[Shorewall-newbies] Sub-Interface's

Tom Eastep teastep at shorewall.net
Sun Mar 14 18:48:50 PST 2004

Tom Eastep wrote:

>> My environment
>> is a single server with 8 virtual addresses.  Here is basically what I 
>> have.
>> eth0      dns
>> eth0:0   dns
>> eth0:1    ftp/http/https
>> eth0:2    ftp/http/https
>> eth0:3    gameserver
>> eth0:4    game server
>> eth0:5    game server
>> eth0:6    admin tools (ssh, webmin, plesk, etc)
>> To setup my rules am I only concerned with ip addresses so in the example
>> above for my eth0 and eth0:0 would look like this for DNS.
>> ACCEPT tcp        53
>> ACCEPT udp       53
>> ACCEPT tcp        53
>> ACCEPT udp       53
> Then don't use Shorewall.

My point is that I didn't design Shorewall just for the degenerate case of 
a single server with a single interface. I designed it to use the same 
paradigm regardless of how many interfaces were involved. If you find it 
too onerous to follow that paradigm in your case then no one is holding 
a gun to your head.

That having been said, if you are using a version of Shorewall >= 1.4.10 
then you can create an action and put your abbreviated rules in the 




	ACCEPT tcp        53
	ACCEPT udp       53
	ACCEPT tcp        53
	ACCEPT udp       53


	MyDNS	net	$FW

That way you only have to strain yourself by typing 'net' and '$FW' once 
for each of your actions.

There are other possibilities. You could place all of the rules 
corresponding to each ip address in an action and then in the rules 
file, direct all traffic from net to that IP address through the 
corresponding action.
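A fuller sketch of the per-address action approach Tom mentions at the end, as an added example that is not from the original thread: the action names (MyDNS, WebHost), the 203.0.113.x addresses and the per-address split are made up, and the column layout is the TARGET/SOURCE/DEST/PROTO/DEST PORT(S) form that 1.4.10-era action files use.

```text
# /etc/shorewall/actions  (declare each action before the rules file can use it)
MyDNS
WebHost

# /etc/shorewall/action.MyDNS
# Action files take TARGET SOURCE DEST PROTO DEST PORT(S); "-" leaves SOURCE and
# DEST unrestricted, so the rules file decides where the action is applied.
#TARGET  SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT   -       -     udp    53
ACCEPT   -       -     tcp    53

# /etc/shorewall/action.WebHost
# Everything a web/ftp address should accept, written once and reused per address.
#TARGET  SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT   -       -     tcp    21
ACCEPT   -       -     tcp    80
ACCEPT   -       -     tcp    443

# /etc/shorewall/rules  (constructed addresses; one line per alias that hosts a service)
# Only the address that actually carries a service is opened; the other aliases on
# eth0 stay closed because no rule names them.
#ACTION   SOURCE  DEST               PROTO  DEST PORT(S)
MyDNS     net     $FW:203.0.113.10
MyDNS     net     $FW:203.0.113.11
WebHost   net     $FW:203.0.113.12
WebHost   net     $FW:203.0.113.13
```

The `$FW:<address>` qualifier in the DEST column is assumed here to be accepted by the rules file of that release; run `shorewall check` before `shorewall restart` to confirm the files parse on your version.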

