[Shorewall-newbies] Sub-Interface's

Tom Eastep teastep at shorewall.net
Sun Mar 14 09:27:40 PST 2004



sysop wrote:

> From what I have read Shorewall does not recognize virtual interfaces.

iptables doesn't recognize "virtual interfaces" so neither does Shorewall.

> Is my only option to include IP-specific rules?

Yes.

> The one thing that attracted me to Shorewall was the fact that I can group my
> interfaces and apply rules.  If there is something I'm missing, please
> let me know.

The treatment of virtual interfaces and Shorewall is covered in 
http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html.

> Also, I installed 2.0 for the first time the other day.  I added some
> rules for one of my interfaces by IP address.  I started Shorewall and
> completely locked myself out of the server.  Unfortunately, I had to get
> someone to reboot the server and interrupt the boot to prevent Shorewall
> from starting.
> I need an explicit allow line to allow me to connect in the event my ACL
> is screwed.
> I will figure it out while I begin developing my ruleset but would like
> to make certain that I can connect back.

To try new rules remotely, you should place the updated files in a 
separate directory and use the 'try' command with a timeout. That way, 
your old rules will be reinstalled after the timeout expires. If the new 
rules lock you out, it will only be temporary.

Before you try to administer a Shorewall firewall remotely, you should 
of course be sure that your remote IP address is listed in 
/etc/shorewall/routestopped.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
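The staged-directory and 'try' procedure Tom describes, as an added example that is not part of the thread or of Shorewall itself. The admin interface and address (an RFC 5737 documentation IP), the directory names and the 60-second timeout are assumed values; only the final `shorewall try` step needs a real Shorewall 2.x host, the rest can be exercised anywhere.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall: stage a candidate
# config in its own directory, keep the admin host in routestopped, then
# apply it with 'shorewall try <dir> <timeout>' so a bad ruleset reverts.
# ADMIN_IF, ADMIN_IP (RFC 5737 documentation address) and the paths are
# assumed values; only apply_with_timeout needs a real Shorewall 2.x host.
set -eu

ADMIN_IF="${ADMIN_IF:-eth0}"            # interface the admin session arrives on
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"    # admin workstation address
LIVE_DIR="${LIVE_DIR:-/etc/shorewall}"  # production configuration
STAGE_DIR="${STAGE_DIR:-/etc/shorewall-test}"
TIMEOUT="${TIMEOUT:-60}"                # seconds until the old rules come back

# Copy the live configuration into the staging directory (safe to rerun).
stage_config() {
    live="$1"; stage="$2"
    mkdir -p "$stage"
    cp -R "$live"/. "$stage"/
}

# Shorewall 2.x routestopped is "INTERFACE HOST(S)"; matching lines are the
# hosts still allowed while the firewall is stopped or restarting.
routestopped_covers() {
    file="$1"; iface="$2"; host="$3"
    grep -Eq "^[[:space:]]*${iface}[[:space:]]+${host}([[:space:]]|$)" "$file" \
        && echo 1 || echo 0
}

# Append the admin host to routestopped unless it is already listed.
ensure_routestopped() {
    file="$1"; iface="$2"; host="$3"
    touch "$file"
    if [ "$(routestopped_covers "$file" "$iface" "$host")" = 0 ]; then
        printf '%s\t%s\n' "$iface" "$host" >> "$file"
    fi
}

# Load the staged rules; Shorewall reinstalls LIVE_DIR after TIMEOUT seconds.
apply_with_timeout() {
    shorewall try "$1" "$2"
}

# Run as: sh stage_and_try.sh run   (on the firewall, as root)
if [ "${1:-}" = "run" ]; then
    stage_config "$LIVE_DIR" "$STAGE_DIR"
    ensure_routestopped "$STAGE_DIR/routestopped" "$ADMIN_IF" "$ADMIN_IP"
    apply_with_timeout "$STAGE_DIR" "$TIMEOUT"
fi
```

If the staged rules lock you out, the session only has to outlast the timeout; if they work, copy the staging directory back over the live one (or restart with it) before the timeout expires.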