Hi, I've got a question about how to configure Shorewall, and maybe someone could answer.

I have a PC with 3 ethernet interfaces. eth0 connects to the internet, eth1 connects to LAN A, and eth2 connects to LAN B. I've configured Shorewall for doing NAT, and both LANs can navigate, but it seems that from a LAN A host you can connect to a PC on LAN B, and the other way round. I'd like the LANs not to be able to communicate.

Is it possible?

Regards and thank you.

-- 
Sergio Navarro i Fajardo
snavarro@ctv.es -- sergio.navarro@uv.es
GnuPG-Public-Key: 0x24E340FF
Alginet / Valencia / Spain
--On Tuesday, January 21, 2003 9:26 PM +0100 Sergio Navarro i Fajardo <snf@apdo.com> wrote:

> Hi,
>
> I've got a question about how to configure Shorewall, and maybe
> someone could answer.
>
> I have a PC with 3 ethernet interfaces. eth0 connects to the internet, eth1
> connects to LAN A, and eth2 connects to LAN B. I've configured
> Shorewall for doing NAT, and both LANs can navigate, but it seems
> that from a LAN A host you can connect to a PC on LAN B, and the
> other way round. I'd like the LANs not to be able to communicate.
>
> Is it possible?

Sure - and if you had followed the instructions at http://www.shorewall.net/three-interface.htm then you wouldn't be having this problem now.

-Tom

-- 
Tom Eastep      \ Shorewall - iptables made easy
AIM: teastep    \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
--On Tuesday, January 21, 2003 12:30 PM -0800 Tom Eastep <teastep@shorewall.net> wrote:

> --On Tuesday, January 21, 2003 9:26 PM +0100 Sergio Navarro i Fajardo
> <snf@apdo.com> wrote:
>
>> Hi,
>>
>> I've got a question about how to configure Shorewall, and maybe
>> someone could answer.
>>
>> I have a PC with 3 ethernet interfaces. eth0 connects to the internet, eth1
>> connects to LAN A, and eth2 connects to LAN B. I've configured
>> Shorewall for doing NAT, and both LANs can navigate, but it seems
>> that from a LAN A host you can connect to a PC on LAN B, and the
>> other way round. I'd like the LANs not to be able to communicate.
>>
>> Is it possible?
>
> Sure - and if you had followed the instructions at
> http://www.shorewall.net/three-interface.htm then you wouldn't be having
> this problem now.

Let me elaborate a bit further. While the three-interface QuickStart guide calls the second local zone a "DMZ", it is really just a second local zone that is identified by the three letters "d" "m" "z". To make the three-interface sample into a two-local-zone setup:

a) add the policy "dmz net ACCEPT"
b) add "<external if> <dmz if>" to /etc/shorewall/masq.

You will now have a configuration where both local zones can access the internet but neither can access the other. You might also want to add rules for accessing the fw via ssh from the "dmz", etc.

-Tom

-- 
Tom Eastep      \ Shorewall - iptables made easy
AIM: teastep    \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
--On Tuesday, January 21, 2003 12:39 PM -0800 Tom Eastep <teastep@shorewall.net> wrote:

> b) add "<external if> <dmz if>" to /etc/shorewall/masq.

Doh -- skip that. That line is already in the /etc/shorewall/masq file that is included in the three-interface sample.

-Tom

-- 
Tom Eastep      \ Shorewall - iptables made easy
AIM: teastep    \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
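The two-local-zone setup Tom describes (three-interface sample plus the "dmz net ACCEPT" policy), written out as an added example in the Shorewall 1.x file format of the time; this is not taken from the thread or from the Shorewall sample files. Interface names eth0/eth1/eth2 come from Sergio's question; the zone names loc/dmz follow the three-interface sample, and interface options are omitted for brevity.

```text
# /etc/shorewall/zones  (added example, Shorewall 1.x column layout)
#ZONE   DISPLAY   COMMENTS
net     Net       Internet (eth0)
loc     Local     LAN A (eth1)
dmz     DMZ       LAN B (eth2); just a second local zone despite the name

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     eth1        detect
dmz     eth2        detect

# /etc/shorewall/policy
# There is deliberately no loc->dmz or dmz->loc policy: the final
# "all all REJECT" catch-all rejects (and logs) traffic between the two LANs.
# A policy such as "loc all ACCEPT" would silently re-open LAN A -> LAN B.
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
dmz       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/masq
# Both LANs are masqueraded behind eth0; the sample already contains both lines.
#INTERFACE   SUBNET
eth0         eth1
eth0         eth2
```

After `shorewall check` and `shorewall restart`, a connection attempt from a LAN A host to a LAN B host should be rejected and appear in the firewall log at the info level, which is the quickest way to confirm the isolation actually took effect.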
Tom beat me again :) (and again while I was writing this...)

To expand on his answer a little: Shorewall blocks everything unless a policy or rule explicitly says to accept it. If traffic is allowed that you don't want to be allowed, it's because you have a policy or rule that explicitly allows it--probably something like "LanA all ACCEPT".

Like Tom said, go back and read the documentation until you get the concepts. If you still have problems, please post your specific configuration with your question. Include at least the zones, rules, and policy files (and probably the interfaces file too). There's not a whole lot we can do with a general question like "is this possible?", although Tom does go to extraordinary lengths to figure out what you really meant.

- Bradey

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday, January 21, 2003 12:31 PM
To: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] Two different LANs...

--On Tuesday, January 21, 2003 9:26 PM +0100 Sergio Navarro i Fajardo <snf@apdo.com> wrote:

> Hi,
>
> I've got a question about how to configure Shorewall, and maybe
> someone could answer.
>
> I have a PC with 3 ethernet interfaces. eth0 connects to the internet, eth1
> connects to LAN A, and eth2 connects to LAN B. I've configured
> Shorewall for doing NAT, and both LANs can navigate, but it seems
> that from a LAN A host you can connect to a PC on LAN B, and the
> other way round. I'd like the LANs not to be able to communicate.
>
> Is it possible?

Sure - and if you had followed the instructions at http://www.shorewall.net/three-interface.htm then you wouldn't be having this problem now.

-Tom

-- 
Tom Eastep      \ Shorewall - iptables made easy
AIM: teastep    \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net