Hi,

I'm in a process of setting up a firewall system, which is going to be also an ipsec/l2tp and pptp vpn server for some mobile clients. The problem is, that the system has two ISPs: a cable one (no problems here) and a DSL provider. Because of the DSL provider the system is going to have one pppN interface for DSL (net zone) and many pppX interfaces for l2tp/pptp (loc zone). I've already configured the dsl provider to give ppp interface numbers over 1000 (unit 1000 in /etc/ppp/peers/provider-name).

My question is how to define the shorewall zones to have ppp1000, ppp1001, etc in the net zone and ppp0, ppp1, ..., ppp999 in the loc zone (without enumerating them all). Unfortunately the nesting solution I've found in the docs doesn't suit this setup.

Compiler: shorewall-perl-4.1.0

Thanks in advance

Geza

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

Geza Gemes wrote:
> I've already configured the dsl provider to give ppp
> interface numbers over 1000 (unit 1000 in /etc/ppp/peers/provider-name).
> My question is how to define the shorewall zones to have ppp1000, ppp1001,
> etc in the net zone and ppp0, ppp1, ..., ppp999 in the loc zone (without
> enumerating them all).
> Unfortunately the nesting solution I've found in the docs doesn't suit
> this setup.

Can't you use the pppd 'ifname' directive to give the DSL interface a unique name? (sorry -- can't test this as I don't have access to a PPPoE uplink).

> Compiler: shorewall-perl-4.1.0

If you are really using 4.1.0, I suggest that you move to a supported version. 4.1.0 was the first 4.1 alpha release and has many known bugs (releases whose minor release number is odd are development releases).

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key

Hi

2008/5/13 Geza Gemes <geza@kzsdabas.sulinet.hu>:
> The problem is, that the system has two ISPs a cable one (no problems
> here) and a DSL provider. Because of the DSL provider the system is going
> to have one pppN interface for DSL (net zone) and many pppX interfaces for
> l2tp/pptp (loc zone) I've already configured the dsl provider to give ppp
> interface numbers over 1000 (unit 1000 in /etc/ppp/peers/provider-name).
> My question is how to define the shorewall zones to have ppp1000, ppp1001,
> etc in the net zone and ppp0, ppp1, ..., ppp999 in the loc zone (without
> enumerating them all).
>

1. /etc/shorewall/shorewall.conf: DYNAMIC_ZONES=Yes
2. /etc/shorewall/interfaces: - ppp+
3. /etc/ppp/peers/provider-name: ipparam (loc|net) - pass zone name to ip-(up|down) scripts via PPP_IPPARAM envvar
4. /etc/ppp/ip-up.d/shorewall: something like 'shorewall add ppp+:$PPP_REMOTE $PPP_IPPARAM'
5. /etc/ppp/ip-down.d/shorewall: something like 'shorewall delete ppp+:$PPP_REMOTE $PPP_IPPARAM'

There is no clear meaning for 'ipparam' option; use with care, don't cross with other ip-(up|down) scripts.

Dmitry.
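The five steps above, as an added example that is not Dmitry's or Shorewall's own code: a hypothetical /etc/ppp/ip-up.d/shorewall for step 4 that accepts only the two zone names configured in step 3 and a dotted-quad peer address before it runs `shorewall add`, since `ipparam` is free text seen by every other ip-up/ip-down script. It assumes Debian-style ip-up.d scripts, which receive PPP_IFACE, PPP_REMOTE and PPP_IPPARAM from pppd's ip-up wrapper, and the `ppp+` entry in /etc/shorewall/interfaces from step 2.

```shell
#!/bin/sh
# Hypothetical /etc/ppp/ip-up.d/shorewall (added example, not from the thread).
# Assumes pppd's ip-up wrapper exports PPP_IFACE, PPP_REMOTE and PPP_IPPARAM,
# DYNAMIC_ZONES=Yes in shorewall.conf and "ppp+" in /etc/shorewall/interfaces.

SHOREWALL=${SHOREWALL:-/sbin/shorewall}

# ipparam is shared with every other ip-up/ip-down script, so only the two
# zone names deliberately set in /etc/ppp/peers are accepted; anything else
# is refused instead of being handed to shorewall.
validate_zone() {
    case "$1" in
        loc|net) return 0 ;;
        *)       return 1 ;;
    esac
}

# Accept only a dotted-quad IPv4 address: digits and dots, four fields,
# no empty field, each field 0..255.
validate_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=. ; set -- $1 ; unset IFS
    [ $# -eq 4 ] || return 1
    for octet; do [ "$octet" -le 255 ] || return 1; done
}

# Print the step-4 command for ZONE and REMOTE, or fail and print nothing.
# Usage: build_add_cmd ZONE REMOTE
build_add_cmd() {
    validate_zone "$1" && validate_ipv4 "$2" || return 1
    printf '%s add ppp+:%s %s\n' "$SHOREWALL" "$2" "$1"
}

# Entry point used when pppd runs this script; refused inputs are logged
# with the interface name so a bad ipparam is visible in syslog.
run_from_pppd() {
    cmd=$(build_add_cmd "$PPP_IPPARAM" "$PPP_REMOTE") || {
        logger -t ip-up.shorewall "$PPP_IFACE: refusing ipparam='$PPP_IPPARAM' remote='$PPP_REMOTE'"
        exit 1
    }
    logger -t ip-up.shorewall "$PPP_IFACE: $cmd"
    $cmd
}

# Only act when pppd supplied the variables, so the functions above can be
# sourced and checked on their own.
if [ -n "$PPP_IPPARAM" ] && [ -n "$PPP_REMOTE" ]; then
    run_from_pppd
fi
```

The matching ip-down.d script for step 5 differs only in running `delete` instead of `add`.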