sysop at gamebottle.com
Sun Mar 14 19:14:06 PST 2004
Nevermind. My question was specific to the point of the zone in my
environment as shown in the example. It was technical question not an
attack on your product. Because of the tone I am hearing i won't bother
anymore with your product. Thank you.
----- Original Message -----
From: "Tom Eastep" <teastep at shorewall.net>
To: "List for New Shorewall Users" <shorewall-newbies at lists.shorewall.net>
Sent: Sunday, March 14, 2004 9:48 PM
Subject: Re: [Shorewall-newbies] Sub-Interface's
> Tom Eastep wrote:
> >> My environment
> >> is a single server with 8 virtual addresses. Here is basically what I
> >> have.
> >> eth0 dns
> >> eth0:0 dns
> >> eth0:1 ftp/http/https
> >> eth0:2 ftp/http/https
> >> eth0:3 gameserver
> >> eth0:4 game server
> >> eth0:5 game server
> >> eth0:6 admin tools (ssh, webmin, plesk, etc)
> >> To setup my rules am I only concerned with ip addresses so in the
> >> above for my eth0 and eth0:0 would look like this for DNS.
> >> ACCEPT 0.0.0.0 10.10.10.10 tcp 53
> >> ACCEPT 0.0.0.0 10.10.10.10 udp 53
> >> ACCEPT 0.0.0.0 10.10.10.11 tcp 53
> >> ACCEPT 0.0.0.0 10.10.10.11 udp 53
> > Then don't use Shorewall.
> My point is that I didn't design Shorewall just for the degerate case of
> a single server with a single interface. I designed it to use the same
> paradigm regardless of how many interfaces were involved. If you find it
> too onerous to follow that paradigm in your case then no one is holding
> a gun to your head.
> That having been said, if you are using a version of Shorewall >= 1.4.10
> then you can create an action and put your abbreviated rules in the
> ACCEPT 0.0.0.0 10.10.10.10 tcp 53
> ACCEPT 0.0.0.0 10.10.10.10 udp 53
> ACCEPT 0.0.0.0 10.10.10.11 tcp 53
> ACCEPT 0.0.0.0 10.10.10.11 udp 53
> MyDNS net $FW
> That way you only have to strain yourself by typing 'net' and '$FW' once
> for each of your actions.
> There are other possibilities. You could place all of the rules
> corresponding to each ip address in an action and then in the rules
> file, direct all traffic from net to that IP address through the
> corresonding action.
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep at shorewall.net
> Shorewall-newbies mailing list
> Post: Shorewall-newbies at lists.shorewall.net
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
More information about the Shorewall-newbies