Dear all,

I've got a problem, my shorewall configuration:

#ifconfig:
eth0: 202.158.x.y (net)
eth1: 192.168.1.1 (local)
eth2: 202.158.x.z (dmz)

/etc/shorewall/rules:
ACCEPT  pcwars  net  tcp  -
ACCEPT  pcwars  dmz  tcp  www,ftp,smtp
DROP    loc     net  -    -

/etc/shorewall/interfaces:
net  eth0  -
eth1 192.168.1.255
dmz  eth2

/etc/shorewall/zones:
loc     Local     Local Networks
net     Internet  Internet
dmz     DMZ       Demilitarized zone
pcwars  wars      PC Wars

/etc/shorewall/hosts:
pcwars  eth1:192.168.1.42

/etc/shorewall/masq:
eth0  192.168.1.0/24  202.158.x.y

/etc/shorewall/policy:
fw   net  accept
net  dmz  accept
net  all  drop    info
all  all  reject  info

My questions: I want one host (pcwars) connected to the internet with all services, and everything from loc to the internet dropped, but it's not working?

If I change the line in my rules file to:
ACCEPT  loc  net  tcp  -
it's working! But then all PCs on the local network can access the internet :-(

Help me... please...

-- 
Best regards,
Warsono
On Fri, 23 May 2003 07:36:56 +0700, Warsono <warsono@astra-agro.co.id> wrote:

> /etc/shorewall/zones:
> loc     Local     Local Networks
> net     Internet  Internet
> dmz     DMZ       Demilitarized zone
> pcwars  wars      PC Wars

Move 'pcwars' to the top of the file.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Dear Tom,

Thanks Tom, now it works!

My question again ;-)

1. How many host names can be registered in the zones/hosts files? Could I put more than 100 IP addresses in the hosts + zones files?

2. Does shorewall support grouping hosts in rules? For example:
ACCEPT  group_hosts  net  tcp  www,ftp,domain,pop3,smtp  -

Thank you.

Friday, May 23, 2003, 7:40:06 AM, you wrote:

TE> On Fri, 23 May 2003 07:36:56 +0700, Warsono <warsono@astra-agro.co.id>
TE> wrote:
>> /etc/shorewall/zones:
>> loc     Local     Local Networks
>> net     Internet  Internet
>> dmz     DMZ       Demilitarized zone
>> pcwars  wars      PC Wars
TE> Move 'pcwars' to the top of the file.

-- 
Best regards,
Warsono
On Fri, 23 May 2003 08:32:18 +0700, Warsono <warsono@astra-agro.co.id> wrote:

> Dear Tom,
> Thanks Tom, now it works!
> My question again ;-)
> 1. How many host names can be registered in the zones/hosts files? Could I put
> more than 100 IP addresses in the hosts + zones files?

Yes, although it would be slow both in starting Shorewall and at runtime. If you wanted to put a number of hosts in one zone, you can reduce the overhead by using subnets. For example, if you wanted 192.168.1.0 - 192.168.1.25, you would have just three entries rather than 25:

192.168.1.0/28
192.168.1.16/29
192.168.1.25

> 2. Does shorewall support grouping hosts in rules? For example:
> ACCEPT  group_hosts  net  tcp  www,ftp,domain,pop3,smtp  -

The 'group_hosts' must be defined as a zone -- that is the only grouping of hosts supported by Shorewall.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
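The subnet trick Tom describes above, as an added example that is not part of the thread or of Shorewall itself: it summarizes an address range into the minimal set of CIDR blocks, emits /etc/shorewall/hosts lines in the `zone interface:network` form used in Warsono's config, and checks that every address in the range is actually covered before you commit the entries. The zone and interface names are only the ones from the thread; the functions are assumed helpers, not Shorewall commands.

```python
import ipaddress


def summarize_range(first: str, last: str) -> list[str]:
    """Minimal list of CIDR blocks covering first..last inclusive.

    Uses the standard library's summarize_address_range, which yields
    the largest aligned blocks that fit inside the range, in order.
    """
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def hosts_entries(zone: str, interface: str, first: str, last: str) -> list[str]:
    """Build /etc/shorewall/hosts lines (ZONE  INTERFACE:NETWORK) for a range.

    One line per summarized block instead of one line per host, which is
    what keeps the generated ruleset (and Shorewall start time) small.
    """
    return [f"{zone}  {interface}:{net}" for net in summarize_range(first, last)]


def uncovered(blocks: list[str], first: str, last: str) -> list[str]:
    """Return every address in first..last that no block in `blocks` matches.

    Run this over a hand-written block list before installing it: an
    address that falls through the subzone lands in the parent zone (loc
    here) and gets that zone's policy instead of the intended one.
    """
    nets = [ipaddress.ip_network(b) for b in blocks]
    start = int(ipaddress.ip_address(first))
    end = int(ipaddress.ip_address(last))
    missing = []
    for raw in range(start, end + 1):
        addr = ipaddress.ip_address(raw)
        if not any(addr in net for net in nets):
            missing.append(str(addr))
    return missing


if __name__ == "__main__":
    # Constructed input: the range from the thread, for the pcwars zone on eth1.
    for line in hosts_entries("pcwars", "eth1", "192.168.1.0", "192.168.1.25"):
        print(line)
    blocks = summarize_range("192.168.1.0", "192.168.1.25")
    print("uncovered:", uncovered(blocks, "192.168.1.0", "192.168.1.25"))
```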