Stephen Felisan
2003-May-03 16:48 UTC
[Shorewall-users] One interface with Local zone & Internet zone?
I'm running Shorewall 1.4.2 on a (Linux) box with only one (eth0) interface. This interface is connected to a switch which is connected to a DSL router. I've got two other (Windows) machines with public IP addresses connected to the same switch.

I'd like to create a "local" zone in which I can define special policy/rules. Obviously, because of my network topology, this zone would be a subset of the Internet ("net" on eth0) zone I've already defined. I've read in the Shorewall Reference Manual that I "probably DON'T want to specify any hosts for my internet zone since the hosts that I specify will be the only ones that you will be able to access". What is the best way to accomplish what I want to do?

Stephen
Tom Eastep
2003-May-03 20:46 UTC
[Shorewall-users] One interface with Local zone & Internet zone?
On Sat, 3 May 2003 16:47:38 -0700, Stephen Felisan <stephen@felisan.com> wrote:

> I'm running Shorewall 1.4.2 on a (Linux) box with only one (eth0)
> interface. This interface is connected to a switch which is connected to
> a DSL router. I've got two other (Windows) machines with public IP
> addresses connected to the same switch.
> I'd like to create a "local" zone in which I can define special
> policy/rules. Obviously, because of my network topology, this zone would
> be a subset of the Internet ("net" on eth0) zone I've already defined.
> I've read in the Shorewall Reference Manual that I "probably DON'T want
> to specify any hosts for my internet zone since the hosts that I specify
> will be the only ones that you will be able to access". What is the best
> way to accomplish what I want to do?

The BEST way is to buy a cross-over cable and another NIC.

The second best way is to define the loc zone using the hosts file.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-May-04 17:01 UTC
[Shorewall-users] One interface with Local zone & Internet zone?
On Sun, 4 May 2003 16:54:40 -0700, Stephen Felisan <stephen@felisan.com> wrote:

> Tom,
>
> Thanks for the quick reply. I'd rather not have to deal with putting
> another Ethernet card in (and if I do, I don't think I'll need a
> cross-over cable -- I can use a regular 10Base-T cable straight into my
> switch, no?). Regarding your second suggestion, I DID try to define a
> "loc" zone in my hosts file (I also created a "work" zone too), but
> things didn't seem to work -- namely, from my (fw) Linux box, I wasn't
> able to go to the "net" using a browser, ping, etc. I figured it had
> something to do with overlapping zones (I had read something in the
> manual about using the CONTINUE rule and I tried it, but it still didn't
> work).
>

Well, you have my sympathy but that's about all you are going to get from reports that say "I tried X and Y and neither worked".

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-May-04 17:19 UTC
[Shorewall-users] One interface with Local zone & Internet zone?
On Sun, 4 May 2003, Tom Eastep wrote:

> On Sun, 4 May 2003 16:54:40 -0700, Stephen Felisan <stephen@felisan.com>
> wrote:
>
> > Thanks for the quick reply. I'd rather not have to deal with putting
> > another Ethernet card in (and if I do, I don't think I'll need a
> > cross-over cable -- I can use a regular 10Base-T cable straight into my
> > switch, no?). Regarding your second suggestion, I DID try to define a
> > "loc" zone in my hosts file (I also created a "work" zone too), but
> > things didn't seem to work -- namely, from my (fw) Linux box, I wasn't
> > able to go to the "net" using a browser, ping, etc. I figured it had
> > something to do with overlapping zones (I had read something in the
> > manual about using the CONTINUE rule and I tried it, but it still didn't
> > work).
> >
>
> Well, you have my sympathy but that's about all you are going to get from
> reports that say "I tried X and Y and neither worked".
>

The only obvious thing to mention with nested zones is that the order that the zones appear in /etc/shorewall/zones determines which zone's rules get processed first.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
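An added example of the hosts-file approach Tom describes, with the nested loc zone listed ahead of net as he points out (this is not configuration from the thread or from the Shorewall project): Shorewall 1.4 fragments that carve a loc zone for the two Windows hosts out of the single eth0 interface. The 192.0.2.x addresses are constructed placeholders for the real public addresses, the zone name fw follows the FW=fw default in shorewall.conf, and the services the loc hosts may reach on the firewall (SSH, ping) are assumed.

```conf
# /etc/shorewall/zones
# loc is listed BEFORE net: a packet from a host that belongs to both
# zones is matched against the rules of the zone listed first.
#ZONE   DISPLAY         COMMENTS
loc     Local           The two Windows hosts on the same switch
net     Net             Everything reachable through the DSL router

# /etc/shorewall/interfaces
# "-" in the ZONE column means eth0 carries more than one zone; the
# zones on it are then defined in /etc/shorewall/hosts instead.
#ZONE   INTERFACE       BROADCAST       OPTIONS
-       eth0            detect

# /etc/shorewall/hosts
# Constructed addresses (192.0.2.0/24 is the documentation range).
# net is given 0.0.0.0/0 so that the manual's caveat ("the hosts you
# specify will be the only ones you can access") does not bite.
#ZONE   HOST(S)                         OPTIONS
loc     eth0:192.0.2.11,192.0.2.12
net     eth0:0.0.0.0/0

# /etc/shorewall/policy
# The firewall may open connections to either zone. Inbound traffic
# from both zones is dropped by default and logged; the loc hosts get
# selected services through explicit rules rather than a blanket ACCEPT.
#SOURCE DEST    POLICY          LOG LEVEL
fw      loc     ACCEPT
fw      net     ACCEPT
loc     fw      DROP            info
net     fw      DROP            info
all     all     REJECT          info

# /etc/shorewall/rules
# Because loc precedes net in zones, a connection from 192.0.2.11 to
# the firewall is checked against the loc->fw rules first, so SSH and
# ping from the two loc hosts are accepted while the same traffic from
# any other net host still falls to the net->fw DROP policy.
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT  loc     fw      tcp     22
ACCEPT  loc     fw      icmp    8
```

After editing, `shorewall check` validates the files and `shorewall show zones` confirms which hosts landed in loc and which in net.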
Tom Eastep
2003-May-05 06:43 UTC
[Shorewall-users] One interface with Local zone & Internet zone?
On Sun, 4 May 2003 22:19:41 -0700, Stephen Felisan <stephen@felisan.com> wrote:

> Sorry -- I knew better than to not include specifics. I'll give the
> nested zone thing another try now that I know that it's "legal" to do
> this with only one interface (the instructions I read led me to
> believe that nesting may only be applicable when it is occurring on the
> non-"net" interface).

Once again -- Shorewall itself doesn't have any concept of 'Internet' or 'Local' interfaces. Shorewall attaches no meaning to the names assigned to zones and the only zone with any special semantics is the $FW zone that refers to the firewall itself.

> I'll give it another crack later this week. Thanks
> again and for this great work.

Keep us advised of your progress.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net