Suppose I have a /24 RFC1918 net as my LOC-zone.

Suppose one host on that net (192.168.221.11) is beyond my control; the
system in question should only be able to talk to .22, .23, .24 and .3.

Can I somehow put that host on its own physical Ethernet interface, and
somehow filter the traffic, without having to do any changes to the
.11-system?

(Running 1.3.14stable-2, I could upgrade if that should be necessary)
On Fri, 30 May 2003 16:43:35 +0200, Jan Johansson <jan.johansson@nwl.se> wrote:

> Suppose I have a /24 RFC1918 net as my LOC-zone.
>
> Suppose one host on that net (192.168.221.11) is beyond my control, the
> system in question should only be able to talk to .22 .23 .24 and .3
>
> Can I somehow put that host on its own physical Ethernet interface, and
> somehow filter the traffic, without having to do any changes to the
> .11-system?
>
> (Running 1.3.14stable-2, I could upgrade if that should be necessary)

Maybe -- you can use Proxy ARP provided that .11 doesn't require broadcasts
to/from the rest of the /24.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
> Maybe -- you can use Proxy ARP provided that .11 doesn't require broadcasts
> to/from the rest of the /24.

Well, AFAIK there is only FTP traffic that I _want_ to bridge.

Uhm, can't I do a "two way" proxy arp, and arp the other two hosts on the
"other" interface? Or am I just plain dumb?

So, the _real_ solution is to move the .11 to a different subnet and route?
On Fri, 30 May 2003 20:02:50 +0200, Jan Johansson <j2@mupp.net> wrote:

>> Maybe -- you can use Proxy ARP provided that .11 doesn't require
>> broadcasts
>> to/from the rest of the /24.
>
> Well, AFAIK there is only FTP traffic that I _want_ to bridge.
>
> Uhm, can't I do a "two way" proxy arp, and arp the other two hosts on the
> "other" interface? Or am I just plain dumb?

You can set the 'proxyarp' option on both interfaces in
/etc/shorewall/interfaces (not dumb at all).

>
> So, the _real_ solution is to move the .11 to a different subnet and
> route?
>

You will be routing either way -- there is no way to do layer 2 bridging
with Shorewall.

-Tom
> You can set the 'proxyarp' option on both interfaces in
> /etc/shorewall/interfaces (not dumb at all).

So, if I have the .11 on eth3 and the rest on eth1 I would do this with
proxyarp?

#ADDRESS        INTERFACE  EXTERNAL  HAVEROUTE
213.212.33.20   eth2       eth0      no
213.212.33.22   eth2       eth0      no
213.212.33.23   eth2       eth0      no
192.168.221.11  eth3       eth1      no
192.168.221.22  eth1       eth3      no
192.168.221.23  eth1       eth3      no
192.168.221.24  eth1       eth3      no
192.168.221.3   eth1       eth3      no

> You will be routing either way -- there is no way to do layer 2 bridging
> with Shorewall.

Uhm, how right you are, guess my thinking cap wasn't on :)
On Sun, 1 Jun 2003 18:11:28 +0200, j2 <spamfilter2@mupp.net> wrote:

>> You can set the 'proxyarp' option on both interfaces in
>> /etc/shorewall/interfaces (not dumb at all).
>
> So, if I have the .11 on eth3 and the rest on eth1 I would do this with
> proxyarp?
>
> #ADDRESS        INTERFACE  EXTERNAL  HAVEROUTE
> 213.212.33.20   eth2       eth0      no
> 213.212.33.22   eth2       eth0      no
> 213.212.33.23   eth2       eth0      no
> 192.168.221.11  eth3       eth1      no
> 192.168.221.22  eth1       eth3      no
> 192.168.221.23  eth1       eth3      no
> 192.168.221.24  eth1       eth3      no
> 192.168.221.3   eth1       eth3      no

All you need is:

192.168.221.11  eth3       eth1      no

-Tom
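One way to stage the configuration Tom's answer implies, together with the filtering the original question asked for, as an added example that is not from the thread or from Shorewall itself. It assumes the zone on eth3 is named dmb (as in the poster's interfaces file), that .11 is the FTP client and the four permitted hosts are its FTP servers, and that Shorewall's default modules load ip_conntrack_ftp for the data channel.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall: stage the
# Shorewall 1.3-style fragments that put the unmanaged host 192.168.221.11
# on eth3 (zone "dmb") behind proxy ARP and let it reach only .22, .23, .24
# and .3 over FTP. Assumptions of mine: .11 is the FTP client, the four
# permitted hosts are the FTP servers, and ip_conntrack_ftp is loaded so the
# data connection is handled by connection tracking.
SHOREWALL_DIR="${SHOREWALL_DIR:-./shorewall-staging}"   # review, then merge into /etc/shorewall
HOST=192.168.221.11
PEERS="192.168.221.22 192.168.221.23 192.168.221.24 192.168.221.3"

write_dmb_config() {
    mkdir -p "$SHOREWALL_DIR"
    # proxyarp: Tom's single required line. HAVEROUTE=no makes Shorewall add
    # the host route via eth3 and answer ARP for .11 on eth1 itself.
    cat >> "$SHOREWALL_DIR/proxyarp" <<EOF
#ADDRESS        INTERFACE  EXTERNAL  HAVEROUTE
$HOST           eth3       eth1      no
EOF
    # policy: deny by default in both directions. Shorewall uses the first
    # matching policy, so these lines must come before any "all all" catch-all.
    cat >> "$SHOREWALL_DIR/policy" <<EOF
#SOURCE  DEST  POLICY  LOG LEVEL
dmb      all   DROP    info
all      dmb   DROP    info
EOF
    # rules: one ACCEPT per permitted peer, FTP control channel (tcp/21) only.
    {
        echo "#ACTION  SOURCE  DEST                  PROTO  DEST PORT(S)"
        for peer in $PEERS; do
            printf 'ACCEPT   dmb     loc:%-16s  tcp    21\n' "$peer"
        done
    } >> "$SHOREWALL_DIR/rules"
}

# Number of ACCEPT rules staged for dmb; should equal the number of peers.
dmb_accept_count() {
    grep -c '^ACCEPT *dmb *loc:' "$SHOREWALL_DIR/rules"
}
```

Run `write_dmb_config` with SHOREWALL_DIR pointed at a scratch directory, inspect the three files, then merge them into /etc/shorewall and `shorewall restart`.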
> You can set the 'proxyarp' option on both interfaces in
> /etc/shorewall/interfaces (not dumb at all).

Wait, what proxyarp option? I didn't think I need to use that?

#ZONE   INTERFACE  BROADCAST  OPTIONS
net     eth0       detect     norfc1918,tcpflags
loc     eth1       detect
dmz     eth2       detect
dmb     eth3       detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
On Sun, 1 Jun 2003 18:14:21 +0200, j2 <spamfilter2@mupp.net> wrote:

>> You can set the 'proxyarp' option on both interfaces in
>> /etc/shorewall/interfaces (not dumb at all).
>
> Wait, what proxyarp option? I didn't think I need to use that?
>
> #ZONE   INTERFACE  BROADCAST  OPTIONS
> net     eth0       detect     norfc1918,tcpflags
> loc     eth1       detect
> dmz     eth2       detect
> dmb     eth3       detect
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>

You were asking about "proxy arping both ways" -- that's one way of doing
it although that is usually only done when you are dealing with entire
(sub)networks rather than

-Tom
On Sun, 01 Jun 2003 09:18:15 -0700, Tom Eastep <teastep@shorewall.net> wrote:

>
> You were asking about "proxy arping both ways" -- that's one way of doing
> it although that is usually only done when you are dealing with entire
> (sub)networks rather than
>

... a single host (hit the send button too quickly).

-Tom
> > You were asking about "proxy arping both ways" -- that's one way of doing
> > it although that is usually only done when you are dealing with entire
> > (sub)networks rather than
> >
>
> ... a single host (hit the send button too quickly).

Well, if it works, and has no adverse effects, I think I'll "stick to what I
know/have done before". Thanks for the help.. Now all I need is a good Quad NIC.