hi there,

i have a question about the possibility of the following setup ... for better understanding, i've attached an image ... it's not big, but i apologize beforehand for putting that image on this list:

well, there are 2 VLANs on each PC ... every VLAN should access its internal IPs (i.e. 172.16.10.2 should ping 172.16.10.3 without problems, because shorewall isn't interacting yet)

what i want to do is to give vlan1 access to vlan2, but only! with its external IPs (i.e. 172.16.10.2 should ping 192.168.10.10, but also its own VLAN members like 192.168.10.3)

so there is one trick: i had to add the routeback option on the vlan interfaces, because when i ping from 172.16.10.2 inside vlan1 to the external IP 192.168.10.3, shorewall routes me back to the same interface, which isn't allowed by default ...

so, i've tested this setup with shorewall and it works quite nicely ...

interfaces:

    loc      eth0        detect
    v1234    eth0.1234   detect   routeback
    v1235    eth0.1235   detect   routeback

zones:

    fw       firewall
    loc      ipv4
    v1234    ipv4
    v1235    ipv4

nat:

    192.168.10.2     eth0:0   172.16.10.2     yes   yes
    192.168.10.3     eth0:1   172.16.10.3     yes   yes
    192.168.10.10    eth0:2   172.16.10.10    yes   yes
    192.168.10.11    eth0:3   172.16.10.11    yes   yes

policy:

    # from LAN
    loc      v1234    ACCEPT
    loc      v1235    ACCEPT
    loc      $FW      ACCEPT
    loc      all      REJECT

    # from firewall
    $FW      v1234    REJECT
    $FW      v1235    REJECT
    $FW      loc      REJECT
    $FW      all      REJECT

    # from VLANs
    v1234    v1235    DROP
    v1234    loc      ACCEPT
    v1234    $FW      DROP
    v1234    all      DROP

    v1235    v1234    DROP
    v1235    loc      ACCEPT
    v1235    $FW      DROP
    v1235    all      DROP

now, my main problem ... probably i have to set up 10 or up to 100 VLANs ... i don't want to add them all manually to the config, especially since the iptables rules will be blown up ... so there is a method to match all VLANs with one line:

    vlan     eth0.+   detect

but now the VLANs are handled as one zone (interface) ... so there is my problem ... without the routeback option, i can only ping the VLAN internal IPs ... i.e. from 172.16.10.2 to 172.16.10.3 or from 172.16.10.10 to 172.16.10.11, but nowhere else, because there is only one big vlan zone/interface ... so i have to put in the routeback option, which causes access to all IPs ... 172.16.10.2 can ping 172.16.10.10 (in the other VLAN), but i only want to use the external IPs to get access between different VLANs

is there any way to set up such an environment without having 100 zones and interfaces if i have 100 VLANs?

thank you

felix

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Don't miss this year's exciting event. There's still time to save $100.
Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
Felix Bolte wrote:
> hi there,
>
> i have a question about the possibility of the following setup ...
> ...
> so there is my problem ... without the routeback option, i can only ping the VLAN internal IPs ...
> i.e. from 172.16.10.2 to 172.16.10.3 or from 172.16.10.10 to 172.16.10.11, but nowhere else,
> because there is only one big vlan zone/interface ... so i have to put in the routeback option,
> which causes access to all IPs ... 172.16.10.2 can ping 172.16.10.10 (in the other VLAN),
> but i only want to use the external IPs to get access between different VLANs
>
> is there any way to set up such an environment without having 100 zones and interfaces if i have 100 VL

Have you looked at the hosts file?
Have a look at the parallel zones section at:
http://www.shorewall.net/Multiple_Zones.html

You want to control traffic based on IP network, right?

Think the zone layout needs a bit of work. You could try something like this in the hosts file:

    eth0.1234    eth0.1234:172.16.10.0/29
    eth0.1235    eth0.1235:172.16.10.8/29

while changing interfaces to:

    - eth0.1234    172.16.10.7
    - eth0.1235    172.16.10.15

Hoping that is the quick fix for you,

Jerry
Jerry Vonau wrote:
> Felix Bolte wrote:
>> is there any way to set up such an environment without having 100 zones and interfaces if i have 100 VL
>
> Have you looked at the hosts file?
> Have a look at the parallel zones section at:
> http://www.shorewall.net/Multiple_Zones.html
> ...
> Think the zone layout needs a bit of work. You could try something like this in the hosts file:
>
>     eth0.1234    eth0.1234:172.16.10.0/29
>     eth0.1235    eth0.1235:172.16.10.8/29
>
> while changing interfaces to:
>
>     - eth0.1234    172.16.10.7
>     - eth0.1235    172.16.10.15
>
> Hoping that is the quick fix for you,
>
> Jerry

Boy, does coffee open the eyes. The vlan defined in the hosts file would be the same as defining it in the interfaces file, so I don't think that will help you. Don't think you could get around having to define all the zones/interfaces for your vlans if you need to control traffic from vlan to vlan.

Sorry for the misleading statement,

Jerry
Felix Bolte wrote:
> now, my main problem ... probably i have to set up 10 or up to 100 VLANs ... i don't want to add them all manually to the config, especially since the iptables rules will be blown up ... so there is a method to match all VLANs with one line:
>
>     vlan     eth0.+   detect
>
> but now the VLANs are handled as one zone (interface) ... so there is my problem ... without the routeback option, i can only ping the VLAN internal IPs ... i.e. from 172.16.10.2 to 172.16.10.3 or from 172.16.10.10 to 172.16.10.11, but nowhere else, because there is only one big vlan zone/interface ... so i have to put in the routeback option, which causes access to all IPs ... 172.16.10.2 can ping 172.16.10.10 (in the other VLAN), but i only want to use the external IPs to get access between different VLANs
>
> is there any way to set up such an environment without having 100 zones and interfaces if i have 100 VLANs?

I don't know what you are trying to accomplish with this amazing setup but, whatever it is, surely there must be a better way.

Nevertheless, you should be able to do what you want by:

/etc/shorewall/interfaces

    vlan     eth0.+   ...

/etc/shorewall/policy

    vlan     vlan     REJECT

/etc/shorewall/rules:

    ACCEPT   vlan     vlan     -   -   -   192.168.10.0/24

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Felix Bolte wrote:
>> ...
>> is there any way to set up such an environment without having 100
>> zones and interfaces if i have 100 VLANs?
>
> I don't know what you are trying to accomplish with this amazing setup
> but, whatever it is, surely there must be a better way.
>
> Nevertheless, you should be able to do what you want by:
>
> /etc/shorewall/interfaces
>
>     vlan     eth0.+   ...
>

And you _do_ need the 'routeback' option.

-Tom
> Date: Fri, 11 Apr 2008 08:53:28 -0500
> From: jvonau@shaw.ca
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] handling multiple VLANs?
>
> Jerry Vonau wrote:
>> Felix Bolte wrote:
>>> is there any way to set up such an environment without having 100 zones and interfaces if i have 100 VL
>>
>> Have you looked at the hosts file?
>> ...
>> Jerry
>
> Boy, does coffee open the eyes. The vlan defined in the hosts file would
> be the same as defining it in the interfaces file, so I don't think that
> will help you. Don't think you could get around having to define all the
> zones/interfaces for your vlans if you need to control traffic from vlan
> to vlan.
>
> Sorry for the misleading statement,
>
> Jerry

hi jerry,

i've already written an answer to your first post ... but you were too fast ;) ... nvm

yes, you are right ... it's the same issue with the hosts configuration ... i just want to avoid touching my configuration for every new VLAN

but, thank you for answering

felix
>> I don't know what you are trying to accomplish with this amazing setup
>> but, whatever it is, surely there must be a better way.
>>
>> Nevertheless, you should be able to do what you want by:
>>
>> /etc/shorewall/interfaces
>>
>>     vlan     eth0.+   ...
>>
>
> And you _do_ need the 'routeback' option.
>
> -Tom

hi,

ok thank you ... pls confirm for me if i've understood it correctly:

with the routeback option all vlans can access each other, which i will prevent in the policy file, and then i have to permit in the rules file which subnets have access to the external IPs ...

have a nice weekend

felix

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Felix Bolte wrote:
> ok thank you ... pls confirm for me if i've understood it correctly:
>
> with the routeback option all vlans can access each other, which i
> will prevent in the policy file, and then i have to permit in the
> rules file which subnets have access to the external IPs ...

That is basically correct.

The 'routeback' option has really nothing to do with connection permissions. It rather causes Shorewall to create infrastructure to handle the case where traffic entering an interface is sent back out of the same interface. Since this is usually a very silly thing to do, it is not the default behavior. This behavior does, however, make sense for a wild-card interface (one whose name ends in '+').

It is policies and rules that control connection permissions. The default intra-zone policy is ACCEPT, which you will override with the entry in /etc/shorewall/policy. You will then define which vlan->vlan connections you are willing to allow via the entry in /etc/shorewall/rules. The rule says that vlan->vlan traffic is permitted only if the original destination IP address is in the 192.168.10.0/24 network.

-Tom
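To make the interplay of routeback, the intra-zone REJECT policy and the ORIGINAL DEST rule concrete, here is a small added model of the thread's final configuration; it is not Shorewall code and not written by anyone on the list. It assumes the thread's 1:1 NAT table, that hosts .2/.3 sit behind eth0.1234 and .10/.11 behind eth0.1235 (constructed from the description), and it only covers connections the firewall actually routes.

```python
import ipaddress

# 1:1 NAT table from the thread: external IP -> internal IP.
NAT = {
    "192.168.10.2": "172.16.10.2",
    "192.168.10.3": "172.16.10.3",
    "192.168.10.10": "172.16.10.10",
    "192.168.10.11": "172.16.10.11",
}

# Constructed assumption: which sub-interface each internal host is reached through.
ROUTES = {
    "172.16.10.2": "eth0.1234", "172.16.10.3": "eth0.1234",
    "172.16.10.10": "eth0.1235", "172.16.10.11": "eth0.1235",
}

# /etc/shorewall/rules:  ACCEPT vlan vlan - - - 192.168.10.0/24
# (the last column is the ORIGINAL DEST, i.e. the address before DNAT)
RULES = [("ACCEPT", "vlan", "vlan", ipaddress.ip_network("192.168.10.0/24"))]

# /etc/shorewall/policy:  vlan vlan REJECT  (overrides the default intra-zone ACCEPT)
POLICY = {("vlan", "vlan"): "REJECT"}


def zone_of(ifname):
    """'vlan eth0.+ detect routeback' puts every eth0.<id> sub-interface in zone 'vlan'."""
    return "vlan" if ifname and ifname.startswith("eth0.") else None


def decide(src, orig_dst, routeback=True):
    """Verdict for a new connection from internal host src to address orig_dst.

    Mirrors the evaluation order described in the thread: 1:1 NAT rewrites the
    external destination, the rules are consulted first (matching on the
    original destination), and the zone-pair policy applies when no rule hits.
    """
    in_if = ROUTES[src]
    real_dst = NAT.get(orig_dst, orig_dst)      # external -> internal, if it is a NAT address
    out_if = ROUTES.get(real_dst)
    if in_if == out_if and not routeback:
        return "DROP"   # hairpin traffic is only handled when routeback is set
    src_zone, dst_zone = zone_of(in_if), zone_of(out_if)
    dst = ipaddress.ip_address(orig_dst)
    for action, s, d, origdest in RULES:
        if (s, d) == (src_zone, dst_zone) and dst in origdest:
            return action
    return POLICY.get((src_zone, dst_zone), "DROP")
```

With this model, 172.16.10.2 reaches 192.168.10.10 but not 172.16.10.10, and without routeback even the allowed hairpin to 192.168.10.3 is dropped.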
Tom Eastep wrote:
> Felix Bolte wrote:
> ...
>> is there any way to set up such an environment without having 100
>> zones and interfaces if i have 100 VLANs?
>
> I don't know what you are trying to accomplish with this amazing setup
> but, whatever it is, surely there must be a better way.

I would add my agreement with Tom's comment: there must be a better way to achieve what you are attempting. Why do you want to do this?

Paul