Hi,

I have read the Getting Started but didn't find the necessary information on how to set up a poorman's shorewall with only one ethernet card. Using the alias feature, I can set up my internal subnet, say 192.168.1.x, where I also run a DNS and DHCP server for passing out 192.168.1.x addresses to the clients. The external IP (known to the public) is acquired by DHCP from the ISP. So all the machines (as well as the cable modem) will be plugged into the same hub/switch. I know this is not recommended, but I just can't add another NIC card to the firewall machine.

With the proper setup of dhclient.conf, I can force it to wait for the DHCP offer from the ISP instead of my own DHCP server, so this part is working nicely.

The next task is how to associate the external zone to the public IP and the local zone to the internal IP. I have found that I can link a zone to a particular host (IP) or subnet using the /etc/shorewall/hosts file, which is almost all I needed (so far) if I understand it correctly. The only problem is that I need to first acquire the public IP, note it, then enter it into the hosts file. In case my ISP changes the IP passed out to me, I have to redo this modification again.

Is there a way to do it the following way: specify 'eth0' as the 'net' zone in the /etc/shorewall/interfaces file and eth0:192.168.1.1/24 in the /etc/shorewall/hosts file for the loc zone? The comment in the interfaces file hints that I should use '-' if an interface serves multiple zones and specify them in hosts. It is effectively saying 'consider eth0 (probably all the aliases it has as well) as one zone specified in the interfaces file, BUT if there is an exception found in hosts, then exclude that from this zone and treat it as the zone specified in hosts'.

If it can be done, that is nice; otherwise, I need to find out how to automate the changes triggered by a change of external IP.

thanks.
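A configuration sketch of the single-interface layout described in the question, added here as an example and not taken from the original post or from the Shorewall project; the zone names, the 192.168.1.0/24 subnet and the Shorewall 1.x column layout are assumptions:

```text
# /etc/shorewall/zones
# Assumption: the more specific zone (loc) is listed before the zone that
# contains it (net), since zone order decides which one an address matches.
#ZONE   DISPLAY     COMMENTS
loc     Local       Internal LAN on the single NIC (192.168.1.0/24)
net     Net         Internet, reached through the cable modem on the same segment

# /etc/shorewall/interfaces
# '-' in the ZONE column means the zones on eth0 are defined in hosts.
# 'dhcp' because eth0 runs the local DHCP server and is itself a DHCP client.
#ZONE   INTERFACE   BROADCAST   OPTIONS
-       eth0        detect      dhcp

# /etc/shorewall/hosts
# Zone membership by address, so the public IP is never written here and a
# new lease from the ISP needs no edit.
#ZONE   HOST(S)                 OPTIONS
loc     eth0:192.168.1.0/24
net     eth0:0.0.0.0/0
```

Because every host shares the modem's segment, the firewall only mediates traffic that is actually routed through it; it cannot enforce isolation between the LAN hosts and the modem at the link layer, which is the risk the question already acknowledges.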
Tom Eastep
2003-Oct-09 18:28 UTC
[Shorewall-users] poorman''s firewall with single interface
On Thu, 9 Oct 2003, gary ng wrote:

> Hi,
>
> I have read the Getting Started but didn't find the
> necessary information on how to setup a poorman's
> shorewall with only one ethernet card.
>

Gary -- check the archives. I've described how to do this a couple of times.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net