[Shorewall-users] Hosts

Jim Hubbard jimh@dyersinc.com
Wed, 10 Apr 2002 12:05:38 -0400


I have a server behind a separate hardware firewall.  The server handles
some requests from the local network (smb, web, and mail) and from the
internet (web & mail).  I have three zones defined for the server's single
interface: adm, loc, and net.  In the hosts file, I defined the first 2 like
this:

adm		eth0:192.168.0.10		routestopped
loc		eth0:192.168.0.0/24	routestopped

The adm zone is also filtered by mac in the rules since it gets access to
management tools (swat & webmin).  But incoming requests from my net zone,
which since undefined should default to (0.0.0.0/0) got dropped by my
all2all policy until I specified it in the hosts file like this:

net		eth0:0.0.0.0/0

Yes, I know my config is somewhat less than ideal, but I've got to make do
with the hardware I have for now.  My point is that the zone defaults
mentioned in the docs DO need to be specified in the hosts file (at least in
this case).

From the docs:
"If you don't define any hosts for a zone, the hosts in the zone default to
i0:0.0.0.0/0 , i1:0.0.0.0/0, ... where i0, i1, ... are the interfaces to the
zone.

Note 1: You probably DON'T want to specify any hosts for your internet zone
since the hosts that you specify will be the only ones that you will be able
to access without adding additional rules."

Or have I overlooked something?

While I'm at it, how can I deny RFC 1918 IPs in my net zone and still accept
them in the others?  The only thing I've come up with is to filter
everything in loc by MAC address too.


Sincerely,
Jim Hubbard
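The following is an added illustration, not part of the original post and not Shorewall's own code: a small classifier that parses a Shorewall-style hosts file built from the three entries in the post, decides which zone a packet's source address belongs to, and then applies the per-zone RFC 1918 check the poster asks about. The matching rule it uses (the most specific entry wins, so adm beats loc beats net) and the drop-on-no-zone behaviour are assumptions made for the illustration, not a statement about how Shorewall orders overlapping zones; the sample hosts file and addresses are constructed.

```python
"""
Added example: classify a source address into a Shorewall-style zone and
apply an RFC 1918 check only to the zones where private addresses are
not expected. Not Shorewall code; the matching order is an assumption.
"""
import ipaddress

# Constructed hosts file: the two entries from the post plus the net line
# the poster had to add. Column 3 (options) is parsed but otherwise unused.
HOSTS_FILE = """\
# ZONE   HOST(S)                  OPTIONS
adm      eth0:192.168.0.10        routestopped
loc      eth0:192.168.0.0/24      routestopped
net      eth0:0.0.0.0/0
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hosts(text):
    """Return a list of (zone, interface, network, options) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments/blank lines
        if not line:
            continue
        fields = line.split()
        zone, ifhost = fields[0], fields[1]
        options = fields[2].split(",") if len(fields) > 2 else []
        iface, host = ifhost.split(":", 1)       # "eth0:192.168.0.0/24"
        entries.append((zone, iface,
                        ipaddress.ip_network(host, strict=False), options))
    return entries


def zone_for(entries, iface, src):
    """Assumption for this illustration: the most specific matching
    entry on the interface wins; None means no zone claims the address."""
    src = ipaddress.ip_address(src)
    best = None
    for zone, ent_iface, net, _ in entries:
        if ent_iface != iface or src not in net:
            continue
        if best is None or net.prefixlen > best[1].prefixlen:
            best = (zone, net)
    return best[0] if best else None


def verdict(entries, iface, src, private_ok=("adm", "loc")):
    """Return (action, zone, reason). 'DROP' with zone None mirrors the
    all2all catch-all the poster hit when net had no hosts entry;
    'TO-ZONE-RULES' means the packet is handed to that zone's rules."""
    zone = zone_for(entries, iface, src)
    if zone is None:
        return ("DROP", None, "no zone matches")
    addr = ipaddress.ip_address(src)
    if any(addr in n for n in RFC1918) and zone not in private_ok:
        return ("DROP", zone, "rfc1918 source arriving in zone " + zone)
    return ("TO-ZONE-RULES", zone, "zone rules apply")


if __name__ == "__main__":
    entries = parse_hosts(HOSTS_FILE)
    for ip in ("192.168.0.10", "192.168.0.50", "10.1.2.3", "203.0.113.9"):
        print(ip, verdict(entries, "eth0", ip))
```

Because loc is defined as 192.168.0.0/24 rather than all of RFC 1918, a private address outside that /24 (say 10.1.2.3) falls through to the net entry and is dropped by the RFC 1918 check, while 192.168.0.x is still accepted into loc or adm; that is the address-based answer to the poster's last question. The caveat is the one the poster already works around with MAC filtering: an outside packet that spoofs a 192.168.0.x source still lands in loc, so anti-spoofing on the upstream hardware firewall (or the MAC rules) remains necessary.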