[Shorewall-newbies] Trying to get shorewall to work inbound.
Perhaps arp/routing issues.
zot at zotconsulting.com
Fri Feb 13 16:14:16 PST 2004
On Wed, 2004-02-11 at 18:10, Zot O'Connor wrote:
> On Wed, 2004-02-11 at 17:21, Tom Eastep wrote:
> > On Wed, 11 Feb 2004, Zot O'Connor wrote:
> > > On Wed, 2004-02-11 at 16:55, Tom Eastep wrote:
> > >
> > WHY?????
> > Once the addresses and the routes are there, all that's left is the rules
> > and policies!!!!
> Well it seemed like a good idea at the time.
Actually it turns out I need this, partially.
In my diagram of my original note I had:

    So the current router looks like this:

    REAL_OUT_IP                  MASQ/NAT to REAL_OUT_IP
    LAN Machines (REAL_IPs)      LAN Machines (FAKE_IP)
In order for FAKE_IP machines to go to REAL_IP machines they bounce off
the router (FAKE_INSIDE_IP is the FAKE_IP Gateway). So I had to be able
to define the loc as the hardcoded real_IPs, and the natted subnet.

So now my files look like:

    net    eth0    REAL_IP_BASE.255                    routefilter
    -      eth1    REAL_IP_BASE.255,FAKE_IP_BASE.255
I have in policy:

    loc    loc    ACCEPT

But isn't loc to loc the default now? I do not remember if it worked
without it in place.
If there is a simpler way of doing this please let me know! This way is
not too "unsimple" for me.
I guess I would also rather have a syntax like

    loc    eth1:192.168.0.1, 192.168.0.2, 192.168.0.3

to make life a little easier.

In general I would really prefer a loc that is all the REAL_IPs and a fake
that is just the fake ones.
Can I do that by changing the last "loc" to "fake" and adding it to
Then I would have

    loc    fake    ACCEPT
    fake   loc     ACCEPT

or not as needed.
Since fake and loc are on the same physical LAN, firewalling on the
router is silly, but I like to use it to test things from time to time.
Zot O'Connor <zot at zotconsulting.com>
White Knight Hackers, Inc.
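One way to lay out the loc/fake split the post asks for, as an added example that is not from the post or from the Shorewall project. It assumes the Shorewall 1.4-era column layouts of the zones, interfaces, hosts, masq and policy files, keeps the post's REAL_IP_BASE placeholder for the eth0/eth1 broadcast addresses, and uses constructed sample subnets (192.0.2.0/24 for the real LAN addresses, 192.168.0.0/24 for the NATted ones); the masq entry and the closing net/all policies are assumptions beyond what the post shows.

```text
# /etc/shorewall/zones       (ZONE   DISPLAY   COMMENTS)
net     Net     Internet
loc     Local   LAN hosts with real (routable) addresses
fake    Fake    LAN hosts with NATted private addresses

# /etc/shorewall/interfaces  (ZONE   INTERFACE   BROADCAST   OPTIONS)
# "-" in the ZONE column means eth1's zones come from the hosts file,
# so both broadcast addresses are listed on that line (as in the post).
net     eth0    REAL_IP_BASE.255                    routefilter
-       eth1    REAL_IP_BASE.255,FAKE_IP_BASE.255

# /etc/shorewall/hosts       (ZONE   HOST(S)   OPTIONS)
# One entry per zone; a whole subnet or a single host may be listed
# (sample subnets are constructed, not the poster's real addresses).
loc     eth1:192.0.2.0/24
fake    eth1:192.168.0.0/24

# /etc/shorewall/masq        (INTERFACE   SUBNET   ADDRESS)
# The private subnet leaves through eth0 masqueraded (assumed entry).
eth0    192.168.0.0/24

# /etc/shorewall/policy      (SOURCE   DEST   POLICY   LOG LEVEL)
# fake <-> loc traffic crosses the router (the fake hosts' gateway),
# so each direction needs its own policy; the final all/all REJECT is
# what stops anything not listed above it, and the log level makes
# unexpected drops visible in syslog while testing.
loc     fake    ACCEPT
fake    loc     ACCEPT
loc     net     ACCEPT
fake    net     ACCEPT
net     all     DROP      info
all     all     REJECT    info
```

Removing either of the loc/fake lines (or the matching loc/loc line in the single-zone layout) is the quickest way to confirm which direction of LAN-to-LAN traffic actually passes through the router.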