Shorewall runs on LEAF and LEAF
> configurations are usually very disk-space constrained (often one or two
> 3.5in floppies).
>

I fully agree with Tom's remark. On a floppy based router like LEAF "Bering" bash is not even provided in the standard distro and we have to live with ash. Shorewall is just running wonderfully in this kind of environment. The move to PERL or PYTHON would make it unfeasible on a floppy.

Jacques
http://leaf.sourceforge.net/devel/jnilo

A Python version would be great, but I also like LEAF!

--
Sincerely,
David Smead
http://www.amplepower.com.

On Fri, 15 Mar 2002, Tom Eastep wrote:
>
> ----- Original Message -----
> From: "Paul Gear" <paulgear@yahoo.com>
> To: <shorewall-users@shorewall.net>
> Sent: Friday, March 15, 2002 1:10 PM
> Subject: Re: [Shorewall-users] A Philosophic Question
>
> > As a general rule, i think that the parameterized examples are
> > counterproductive. They don't encourage newbies to understand all the config
> > files. (Tom, one day you're going to start agreeing with me. :-)
>
> Oh, I agree with you already! I was persuaded by another user to provide
> them -- you notice that I don't put much energy behind enhancing and
> maintaining them :-)
>
> > P.S. Tom, i've just sent you a patch (against 1.2.9) for case-insensitive
> > yes/no/on/off variables. I haven't tested it, but it passes 'bash -n
> > firewall' OK. I think i've found all the case statements where
> > 'yes/no/off/on' is expected. Ever thought about porting this to Perl? It
> > would probably run a lot faster (although startup overhead would probably be
> > significant on low-end systems) and be more maintainable.
>
> If I port it to another language, it will probably be Python. The problem
> with either Perl or Python is that Shorewall runs on LEAF and LEAF
> configurations are usually very disk-space constrained (often one or two
> 3.5in floppies).
>
> -Tom

Tom Eastep wrote:
> ...
> > As a general rule, i think that the parameterized examples are
> > counterproductive. They don't encourage newbies to understand all the config
> > files. (Tom, one day you're going to start agreeing with me. :-)
>
> Oh, I agree with you already! I was persuaded by another user to provide
> them -- you notice that I don't put much energy behind enhancing and
> maintaining them :-)

Perhaps they need a bigger disclaimer, or a notice that they are unsupported.

> > Ever thought about porting this to Perl? It
> > would probably run a lot faster (although startup overhead would probably be
> > significant on low-end systems) and be more maintainable.
>
> If I port it to another language, it will probably be Python.

Aargh! Anything but that!

> The problem
> with either Perl or Python is that Shorewall runs on LEAF and LEAF
> configurations are usually very disk-space constrained (often one or two
> 3.5in floppies).

Fair enough. Forget i asked - i'll shut up now. Anything to keep you from using Python. :-)

Paul
http://paulgear.webhop.net
