Shorewall users - May 2007 - Multiple subnets on same interface

Hello list !

I''m having a little issue with the shorewall firewall. I want to break
a
large lan into multiple subnets and after i read the faq i understood that
shorewall only supports adding rules for aliased interfaces but not for
the whole subnet they are on.

My setup is one gateway that sits on multiple subnets but i cannot find
any means to control the traffic flowing between the separate subnets ans
internet.

Maybe someone that has this setup can guide on how to properly configure
shorewall to make it function in my setup too ?


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

The problem i''m having is that the subnets cannot communicate with one
another.
I have two subnets that must communicate with one another but i can''t
seem
to make it work !

This is the message i receive after i issue the "shorewall restart"
command >
"The routeback option may not be specified on a multi-zone interface"

here''s my configuration files:

(internet ip address hidden as 0.0.0.0)
venet0 is a virtual interface made by openvz (see www.openvz.org)

interfaces:

net     eth0            0.0.0.0
-       eth1            192.168.0.255,192.168.1.255,192.168.2.255
(optional routeback)
loc_v   venet0          192.168.100.255 routeback

zones:

fw      firewall
net     ipv4
loc     ipv4
loc_v   ipv4
wox     ipv4
prg     ipv4

policy:

fw              net             ACCEPT
loc_v           net             ACCEPT

loc             fw              ACCEPT
loc_v           fw              ACCEPT

loc             loc_v           ACCEPT
loc_v           loc             ACCEPT

fw              loc             ACCEPT
fw              loc_v           ACCEPT

wox             net             ACCEPT
wox             loc_v           ACCEPT
wox             loc             ACCEPT
wox             fw              ACCEPT

prg             loc_v           ACCEPT
prg             loc             ACCEPT
prg             net             ACCEPT
prg             fw              ACCEPT

loc             wox             ACCEPT
loc_v           wox             ACCEPT

loc             prg             ACCEPT
loc_v           prg             ACCEPT

fw              wox             ACCEPT
fw              prg             ACCEPT

net             all             REJECT
all             all             REJECT

rules:

# permitem accesul la mail
ACCEPT  loc             net             tcp     25
ACCEPT  loc             net             tcp     110
ACCEPT  loc             net             tcp     143
ACCEPT  loc:192.168.0.38 net            tcp     443
ACCEPT  loc:192.168.0.24 net            tcp     5001

i''m using the latest shorewall version 3.4

I understood that the routeback option allows aliased network interfaces
to communicate but i can''t use it on my aliases ! Why ?

Thanks in advance for your patience.


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

daniel@xma.ro wrote:
> 
> I understood that the routeback option allows aliased network interfaces
> to communicate but i can''t use it on my aliases ! Why ?
We can''t possibly know from what you have shown us. Please see
http://www.shorewall.net/support.htm#Guidelines.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/