[Shorewall-users] Hosts

Tom Eastep teastep@shorewall.net
Wed, 10 Apr 2002 10:05:43 -0700 (Pacific Daylight Time)


On Wed, 10 Apr 2002, Jim Hubbard wrote:

>
> Actually, instead of the ip's listed above I've defined them as parameters
> like this in "params"
> ADM_IPS=192.168.0.10
> LOC_IPS=192.168.0.0/24
> NET_IPS=0.0.0.0/0
>
> So my hosts file is actually:
> #ZONE		HOST(S)		OPTIONS
> adm		eth0:$ADM_IPS	routestopped
> loc		eth0:$LOC_IPS	routestopped
> net		eth0:$NET_IPS
>
> I don't know why I prefer it this way, it's just less clutter I guess.
> Anyway here are zones & interfaces:
>
> "zones"
> #ZONE	DISPLAY		COMMENTS
> adm	Admin		Local Administrator
> loc	Local		Local Network
> net	Net		Internet
>
> "interfaces"
> #ZONE	 INTERFACE	BROADCAST	OPTIONS
> -	eth0		192.168.0.255	routestopped,multi,blacklist
>

Since you have used "-" as the zone for eth0 in the interfaces file, you
have to define 'net' somewhere and that 'somewhere' is in the hosts file.
The documentation that you quoted about the zone contents defaulting to
all hosts interfacing through a set of interfaces doesn't apply in this
case.

>
> > > While I'm at it, how can I deny rfc1918 ip's in my net zone and
> > still accept
> > > them in the others?  The only thing I've come up with is to filter
> > > everything in loc by mac address too.
> > >
> > >
> >
> > Why do you need to? Doesn't your outer firewall already filter these?
>
> My outer hardware firewall (Netgear RO318) cannot block certain addresses on
> the outside from getting in.  A port is either open to everyone (and
> forwarded to the server) or it's closed.  Curiously, I can restrict ip's on
> the inside from accessing outside services.  Go figure.  Filtering loc by
> mac wouldn't be a big deal for me since we only have about 8 local users.  I
> was just wondering if there was a better way.
>

I don't see where MAC filtering will help. What threat are you trying to
protect yourself from?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net