egon phillips wrote:
>> In the future, please direct your Shorewall
>> questions to the Shorewall
>> User's mailing list (shorewall-users@lists.sourceforge.net).
>
> I will do so.
The future is now!
>>
>>Hopefully you followed the instructions in the HOWTOs at
>>http://www.shorewall.net/shorewall_quickstart_guide.htm.
>
> Yes, the quickstart_guide, and the config files as
> well as your recipes. I've just gone back and read
> the faqs, and the multiple interfaces document you
> suggested.
>
> In the zones file, "net" takes on the value "ipv4", as
> per the shorewall/zones example. When I leave "net"
> unspecified in the host file, it appears to behave as
> "all"; however, I notice that some external addresses
> are mapped to loc2all, or fw2all.
99% of Shorewall users have no entries in the /etc/shorewall/hosts file
so I don't understand what you mean by "appears to behave as
'all'".
Please elaborate.
> So, I guess I'm having trouble understanding the relationship between
> ipv4 and the shorewall/hosts.
There is none. Entries in /etc/shorewall/zones *declare* zone names and
associate them with a type of zone (net, firewall, or ipv4). THAT IS ALL
THAT THESE ENTRIES DO. The definition of the hosts included in the zone
is done in /etc/shorewall/interfaces and in /etc/shorewall/hosts. When
you associate a zone name with an interface name in
/etc/shorewall/interfaces, that means that the zone consists of all
hosts that communicate with the firewall through that device.
I've changed the wording in the Introduction to Shorewall
(http://www1.shorewall.net/Introduction.html) in an effort to make the
distinction between declaring zones (/etc/shorewall/zones) and defining
their contents (/etc/shorewall/interfaces and /etc/shorewall/hosts).
Hope that helps.
> If I want "net" to refer to external addresses (not rfc1918, not
> 127.0.0.0/8 or 169.254.0.0/16) what should I assign to
> "net" in the shorewall/hosts file?
As stated at the top of the /etc/shorewall/hosts file, the *only* time
that you need to use entries in that file is when you have more than one
zone defined through a particular interface.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
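An added example, not from the thread or from the Shorewall project: it stages the three files the reply distinguishes (zones declares names and types; interfaces and hosts define contents, with hosts only needed for eth1 because two zones share it) and then cross-checks that every zone used is declared and every "-" interface is covered. The staging directory, interface names and address ranges are assumed/constructed; nothing is written to a live /etc/shorewall.

```shell
# Stage directory is an assumption; override with SHOREWALL_STAGE if needed.
STAGE="${SHOREWALL_STAGE:-${TMPDIR:-/tmp}/shorewall-example}"

write_example_config() {
  mkdir -p "$STAGE"
  # zones: only DECLARES zone names and their type; no hosts are named here.
  cat > "$STAGE/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
EOF
  # interfaces: net is everything reached through eth0. eth1 carries two
  # zones, so its ZONE column is "-" and hosts supplies the definition.
  cat > "$STAGE/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs
-       eth1        detect
EOF
  # hosts: constructed address ranges splitting eth1 between loc and dmz.
  cat > "$STAGE/hosts" <<'EOF'
#ZONE   HOST(S)                 OPTIONS
loc     eth1:192.168.1.0/24
dmz     eth1:192.168.2.0/24
EOF
}

# Returns 0 when every zone referenced in interfaces/hosts is declared in
# zones and every "-" interface has at least one hosts entry; otherwise
# prints each problem and returns 1.
check_zone_references() {
  status=0
  declared=" $(awk '!/^#/ && NF {print $1}' "$STAGE/zones" | tr '\n' ' ')"
  for z in $(awk '!/^#/ && NF && $1 != "-" {print $1}' \
               "$STAGE/interfaces" "$STAGE/hosts"); do
    case "$declared" in
      *" $z "*) ;;
      *) echo "zone '$z' is used but not declared in zones"; status=1 ;;
    esac
  done
  for i in $(awk '!/^#/ && $1 == "-" {print $2}' "$STAGE/interfaces"); do
    grep -q "^[^#].*[[:space:]]$i:" "$STAGE/hosts" \
      || { echo "interface $i has zone '-' but no hosts entry"; status=1; }
  done
  return $status
}
```

Running write_example_config followed by check_zone_references reproduces the layout the reply describes; adding a hosts line for a zone that zones never declares makes the check fail, which is the mismatch the original poster was hitting.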