[Shorewall-users] Simple question about zones (haven't found in FAQ)

Tom Eastep teastep at shorewall.net
Wed Mar 2 07:39:07 PST 2005

Nick Mashchenko wrote:

> I can write this in /etc/shorewall/zones:
> fw1  eth0  broadcast  <options>
> fw2  eth1  broadcast  <options>

Surely not in /etc/shorewall/zones -- that looks like an entry in
/etc/shorewall/interfaces but in that case:

fw1 = all hosts whose traffic enters your firewall through eth0.
fw2 = all hosts whose traffic enters your firewall through eth0.

This would be the way in which you would define your 'net1' and 'net2'

> Then I'll get what I want: two zones assigned to appropriate ifaces.
> However, in this case, what does mean "fw"?
> Which iface "belongs" to this zone?

$FW IS NOT ASSOCIATED WITH AN INTERFACE!!!! It stands for "All programs
(including the operating system) running in the Firewall system".

When you define loc->fw rules, you don't have this confusion do you?
Then why do you have it when you are dealing with your two ISP zones? To
Shorewall, there is no difference at all between zones EXCEPT FOR $FW (fw).

Tom Eastep    \ Off-list replies are cheerfully ignored
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

More information about the Shorewall-users mailing list