I've created a new document that discusses creating multiple zones accessed through a single firewall interface.

See: http://shorewall.net/shorewall_quickstart_guide.htm

Comments and corrections are welcome.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

On Sun, 9 Nov 2003, Tom Eastep wrote:

> I've created a new document that discusses creating multiple zones
> accessed through a single firewall interface.
>
> See: http://shorewall.net/shorewall_quickstart_guide.htm
>

There's a link from that page -- the page itself is at:

http://shorewall.net/Multiple_Zones.html

-Tom

> http://shorewall.net/Multiple_Zones.html
>

Looks very good Tom.

Small note on the interfaces in the router example - if option routefilter is used you'll end up in trouble by eliminating the 192.168.2.0/24 traffic correct?

Maybe minor but I'm sure someone will get caught on it (as your signature constantly refers).

Thanks again for the great product.

Daniel Black
--
Proudly a Gentoo Linux User.
Gnu-PG/PGP signed and encrypted email preferred
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x32A64DC8

On Mon, 10 Nov 2003, Daniel wrote:

> > http://shorewall.net/Multiple_Zones.html
>
> Looks very good Tom.
>
> Small note on the interfaces in the router example - if option routefilter is
> used you'll end up in trouble by eliminating the 192.168.2.0/24 traffic
> correct?

No. Since the firewall has a route to 192.168.2.0/24 via eth1, it will accept traffic from 192.168.2.0/24 on that interface.

-Tom

On Mon, 10 Nov 2003, Tom Eastep wrote:

> On Mon, 10 Nov 2003, Daniel wrote:
>
> > Small note on the interfaces in the router example - if option routefilter is
> > used you'll end up in trouble by eliminating the 192.168.2.0/24 traffic
> > correct?
>
> No. Since the firewall has a route to 192.168.2.0/24 via eth1, it will
> accept traffic from 192.168.2.0/24 on that interface.
>

I've updated the doc to point out that even if it is possible to use the standard Shorewall configuration, it is still necessary to add a route on the firewall for 192.168.2.0/24 through the router.

-Tom
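
The point settled in this thread, as an added example that is not part of the original messages or of Shorewall: a simplified model of the strict reverse-path check that routefilter turns on, run against a firewall routing table with and without the route to 192.168.2.0/24. The eth0 default route, the 192.168.1.0/24 local network and the host address 192.168.2.10 are constructed assumptions; only eth1 and 192.168.2.0/24 come from the thread.

```python
import ipaddress


def table(*entries):
    """Build a routing table from (prefix, outgoing interface) pairs."""
    return [(ipaddress.ip_network(net), dev) for net, dev in entries]


def lookup(routes, addr):
    """Longest-prefix match: the interface used to send a packet to addr."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, dev) for net, dev in routes if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def rp_filter_accepts(routes, src, in_dev):
    """Strict reverse-path check: accept a packet only when the route back
    to its source address leaves through the interface it arrived on."""
    return lookup(routes, src) == in_dev


# Constructed firewall tables. The gateway (the internal router) is left out
# because the check only compares interfaces.
WITHOUT_ROUTE = table(("0.0.0.0/0", "eth0"), ("192.168.1.0/24", "eth1"))
WITH_ROUTE = table(("0.0.0.0/0", "eth0"), ("192.168.1.0/24", "eth1"),
                   ("192.168.2.0/24", "eth1"))


def demo():
    src = "192.168.2.10"  # constructed host behind the internal router
    return {
        # No specific route: the reverse path is the default route on eth0,
        # so the packet arriving on eth1 fails the check (Daniel's concern).
        "eth1, no route": rp_filter_accepts(WITHOUT_ROUTE, src, "eth1"),
        # Route via eth1 present: the packet passes (Tom's answer).
        "eth1, with route": rp_filter_accepts(WITH_ROUTE, src, "eth1"),
        # Same source arriving on eth0 is rejected as spoofed.
        "eth0, with route": rp_filter_accepts(WITH_ROUTE, src, "eth0"),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accept' if accepted else 'drop'}")
```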