[Shorewall-users] Simple question about zones (haven't found in FAQ)

Karsten Bräckelmann k.braeckelmann at davision.com
Wed Mar 2 06:17:11 PST 2005


Please, keep this thread on the mailing list, unless you really want to
talk to me privately.


On Wed, 2005-03-02 at 15:40 +0200, Nick Mashchenko wrote:
> Hello Karsten
> 
> You wrote at 02.03.2005, 15:21:
> 
> > ACCEPT  net1  fw:1.1.1.1  tcp  http
> 
> > This rule will ACCEPT connections from ISP1 (via zone net1) to the IP
> > 1.1.1.1 (yes, your firewall) only.
> 
> > There is no need to create a zone, which basically is only one of the IP
> > addresses of your firewall. See the Rules documentation, especially the
> > part about DEST.
> 
> >   http://shorewall.net/Documentation.htm#Rules
> 
> >> Probably I should sorry for that post...
> 
> > Well, you should have sent it to the list, rather than to me
> > personally. ;-)
> 
> It was a mistake... :-)
> 
> >> I can write this in /etc/shorewall/zones:
> >> 
> >> fw1  eth0  broadcast  <options>
> >> fw2  eth1  broadcast  <options>
> 
> > No, you can't. This is interfaces syntax, not zones.
> 
> Yes, yes, in "interfaces"... Stupid mis-writing... :-)
> And, btw, 100% bullshit (these two lines above) :-).
> 
> > As I mentioned above, I don't think you want zones here anyways. You
> > want single IPs. So just qualify the proper zone with the IP. The rules
> > will then match only for those IPs inside the zone, not all IPs of that
> > zone. (Where "proper zone" in this case means fw, cause it *is* your
> > firewall, no?)
> 
> Ok. So, zone "fw" includes all ifaces at the firewall box, right?
> If yes, then:
> 
> /etc/shorewall/zones:
> net1    net1    ISP1
> net2    net2    ISP2
> 
> /etc/shorewall/interfaces:
> fw      eth0    detect
> fw      eth1    detect
> 
> /etc/shorewall/rules:
> ACCEPT  fw:1.1.1.1      tcp     http
> ACCEPT  fw:2.2.2.2      tcp     http
> 
> Right?

No. The above isn't even correct syntax. Please, read the links I
mentioned in my previous post *carefully*.

* interfaces:  Do not redefine the fw zone. It already is defined by
default. eth0 is your net1 zone anyway...

* rules:  So what don't you like about the rule I mentioned before?


Gotta run, back later...

 karsten


-- 
Davision - Atelier fuer Gestaltung / Internet / Multimedia
 UNIX / Linux Netzwerke und Schulungen
 Telefon 06151/273859   Fax 06151/273862
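For readers following the thread, here is the configuration Karsten's two points lead to, written out as an added example (not text from either poster). It assumes the Shorewall 2.x column layout of the time (ZONE/DISPLAY/COMMENTS in zones; ZONE/INTERFACE/BROADCAST/OPTIONS in interfaces; ACTION/SOURCE/DEST/PROTO/DEST PORT(S) in rules), the default firewall zone name "fw" from shorewall.conf, and reuses the placeholder addresses 1.1.1.1 and 2.2.2.2 from the thread. The policy lines are an assumption added so that the ACCEPT rules actually matter: with a default-DROP policy from each ISP zone to the firewall, only port 80 on the one address each ISP reaches is exposed.

```text
# /etc/shorewall/zones
# ZONE    DISPLAY   COMMENTS
net1      Net1      ISP1
net2      Net2      ISP2

# /etc/shorewall/interfaces
# ZONE    INTERFACE   BROADCAST   OPTIONS
# The firewall zone "fw" is never listed here; it is predefined.
# Each external interface belongs to the matching ISP zone.
net1      eth0        detect
net2      eth1        detect

# /etc/shorewall/policy  (assumed defaults, not from the thread)
# SOURCE  DEST    POLICY   LOG LEVEL
fw        all     ACCEPT
net1      all     DROP     info
net2      all     DROP     info
all       all     REJECT   info

# /etc/shorewall/rules
# ACTION  SOURCE  DEST          PROTO   DEST PORT(S)
# Qualifying DEST with "fw:<address>" restricts the match to that one
# firewall address; the SOURCE column must name the zone the traffic
# arrives from (this is the column missing in the quoted attempt).
ACCEPT    net1    fw:1.1.1.1    tcp     http
ACCEPT    net2    fw:2.2.2.2    tcp     http
```

The mistake in the quoted message was treating each firewall address as its own zone and then writing rules with the SOURCE column left out. A zone describes where packets come from or go to (here, which ISP), while an address qualifier on an existing zone narrows a single rule; with the files above, HTTP reaching 1.1.1.1 via eth1 or 2.2.2.2 via eth0 falls through to the DROP policy and is logged.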