Wed, 10 Apr 2002 09:14:44 -0700 (Pacific Daylight Time)
On Wed, 10 Apr 2002, Jim Hubbard wrote:
> I have a server behind a separate hardware firewall. The server handles
> some requests from the local network (smb, web, and mail) and from the
> internet (web & mail). I have three zones defined for the server's single
> interface; adm, loc, and net. In the hosts file, I defined the first 2 like
> adm eth0:192.168.0.10 routestopped
> loc eth0:192.168.0.0/24 routestopped
> The adm zone is also filtered by mac in the rules since it gets access to
> management tools (swat & webmin). But incoming requests from my net zone,
> which since undefined should default to (0.0.0.0/0) got dropped by my
> all2all policy until I specified it in the hosts file like this:
> net eth0:0.0.0.0/0
> Yes, I know my config is somewhat less than ideal, but I've got to make do
> with the hardware I have for now. My point is that the zone defaults
> mentioned in the docs DO need to be specified in the hosts file (at least in
> this case).
> From the docs:
> "If you don't define any hosts for a zone, the hosts in the zone default to
> i0:0.0.0.0/0 , i1:0.0.0.0/0, ... where i0, i1, ... are the interfaces to the
> Note 1: You probably DON'T want to specify any hosts for your internet zone
> since the hosts that you specify will be the only ones that you will be able
> to access without adding additional rules."
> Or have I overlooked something?
What do your 'zones' and 'interfaces' files look like?
> While I'm at it, how can I deny rfc1918 ip's in my net zone and still accept
> them in the others? The only thing I've come up with is to filter
> everything in loc by mac address too.
Why do you need to? Doesn't your outer firewall already filter these?
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ email@example.com
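To make the zone-overlap and RFC 1918 questions in this thread concrete, here is an added example that models the classification the poster describes: three zones on one interface (adm as a single MAC-filtered host, loc as the /24, net as everything else), with private-address sources refused when they would land in the net zone. This is a simplified model written for this page, not Shorewall's own code and not a statement of how Shorewall resolves overlapping zones; the MAC address, the per-zone service lists and the sample addresses are constructed assumptions.

```python
import ipaddress

# RFC 1918 private ranges: a source in one of these arriving from the
# internet side is spoofed or misrouted and should not be trusted.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# zone -> (subnet, optional MAC allow-list). Constructed values; the
# adm MAC is a placeholder, not a real host.
ZONES = {
    "adm": (ipaddress.ip_network("192.168.0.10/32"), {"00:11:22:33:44:55"}),
    "loc": (ipaddress.ip_network("192.168.0.0/24"), None),
    "net": (ipaddress.ip_network("0.0.0.0/0"), None),
}

# Services each zone may reach on the server (assumed policy, mirrors the
# thread: management tools only from adm, smb only from the LAN side).
ALLOWED = {
    "adm": {"smb", "web", "mail", "swat", "webmin"},
    "loc": {"smb", "web", "mail"},
    "net": {"web", "mail"},
}


def classify(src_ip, src_mac=None):
    """Return the zone for a packet's source, most-specific subnet first.

    Returns None (drop) when the matched zone has a MAC allow-list that the
    sender is not on, or when a packet that would fall into 'net' carries an
    RFC 1918 source address (anti-spoofing)."""
    src = ipaddress.ip_address(src_ip)
    # Longest prefix wins: adm (/32) before loc (/24) before net (/0).
    ordered = sorted(ZONES.items(), key=lambda z: z[1][0].prefixlen, reverse=True)
    for zone, (net, macs) in ordered:
        if src not in net:
            continue
        if macs is not None and src_mac not in macs:
            return None  # right address, wrong hardware: treat as spoofed
        if zone == "net" and any(src in r for r in RFC1918):
            return None  # private source on the internet-facing match
        return zone
    return None


def allowed(src_ip, service, src_mac=None):
    """Default-deny policy check: a packet is accepted only if it classifies
    into a zone and that zone is permitted the requested service."""
    zone = classify(src_ip, src_mac)
    return zone is not None and service in ALLOWED[zone]


if __name__ == "__main__":
    samples = [("192.168.0.10", "webmin", "00:11:22:33:44:55"),
               ("192.168.0.10", "webmin", "de:ad:be:ef:00:01"),
               ("192.168.0.42", "smb", None),
               ("192.168.0.42", "webmin", None),
               ("203.0.113.7", "web", None),
               ("10.1.2.3", "web", None)]
    for ip, svc, mac in samples:
        print(f"{ip:14} {svc:7} -> zone={classify(ip, mac)} allow={allowed(ip, svc, mac)}")
```

The point of the model is the order of the checks: zone membership is decided by the most specific subnet, and the RFC 1918 refusal is applied only to sources that would otherwise be treated as internet hosts, so LAN hosts in the /24 keep their private addresses while a 10.0.0.0/8 source arriving on the same interface is dropped. Whether the outer firewall already does this, as the reply asks, is the question to settle before adding the rule on the host.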