I'm trying to divide my local network into sections. I have defined the following "sub-subnets":

kids eth0:192.168.2.192/26
voks eth0:192.168.2.128/26
stat eth0:192.168.2.127/25

With some DHCP rules, I assign different addresses to the kids' computers than to the other computers.

What I wanted is that the kids don't have access to SSH on the firewall, only computers in the voks zone.

I have tried to make the following rule:

SSH/ACCEPT voks $FW

But that just shuts down access to SSH on the server. The normal rule:

SSH/ACCEPT loc $FW

works ok, and I can connect to the firewall using ssh (but also from the kids "network").

I know that it is rather easy to circumvent my lockups, but I don't expect the kids to know how to change the IP address of their computer yet (they are 10 and 8 years, which should give me a couple of years before they figure something out :))

Also it is just for my own "fun" and learning that I want to set it up.

Regards
Thomas

------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H
Thomas Mørch wrote:
> I'm trying to divide my local network into sections. I have defined the
> following "sub-subnets":
> kids eth0:192.168.2.192/26
> voks eth0:192.168.2.128/26
> stat eth0:192.168.2.127/25
> With some DHCP rules, I assign different addresses to the kids'
> computers than to the other computers.
>
> What I wanted is that the kids don't have access to SSH on the
> firewall, only computers in the voks zone.
>
> I have tried to make the following rule:
> SSH/ACCEPT voks $FW
>
> But that just shuts down access to SSH on the server. The normal rule:
> SSH/ACCEPT loc $FW
> works ok, and I can connect to the firewall using ssh (but also from the
> kids "network").
>
> I know that it is rather easy to circumvent my lockups, but I don't
> expect the kids to know how to change the IP address of their computer
> yet (they are 10 and 8 years, which should give me a couple of years
> before they figure something out :))
>
> Also it is just for my own "fun" and learning that I want to set it up.

We can tell you nothing without seeing the output of "shorewall dump". See http://www.shorewall.net/support.htm#Guidelines

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
On Mon, Mar 09, 2009 at 11:15:29PM +0100, Thomas Mørch wrote:
> I'm trying to divide my local network into sections. I have defined the
> following "sub-subnets":
> kids eth0:192.168.2.192/26
> voks eth0:192.168.2.128/26
> stat eth0:192.168.2.127/25

Have you read the shorewall-nesting(5) man page?

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Tom Eastep wrote:
> Thomas Mørch wrote:
>> I'm trying to divide my local network into sections. I have defined the
>> following "sub-subnets":
>> kids eth0:192.168.2.192/26
>> voks eth0:192.168.2.128/26
>> stat eth0:192.168.2.127/25
>> With some DHCP rules, I assign different addresses to the kids'
>> computers than to the other computers.
>>
>> What I wanted is that the kids don't have access to SSH on the
>> firewall, only computers in the voks zone.
>>
>> I have tried to make the following rule:
>> SSH/ACCEPT voks $FW
>>
>> But that just shuts down access to SSH on the server. The normal rule:
>> SSH/ACCEPT loc $FW
>> works ok, and I can connect to the firewall using ssh (but also from the
>> kids "network").
>>
>> I know that it is rather easy to circumvent my lockups, but I don't
>> expect the kids to know how to change the IP address of their computer
>> yet (they are 10 and 8 years, which should give me a couple of years
>> before they figure something out :))
>>
>> Also it is just for my own "fun" and learning that I want to set it up.
>
> We can tell you nothing without seeing the output of "shorewall dump".
> See http://www.shorewall.net/support.htm#Guidelines
>

Follow Roberto's suggestion re shorewall-nesting before following mine; you might save yourself some time :-)

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
2009/3/9 Tom Eastep <teastep@shorewall.net>
> Tom Eastep wrote:
> Follow Roberto's suggestion re shorewall-nesting before following mine;
> you might save yourself some time :-)
>

I followed Roberto's suggestions, and looked at the nested networks, and got it to work! (thanks guys :))

/ Thomas

------------------------------------------------------------------------------
Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM) are
powering Web 2.0 with engaging, cross-platform capabilities. Quickly and
easily build your RIAs with Flex Builder, the Eclipse(TM)based development
software that enables intelligent coding and step-through debugging.
Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com
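An added configuration example (mine, not from the thread or the Shorewall project) of the nested-zone layout Roberto pointed at and Thomas confirmed: kids, voks and stat become explicit sub-zones of loc so that a single SSH rule for voks does not cut everyone else off. It assumes the Shorewall 4.x file formats, FW=fw, explicit CONTINUE policies for the sub-zones, and covers only the loc side of the firewall; the script writes the fragments to a scratch directory rather than /etc/shorewall.

```shell
#!/bin/sh
# Added example, not from the thread: writes a minimal Shorewall 4.x
# configuration with "kids", "voks" and "stat" as explicit sub-zones of
# "loc", per shorewall-nesting(5), so only voks may SSH to the firewall.
# Writes to a scratch directory; merge into /etc/shorewall by hand and
# run "shorewall check" before "shorewall restart".
write_shorewall_config() {
    dir="$1"
    mkdir -p "$dir"
    # Sub-zones are declared child:parent; the parent is declared first.
    cat >"$dir/zones" <<'EOF'
#ZONE      TYPE       OPTIONS
fw         firewall
loc        ipv4
kids:loc   ipv4
voks:loc   ipv4
stat:loc   ipv4
EOF
    cat >"$dir/interfaces" <<'EOF'
#ZONE      INTERFACE  BROADCAST  OPTIONS
loc        eth0       detect
EOF
    # Sub-zones are address ranges on loc's interface. Thomas wrote the
    # stat range as 192.168.2.127/25; masked to /25 that is 192.168.2.0/25.
    cat >"$dir/hosts" <<'EOF'
#ZONE      HOST(S)                   OPTIONS
kids       eth0:192.168.2.192/26
voks       eth0:192.168.2.128/26
stat       eth0:192.168.2.0/25
EOF
    # CONTINUE lets traffic that matches no sub-zone rule fall through to
    # the loc rules and policy instead of stopping at the sub-zone policy.
    cat >"$dir/policy" <<'EOF'
#SOURCE    DEST       POLICY     LOG LEVEL
kids       all        CONTINUE
voks       all        CONTINUE
stat       all        CONTINUE
loc        $FW        REJECT     info
$FW        all        ACCEPT
all        all        REJECT     info
EOF
    # Only voks reaches sshd; kids and stat fall through to loc -> $FW REJECT.
    cat >"$dir/rules" <<'EOF'
#ACTION      SOURCE   DEST    PROTO   DEST PORT(S)
SSH/ACCEPT   voks     $FW
EOF
}
# Stand-alone use: sh this-script.sh /tmp/shorewall-nesting
if [ "$#" -gt 0 ]; then write_shorewall_config "$1"; fi
```

Rejected SSH attempts from the kids range then show up in the kernel log with the loc-to-fw REJECT logging, which is a simple way to confirm the policy is doing what was intended.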