Dear List,

I am trying to setup shorewall on a co-located server which is part of a /24 network of which I have 5 IP addresses. Here is my setup in more detail:

[root@mail root]# shorewall version
2.0.9
[root@mail root]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:c0:9f:3d:12:41 brd ff:ff:ff:ff:ff:ff
    inet 217.112.90.114/24 brd 217.112.90.255 scope global eth0
    inet 217.112.90.115/24 brd 217.112.90.255 scope global secondary eth0:0
    inet 217.112.90.116/24 brd 217.112.90.255 scope global secondary eth0:1
    inet 217.112.90.117/24 brd 217.112.90.255 scope global secondary eth0:2
    inet 217.112.90.118/24 brd 217.112.90.255 scope global secondary eth0:3
    inet 217.112.90.119/24 brd 217.112.90.255 scope global secondary eth0:4
    inet 217.112.90.120/24 brd 217.112.90.255 scope global secondary eth0:5
[root@mail root]# ip route show
217.112.90.0/24 dev eth0 proto kernel scope link src 217.112.90.114
169.254.0.0/16 dev eth0 scope link
default via 217.112.90.1 dev eth0
[root@mail root]#

As I only have a single "real" network interface I simply want to restrict access on a per IP basis. Firstly I'd like to know if this is possible with Shorewall? The documentation seems to indicate Shorewall is for dedicated firewalls rather than protecting a single host - is this correct?

Reading the article on virtual IPs I can see that I could set rules as follows:

ACCEPT net $FW:206.124.146.178 tcp 22

Which I think is what I need. What I don't understand is how I would setup /etc/shorewall/policy as really I only have one zone.

Can anyone advise if what I need is possible and how I would setup the policy file? If it is possible, is there anything else I should take in to consideration?

Thanks,
Nick
Tom Eastep
2004-Oct-24 15:36 UTC
Re: Shorewall with a single interface and multiple aliases
On Sunday 24 October 2004 04:28, Nick Chettle wrote:

> Reading the article on virtual IPs I can see that I could set rules as
> follows:
>
> ACCEPT net $FW:206.124.146.178 tcp 22

That's correct.

> Which I think is what I need. What I don't understand is how I would
> setup /etc/shorewall/policy as really I only have one zone.
>
> Can anyone advise if what I need is possible and how I would setup the
> policy file? If it is possible, is there anything else I should take in
> to consideration?

You still only have two zones -- $FW and 'net'. So you probably just want the policy file that you downloaded in from the 'standalone' sample.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
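The two-zone standalone layout the reply describes, written out for the addresses in the question as an added example (not either poster's files): the policy file follows the Shorewall 2.x 'standalone' sample, and the per-address rules use $FW:address exactly as the virtual IP article shows. Which service is exposed on which alias is an assumption made up for the example; the Shorewall 2.x column layout and the FW= setting in shorewall.conf are assumed to match this 2.0.9 install.

```text
# /etc/shorewall/shorewall.conf (only the line that matters here)
# In Shorewall 2.x the firewall zone is named here, not in the zones file.
FW=fw

# /etc/shorewall/zones
#ZONE   DISPLAY   COMMENTS
net     Net       Internet

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter,tcpflags

# /etc/shorewall/policy  -- the 'standalone' sample policy
#SOURCE   DEST   POLICY   LOG LEVEL
$FW       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules
# Per-alias restrictions on the one physical interface. The service-to-address
# mapping below is constructed for illustration; adjust it to the real hosts.
#ACTION   SOURCE   DEST                   PROTO   DEST PORT(S)
ACCEPT    net      $FW:217.112.90.114     tcp     22
ACCEPT    net      $FW:217.112.90.115     tcp     25
ACCEPT    net      $FW:217.112.90.116     tcp     80,443
# Anything not matched above falls through to the net -> all DROP policy,
# so the remaining aliases (.117 to .120) accept no inbound connections.
```

Run `shorewall check` after editing to have Shorewall parse the files before you restart, and confirm from a second machine that SSH on .114 still answers before closing the session you edited from.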