Wed, 10 Apr 2002 10:05:43 -0700 (Pacific Daylight Time)
On Wed, 10 Apr 2002, Jim Hubbard wrote:
> Actually, instead of the IPs listed above, I've defined them as parameters
> like this in "params".
> So my hosts file is actually:
> #ZONE   HOST(S)          OPTIONS
> adm     eth0:$ADM_IPS    routestopped
> loc     eth0:$LOC_IPS    routestopped
> net     eth0:$NET_IPS
> I don't know why I prefer it this way, it's just less clutter I guess.
> Anyway here are zones & interfaces:
> #ZONE   DISPLAY   COMMENTS
> adm     Admin     Local Administrator
> loc     Local     Local Network
> net     Net       Internet
>
> #ZONE   INTERFACE   BROADCAST       OPTIONS
> -       eth0        192.168.0.255   routestopped,multi,blacklist
Since you have used "-" as the zone for eth0 in the interfaces file, you
have to define 'net' somewhere and that 'somewhere' is in the hosts file.
The documentation that you quoted about the zone contents defaulting to
all hosts interfacing through a set of interfaces doesn't apply in this
> > > While I'm at it, how can I deny RFC 1918 IPs in my net zone and
> > > still accept
> > > them in the others? The only thing I've come up with is to filter
> > > everything in loc by mac address too.
> > >
> > >
> > Why do you need to? Doesn't your outer firewall already filter these?
> My outer hardware firewall (Netgear RO318) cannot block certain addresses on
> the outside from getting in. A port is either open to everyone (and
> forwarded to the server) or it's closed. Curiously, I can restrict IPs on
> the inside from accessing outside services. Go figure. Filtering loc by
> MAC wouldn't be a big deal for me since we only have about 8 local users. I
> was just wondering if there was a better way.
I don't see where MAC filtering will help. What threat are you trying to
protect yourself from?
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ firstname.lastname@example.org
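The point Tom makes above (an interface listed with "-" as its zone binds no zone by itself, so every zone must then be defined in the hosts file) is easy to check mechanically. The script below is an added example, not Shorewall's own code and not from this thread. It writes the zones, interfaces and hosts fragments Jim quoted into a scratch directory together with an assumed params file (the variable values are constructed; the real ones are not in the thread), expands the $NAME parameters the way the hosts file uses them, and lists any zone from the zones file that neither an interface entry nor a hosts entry binds. A second hosts file with the net line dropped shows what a misconfiguration looks like.

```shell
#!/bin/sh
# Added example: lint the zones/interfaces/hosts relationship from the thread.
# Not Shorewall code. File contents are constructed here; params values are assumed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/params" <<'EOF'
# constructed values; the real addresses are not given in the thread
ADM_IPS=192.168.0.10
LOC_IPS=192.168.0.0/24
NET_IPS=0.0.0.0/0
EOF

cat > "$WORK/zones" <<'EOF'
#ZONE   DISPLAY   COMMENTS
adm     Admin     Local Administrator
loc     Local     Local Network
net     Net       Internet
EOF

cat > "$WORK/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST       OPTIONS
-       eth0        192.168.0.255   routestopped,multi,blacklist
EOF

cat > "$WORK/hosts" <<'EOF'
#ZONE   HOST(S)          OPTIONS
adm     eth0:$ADM_IPS    routestopped
loc     eth0:$LOC_IPS    routestopped
net     eth0:$NET_IPS
EOF

# Same hosts file with the "net" entry missing: the misconfiguration case.
cat > "$WORK/hosts.missing-net" <<'EOF'
adm     eth0:$ADM_IPS    routestopped
loc     eth0:$LOC_IPS    routestopped
EOF

# Drop comments and blank lines from a table file.
table_rows() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# Replace every $NAME on stdin with the value NAME=value gives in params.
# A sed script is generated from params rather than eval'ing config content.
expand_params() {
    script=$(table_rows "$WORK/params" |
        sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=\(.*\)$/s|\\$\1|\2|g/p')
    sed "$script"
}

# Hosts table with parameters expanded (comments removed first).
expand_hosts() {
    table_rows "$1" | expand_params
}

# Zones bound directly by an interface line, i.e. rows whose zone is not "-".
interface_zones() {
    table_rows "$WORK/interfaces" | awk '$1 != "-" { print $1 }'
}

# Zones bound through the given hosts file.
host_zones() {
    table_rows "$1" | awk '{ print $1 }'
}

# Print each zone from the zones file that no interface or hosts entry binds.
# Empty output means every declared zone is defined somewhere.
unbound_zones() {
    hosts_file=$1
    table_rows "$WORK/zones" | awk '{ print $1 }' | while read -r z; do
        if ! { interface_zones; host_zones "$hosts_file"; } | grep -qx "$z"; then
            echo "$z"
        fi
    done
}

echo "hosts with parameters expanded:"
expand_hosts "$WORK/hosts"
echo "unbound zones with the quoted hosts file: [$(unbound_zones "$WORK/hosts")]"
echo "unbound zones with net dropped from hosts: [$(unbound_zones "$WORK/hosts.missing-net")]"
```

With the quoted configuration the unbound list is empty; with the net line removed the script reports "net", which is exactly the zone that would otherwise be left undefined because eth0 carries "-" in the interfaces file.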