[Shorewall-users] Hosts

Jim Hubbard jimh@dyersinc.com
Wed, 10 Apr 2002 14:51:44 -0400


> Since you have used "-" as the zone for eth0 in the interfaces file, you
> have to define 'net' somewhere and that 'somewhere' is in the hosts file.
> The documentation that you quoted about the zone contents defaulting to
> all hosts interfacing through a set of interfaces doesn't apply in this
> case.
>

OK

>
> > While I'm at it, how can I deny RFC 1918 IPs in my net zone and
> > still accept
> > them in the others?  The only thing I've come up with is to filter
> > everything in loc by mac address too.
> >

> I don't see where MAC filtering will help. What threat are you trying to
> protect yourself from?
>
> -Tom

MAC filtering my loc zone wouldn't keep anyone out of say, my web server,
but it just seems like anything I can do to make sure local users really are
who they say they are would be a good idea.  It would be neat if I could
restrict my net zone in my hosts file with something like:

net		eth0:0.0.0.0/0		norfc1918

or

net		eth0:!10.0.0.0/8,!172.16.0.0/12,!192.168.0.0/16

If not, then maybe this would be something worth adding?

Sincerely,
Jim
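
As an added example (not Shorewall code and not part of this thread): a small Python model of the exclusion syntax proposed above, in which a leading "!" removes a network from a zone and a source address that matches no zone on its arrival interface is rejected, which is the effect wanted for private-range sources showing up on the external interface. The entries in HYPOTHETICAL_HOSTS are constructed for the demonstration.

```python
import ipaddress

# Constructed hosts-style entries modelling the proposed syntax (hypothetical):
# zone -> "iface:net,net,..." where a leading "!" excludes a network.
HYPOTHETICAL_HOSTS = [
    ("loc", "eth1:192.168.1.0/24"),
    ("net", "eth0:0.0.0.0/0,!10.0.0.0/8,!172.16.0.0/12,!192.168.0.0/16"),
]


def parse_entry(spec):
    """Split 'iface:net,!net,...' into (iface, included_nets, excluded_nets)."""
    iface, _, nets = spec.partition(":")
    include, exclude = [], []
    for item in nets.split(","):
        item = item.strip()
        if not item:
            continue
        if item.startswith("!"):
            exclude.append(ipaddress.ip_network(item[1:], strict=False))
        else:
            include.append(ipaddress.ip_network(item, strict=False))
    return iface, include, exclude


def zone_for(iface, src_ip, hosts=HYPOTHETICAL_HOSTS):
    """Return the zone a packet arriving on `iface` from `src_ip` belongs to.

    Exclusions are checked before inclusions, so 10.x arriving on eth0 is
    not part of 'net' even though 0.0.0.0/0 would otherwise cover it.
    Returns None when no zone claims the address (treat as rejected).
    """
    addr = ipaddress.ip_address(src_ip)
    for zone, spec in hosts:
        entry_iface, include, exclude = parse_entry(spec)
        if entry_iface != iface:
            continue
        if any(addr in net for net in exclude):
            continue
        if any(addr in net for net in include):
            return zone
    return None
```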