Hi, I have several internet connections and for convenience I thought it
might be useful to group them by "type". So I tried to figure out the
correct way to do something like:

zones:
fw        firewall
net       ipv4
loc       ipv4
eth:net   ipv4
wl:net    ipv4
ppp:net   ipv4

interfaces:
eth   eth0    detect  optional
eth   eth1    detect  optional
wl    wlan0   detect  optional
wl    wlan1   detect  optional
ppp   ppp0    detect  optional
ppp   ppp1    detect  optional

However, I get a warning about "net" being empty and my rules aren't
behaving the way I expect (everything seems blocked... I have
IMPLICIT_CONTINUE=yes)

While I debug this, can I just check that the above should work as
desired, ie I can set rules from loc/fw to net and those rules will
implicitly apply to all the subzones eth/wl/ppp? Basically in this case
I just want to use "net" as a group name for all my subzones.

(The use case is that I might want to apply policies on classes of
interface, eg block voip traffic over the ppp interface, but allow over
the wl/eth interfaces)

Thanks

Ed W

------------------------------------------------------------------------------
Learn Windows Azure Live! Tuesday, Dec 13, 2011
Microsoft is holding a special Learn Windows Azure training event for
developers. It will provide a great way to learn Windows Azure and what it
provides. You can attend the event by watching it streamed LIVE online.
Learn more at http://p.sf.net/sfu/ms-windowsazure
On 12/12/11 6:56 AM, Ed W wrote:
> Hi, I have several internet connections and for convenience I thought it
> might be useful to group them by "type". So I tried to figure out the
> correct way to do something like:
>
> zones:
> fw        firewall
> net       ipv4
> loc       ipv4
> eth:net   ipv4
> wl:net    ipv4
> ppp:net   ipv4
>
> interfaces:
> eth   eth0    detect  optional
> eth   eth1    detect  optional
> wl    wlan0   detect  optional
> wl    wlan1   detect  optional
> ppp   ppp0    detect  optional
> ppp   ppp1    detect  optional
>
>
> However, I get a warning about "net" being empty and my rules aren't
> behaving the way I expect (everything seems blocked... I have
> IMPLICIT_CONTINUE=yes)
>
> While I debug this, can I just check that the above should work as
> desired, ie I can set rules from loc/fw to net and those rules will
> implicitly apply to all the subzones eth/wl/ppp? Basically in this case
> I just want to use "net" as a group name for all my subzones.
>
> (The use case is that I might want to apply policies on classes of
> interface, eg block voip traffic over the ppp interface, but allow over
> the wl/eth interfaces)

You must define the net zone as:

net   +   -

That must be the last line in the interfaces file. And you need the
current version of Shorewall.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
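The nested-zone layout Tom describes, assembled into the Shorewall files involved, as an added illustration that is not from the original thread or the Shorewall project. The policy and rules entries, including treating "voip" as SIP signalling on UDP 5060, are assumptions chosen to show the per-interface-class use case Ed mentioned.

```conf
# /etc/shorewall/zones   (ZONE  TYPE)
fw        firewall
net       ipv4
loc       ipv4
eth:net   ipv4      # eth, wl and ppp are child zones of net
wl:net    ipv4
ppp:net   ipv4

# /etc/shorewall/interfaces   (ZONE  INTERFACE  BROADCAST  OPTIONS)
eth   eth0    detect  optional
eth   eth1    detect  optional
wl    wlan0   detect  optional
wl    wlan1   detect  optional
ppp   ppp0    detect  optional
ppp   ppp1    detect  optional
net   +       -                 # parent zone spans all interfaces; must be the LAST line

# /etc/shorewall/shorewall.conf   (only the setting relevant here)
IMPLICIT_CONTINUE=Yes           # traffic unmatched in a child zone falls through to the parent

# /etc/shorewall/policy   (SOURCE  DEST  POLICY  LOG)
loc   net   ACCEPT
fw    net   ACCEPT
net   all   DROP     info
all   all   REJECT   info

# /etc/shorewall/rules   (ACTION  SOURCE  DEST  PROTO  DEST_PORT)
# Assumption: "voip" means SIP on UDP 5060. The child-zone rule is evaluated
# before the loc->net policy, so SIP is dropped only on the ppp links and is
# still allowed out over eth/wl by falling through to the parent zone.
DROP:info   loc   ppp   udp   5060
```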
On 12/12/2011 15:26, Tom Eastep wrote:
> On 12/12/11 6:56 AM, Ed W wrote:
>> Hi, I have several internet connections and for convenience I thought it
>> might be useful to group them by "type". So I tried to figure out the
>> correct way to do something like:
>>
>> zones:
>> fw        firewall
>> net       ipv4
>> loc       ipv4
>> eth:net   ipv4
>> wl:net    ipv4
>> ppp:net   ipv4
>>
>> interfaces:
>> eth   eth0    detect  optional
>> eth   eth1    detect  optional
>> wl    wlan0   detect  optional
>> wl    wlan1   detect  optional
>> ppp   ppp0    detect  optional
>> ppp   ppp1    detect  optional
>>
>>
>> However, I get a warning about "net" being empty and my rules aren't
>> behaving the way I expect (everything seems blocked... I have
>> IMPLICIT_CONTINUE=yes)
>>
>> While I debug this, can I just check that the above should work as
>> desired, ie I can set rules from loc/fw to net and those rules will
>> implicitly apply to all the subzones eth/wl/ppp? Basically in this case
>> I just want to use "net" as a group name for all my subzones.
>>
>> (The use case is that I might want to apply policies on classes of
>> interface, eg block voip traffic over the ppp interface, but allow over
>> the wl/eth interfaces)
> You must define the net zone as:
>
> net   +   -
>
> That must be the last line in the interfaces file. And you need the
> current version of Shorewall.
>
> -Tom

Aha! Cool. Does this last line change if my interfaces actually reads:

eth   eth0    detect  optional
eth   eth1    detect  optional
wl    wlan0   detect  optional
wl    wlan1   detect  optional
ppp   ppp0    detect  optional
ppp   ppp1    detect  optional
# dmz eth3    detect  optional
loc   br0     detect  routeback,bridge,tcpflags,nosmurfs

ie what if there are additional interfaces which aren't part of net zone?

Actually, I think you might be confirming that for nested zones *by
interface*, then each line in the interfaces file needs to be duplicated,
once for the child and once for the parent? (And possibly order is
important, child first?)

Am I trying to do something sensible? Perhaps there are other ways to
dice this?

Thanks

Ed W