Dear all,
In my understanding of Shorewall, I've tried a setup in order to
dynamically allow/prohibit internet access for a subset of systems located
on the LAN side, i.e.:
shorewall.conf:
    DYNAMIC_ZONES=Yes

zones:
    test    Testing    Tests ongoing (dynamic)
    users   Users      Users on the LAN
    lan     LAN        Local Area Network
    net     Inet       Internet

interfaces:
    net     eth0    detect
    lan     eth1    detect

hosts:
    users   eth1:10.0.1.128/25    # Embedded in LAN zone (subzone)
    #test   eth1                  # Undef here - i.e: dynamic
    #lan    eth1:10.0.1.0/24      # defined implicitly
    #net    eth0:0.0.0.0/0        # defined implicitly

policy:
    fw      all     REJECT  info
    net     all     DROP    info
    test    all     DROP    info
    users   all     REJECT  info
    lan     all     DROP    info
    all     all     DROP    info

rules (excerpt):
    ACCEPT  test    net     tcp     http,rsync
    ACCEPT  test    net     icmp    echo-request
    ACCEPT  users   net     tcp     http,https,ftp,smtp,...
This setup seems to work. If I call 'shorewall add eth1:10.0.1.1 test',
the system 10.0.1.1 is then allowed to ping systems on the internet.
When I delete 10.0.1.1, it can't ping anymore.
But in the Shorewall documentation, the explanation of dynamic zones is
so closely related to VPN that I wanted to be sure whether such a use is
'valid' in Shorewall terms, or if there are known issues about
this?
Many thanks in advance for your hints
Kindest regards
Bertrand
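An added example, not part of Bertrand's post or of Shorewall itself: a small POSIX sh wrapper around the 'shorewall add' / 'shorewall delete' commands used above, which refuses any address outside the LAN subnet before touching the dynamic zone and logs each change via syslog. The interface (eth1), zone name (test) and subnet (10.0.1.0/24) are taken from the post; SHOREWALL, LAN_CIDR, ip_to_int, in_lan, allow_host and revoke_host are assumed names.

```shell
#!/bin/sh
# Wrapper for adding/removing LAN hosts to the dynamic "test" zone.
# Added example; not the original poster's or Shorewall's own code.
set -eu

SHOREWALL="${SHOREWALL:-shorewall}"   # command to invoke (assumption)
IFACE="eth1"                          # LAN interface from the post
ZONE="test"                           # dynamic zone from the post
LAN_CIDR="10.0.1.0/24"                # LAN subnet from the post

# Print a dotted-quad IPv4 address as a 32-bit integer; fail on malformed input.
ip_to_int() {
    oldifs="$IFS"; IFS=.
    set -- $1
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    n=0
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
        n=$(( n * 256 + o ))
    done
    echo "$n"
}

# Succeed only if the address lies inside LAN_CIDR (prefix compare via mask).
in_lan() {
    net="${LAN_CIDR%/*}"; bits="${LAN_CIDR#*/}"
    mask=$(( 4294967296 - (1 << (32 - bits)) ))
    a=$(ip_to_int "$1") || return 1
    b=$(ip_to_int "$net") || return 1
    [ $(( a & mask )) -eq $(( b & mask )) ]
}

# Add a host to the dynamic zone, but only if it is a LAN address.
allow_host() {
    in_lan "$1" || { echo "refusing: $1 is not in $LAN_CIDR" >&2; return 1; }
    "$SHOREWALL" add "$IFACE:$1" "$ZONE"
    logger -t dynzone "added $1 to zone $ZONE on $IFACE"
}

# Remove a host from the dynamic zone again.
revoke_host() {
    "$SHOREWALL" delete "$IFACE:$1" "$ZONE"
    logger -t dynzone "removed $1 from zone $ZONE on $IFACE"
}

case "${1:-}" in
    add)    allow_host "$2" ;;
    delete) revoke_host "$2" ;;
    '')     ;;                      # no arguments: only define functions
    *)      echo "usage: $0 add|delete <ip>" >&2; exit 2 ;;
esac
```

Run as 'sh dynzone.sh add 10.0.1.1' or 'sh dynzone.sh delete 10.0.1.1'; the syslog entries give you an audit trail of who was granted internet access and when.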