Hi,

I am looking to implement vlan tagged interfaces on a debian 7 box. Should they be treated as regular interfaces (eg: /etc/shorewall/interfaces zones eth1.100 ...)?

Can the maclist option in /etc/shorewall/interfaces/hosts be used on virtual interfaces, mainly vlan interfaces and tun interfaces? I read the shorewall alias page along with the shorewall maclist/mac verification page, but I still have some doubts about whether the maclist option can be implemented on vlan/tun interfaces or not.

Regarding some feedback for shorewall 4.5.22/4.5.21.2: in /etc/shorewall/interfaces it is mentioned "BROADCAST (Optional) - {-|detect|address[,address]...} Only available if FORMAT 1." and it is also mentioned that format 1 is deprecated in favor of format 2. Is there not a dichotomy between the preferred format (format 2) and some pages/examples on the shorewall site which are still using the deprecated format (format 1)!?

From http://www.shorewall.net/dhcp.htm: "If you don't know the subnet address in advance, you should specify "detect" for the interface's subnet address in the /etc/shorewall/interfaces" = format 1?

So the question would be: is there a way to have an equivalent to the broadcast column using format 2?

matt
On 10/20/2013 2:41 PM, matt darfeuille wrote:
> Hi,
>
> I am looking to implement vlan tagged interfaces on a debian 7 box.
> Should they be treated as regular interfaces (eg:
> /etc/shorewall/interfaces zones eth1.100 ...)?

Yes.

> Can the maclist option in /etc/shorewall/interfaces/hosts be used on
> virtual interface?: mainly vlan interface and tun interface?

It can be used on a vlan interface, but tun interfaces are point-to-point so maclist isn't appropriate for those.

> Regarding some feedback for shorewall 4.5.22/4.5.21.2:
> In /etc/shorewall/interfaces it is mentioned "BROADCAST (Optional) -
> {-|detect|address[,address]...} Only available if FORMAT 1." and it
> is also mentioned that format 1 is deprecated in favor of format 2.
> Is there not a dichotomy between the preferred format(format 2) and
> some pages/examples on the shorewall site which are still using the
> deprecated format(format 1)!?

Yeah, I'm sure that isn't the only anachronism in the docs.

> So the question would be: is there a way to have an equivalent to the
> broadcast column using format 2?

No -- the BROADCAST column contents aren't used at all any more; that's why format 2 was created. When I have some time, I'll make a sweep of the docs and remove most references to BROADCAST.

Thanks,
-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
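A worked configuration for the answers above, added here as an example and not taken from the thread or from the Shorewall project's own files: a FORMAT 2 /etc/shorewall/interfaces with no BROADCAST column, the maclist option on the VLAN interface only (not on the point-to-point tun interface), the matching /etc/shorewall/maclist entries, and the shorewall.conf settings that decide what happens to hosts that fail the check. Zone names, interface names, MAC and IP addresses are constructed; the Debian stanza assumes the vlan package's ifupdown hook.

```text
# /etc/network/interfaces (Debian 7, vlan package) -- bring up the tagged sub-interface
auto eth1.100
iface eth1.100 inet static
    address 192.168.100.1
    netmask 255.255.255.0
    vlan-raw-device eth1

# /etc/shorewall/interfaces -- FORMAT 2 has only ZONE, INTERFACE, OPTIONS;
# the BROADCAST column of FORMAT 1 is gone because its contents are no longer used
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs,routefilter
loc     eth1.100    maclist,dhcp,tcpflags,nosmurfs,routefilter
vpn     tun0        -
# The same VLAN line in the deprecated FORMAT 1 (BROADCAST column ignored), for comparison:
#ZONE   INTERFACE   BROADCAST   OPTIONS
#loc    eth1.100    detect      maclist,dhcp,tcpflags,nosmurfs,routefilter

# /etc/shorewall/maclist -- hosts allowed through the maclist check on eth1.100.
# Only useful when these hosts sit on the VLAN segment itself: behind another
# router Shorewall would see that router's MAC, not the host's (constructed values).
#DISPOSITION    INTERFACE   MAC                 IP ADDRESSES (Optional)
ACCEPT          eth1.100    00:16:3e:aa:bb:01   192.168.100.10
ACCEPT          eth1.100    00:16:3e:aa:bb:02   192.168.100.11

# /etc/shorewall/shorewall.conf -- what happens to traffic from an unlisted MAC/IP pair,
# and log it so unexpected devices on the VLAN show up in the firewall log
MACLIST_DISPOSITION=DROP
MACLIST_LOG_LEVEL=info
MACLIST_TABLE=filter
```

Run `shorewall check` before `shorewall restart` so a column mismatch between the two formats is reported at compile time rather than leaving the VLAN zone misconfigured.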
Hi tom,

the vlan tagged interfaces are now up and running with the mac list option!

As the maclist option does not make any sense for point-to-point connections, from the shorewall point of view is there any other measure/option ... that I could implement to further increase my openvpn server security? (dual layer security is already set up on the openvpn server)

Thank you for the provided answers/explanations!!! :)

matt

On 21 Oct 2013 at 7:11, Tom Eastep wrote:

Date sent: Mon, 21 Oct 2013 07:11:18 -0700
From: Tom Eastep <teastep@shorewall.net>
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] vlan tagged interface
Send reply to: Shorewall Users <shorewall-users@lists.sourceforge.net>

> On 10/20/2013 2:41 PM, matt darfeuille wrote:
> > Hi,
> >
> > I am looking to implement vlan tagged interfaces on a debian 7 box.
> > Should they be treated as regular interfaces (eg:
> > /etc/shorewall/interfaces zones eth1.100 ...)?
>
> Yes.
>
> > Can the maclist option in /etc/shorewall/interfaces/hosts be used on
> > virtual interface?: mainly vlan interface and tun interface?
>
> It can be used on a vlan interface, but tun interfaces are
> point-to-point so maclist isn't appropriate for those.
>
> > Regarding some feedback for shorewall 4.5.22/4.5.21.2:
> > In /etc/shorewall/interfaces it is mentioned "BROADCAST (Optional) -
> > {-|detect|address[,address]...} Only available if FORMAT 1." and it
> > is also mentioned that format 1 is deprecated in favor of format 2.
> > Is there not a dichotomy between the preferred format(format 2) and
> > some pages/examples on the shorewall site which are still using the
> > deprecated format(format 1)!?
>
> Yeah, I'm sure that isn't the only anachronism in the docs.
>
> > So the question would be: is there a way to have an equivalent to
> > the broadcast column using format 2?
>
> No -- the BROADCAST column contents aren't used at all any more;
> that's why format 2 was created. When I have some time, I'll make a
> sweep of the docs and remove most references to BROADCAST.
>
> Thanks,
> -Tom
>
> --
> Tom Eastep            \ When I die, I want to go like my Grandfather who
> Shoreline,             \ died peacefully in his sleep. Not screaming like
> Washington, USA         \ all of the passengers in his car
> http://shorewall.net     \________________________________________________