I have a zone on the firewall called "loc" and its interface is eth1:192.168.23.1. An OpenVPN server is in this zone and it has a virtual subnet of 192.168.222.0. The real interface on this vpn machine is eth0:192.168.23.50 and it forwards 192.168.222.0 traffic to its gateway (192.168.23.1). How do I tell shorewall that "loc" zone rules can also apply to 192.168.222.0?

I think I want something like this but it doesn't work.

/etc/shorewall/rules

loc:192.168.222.0 dmz:192.168.38.10 icmp 8

(I've manually added "route add -net 192.168.222.0 netmask 255.255.255.0 gw 192.168.23.50" to the firewall - is there a way to tell shorewall to add this automatically?)
Matt Burleigh wrote:

> I have a zone on the firewall called "loc" and its interface is
> eth1:192.168.23.1. An OpenVPN server is in this zone and it has a
> virtual subnet of 192.168.222.0. The real interface on this vpn
> machine is eth0:192.168.23.50 and it forwards 192.168.222.0 traffic to
> its gateway (192.168.23.1). How do I tell shorewall that "loc" zone
> rules can also apply to 192.168.222.0.
> I think I want something like this but it doesn't work.
> /etc/shorewall/rules
>
> loc:192.168.222.0 dmz:192.168.38.10 icmp 8

Now this works but I don't want to specify every host for every rule.

loc:192.168.222.20 dmz:192.168.38.10 icmp 8
Matt Burleigh wrote:

> Matt Burleigh wrote:
>
>> I have a zone on the firewall called "loc" and its interface is
>> eth1:192.168.23.1. An OpenVPN server is in this zone and it has a
>> virtual subnet of 192.168.222.0. The real interface on this vpn
>> machine is eth0:192.168.23.50 and it forwards 192.168.222.0 traffic to
>> its gateway (192.168.23.1). How do I tell shorewall that "loc" zone
>> rules can also apply to 192.168.222.0.
>> I think I want something like this but it doesn't work.
>> /etc/shorewall/rules
>>
>> loc:192.168.222.0 dmz:192.168.38.10 icmp 8
>
> Now this works but I don't want to specify every host for every rule.
>
> loc:192.168.222.20 dmz:192.168.38.10 icmp 8

I'm having a hard time trying to understand what problem you're having, but I think that http://shorewall.net/Multiple_Zones.html is relevant. That article talks about routers and VPN servers in the local zone.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
> I'm having a hard time trying to understand what problem you're having

I think he wants to have two networks behind the same interface?

On Friday 09 July 2004 22:59, Matt Burleigh wrote:

> How do I tell shorewall that "loc" zone rules can also apply to
> 192.168.222.0.

This is where I guessed that from. Maybe he should just have a /16 netmask :) Or use the hosts file. From /etc/shorewall/hosts:

# THERE ARE TWO CASES WHERE YOU NEED THIS FILE:
# ....
# 2) YOU HAVE MORE THAN ONE ZONE CONNECTED THROUGH A SINGLE
# INTERFACE.

Add all the networks that are in the loc zone here instead of using the /etc/shorewall/interfaces file.

> Now this works but I don't want to specify every host for every rule.
>
> loc:192.168.222.20 dmz:192.168.38.10 icmp 8

Netmasks :)

loc:192.168.222.0/24

Alex
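Putting Alex's two suggestions together, here is what the relevant Shorewall files look like for the setup Matt describes. This is an added illustration, not configuration posted in the thread: the three-column Shorewall 2.x layout, the use of "-" in the ZONE column so that eth1's zone membership comes from the hosts file, and the placement of the return route in the /etc/shorewall/start extension script are my assumptions about that release; the IP addresses are the ones from Matt's message.

```text
# /etc/shorewall/interfaces
# ZONE is "-" for eth1 so that the networks reachable through it are
# listed in /etc/shorewall/hosts rather than implied by the interface.
# (Other interfaces are unchanged and omitted here.)
#ZONE   INTERFACE   BROADCAST   OPTIONS
-       eth1        detect

# /etc/shorewall/hosts
# Both the directly attached LAN and the OpenVPN virtual subnet, which is
# routed through the VPN server at 192.168.23.50, belong to "loc".
#ZONE   HOST(S)                  OPTIONS
loc     eth1:192.168.23.0/24
loc     eth1:192.168.222.0/24

# /etc/shorewall/rules
# A netmask in the SOURCE column covers every VPN client, so there is no
# need for one rule per host. Note the ACTION column, which the rule in
# the original post left out.
#ACTION SOURCE                   DEST                 PROTO   DEST PORT(S)
ACCEPT  loc:192.168.222.0/24     dmz:192.168.38.10    icmp    8

# /etc/shorewall/start
# Shorewall of this era does not manage static routes itself; this file is
# a shell fragment it runs after the firewall is up (assumed; check the
# docs for your version). Without this route, replies from the dmz host to
# 192.168.222.x leave via the firewall's default gateway instead of the
# VPN server. "ip route replace" is used so re-running it is harmless.
ip route replace 192.168.222.0/24 via 192.168.23.50 dev eth1
```

One caveat worth keeping in mind with this layout: both subnets share eth1, so a host on 192.168.23.0/24 that forges a 192.168.222.x source address matches the same loc-zone rules as a genuine VPN client. If the VPN subnet needs to be trusted differently from the LAN, give it its own zone in /etc/shorewall/zones and /etc/shorewall/hosts rather than folding it into "loc", which is the situation the Multiple_Zones article Tom pointed to covers.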
Alexander Gretencord wrote:

>> Now this works but I don't want to specify every host for every rule.
>>
>> loc:192.168.222.20 dmz:192.168.38.10 icmp 8
>
> Netmasks :)
>
> loc:192.168.222.0/24

This is what I needed. I figured it out by RTFM, actually looking at the examples in the interfaces file. Sorry, dumb question.