[Shorewall-users] Policy Rules not working as expected

Tom Eastep teastep@shorewall.net
Thu, 25 Apr 2002 06:20:08 -0700 (PDT)


On Thu, 25 Apr 2002, Patrick Benson wrote:

> nowak@ebi-service.de wrote:
> > 
> > Hi, I have a linux router with 2 nics eth0 and eth1. eth0 is connected to the
> > internet and behind eth1 are several subnets.
> 
> Hello,
> 
> I'm just a little curious. You have defined that eth0 is connected to
> the internet yet you bind your local subnets with eth0 instead of eth1
> below:
>  
> > My hosts files looks like this:
> > 
> > #ZONE           HOST(S)         OPTIONS
> > dinslaken       eth0:10.95.0.0/16       routestopped
> > moers           eth0:10.96.0.0/16       routestopped
> > dortmund        eth0:10.97.0.0/16       routestopped
> > pdv             eth0:192.168.100.0/24   routestopped
> > token           eth0:149.202.30.0/16    routestopped
> > #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
> 
> Tom's documentation usually looks like this, copied from his site:
> 
> ZONE  INTERFACE  BROADCAST  OPTIONS
> net    eth0      detect     dhcp,noping,norfc1918,blacklist
> loc    eth1      detect     routestopped
>  
> > My interface file:
> > 
> > #ZONE    INTERFACE      BROADCAST       OPTIONS
> > net             eth1    detect          routestopped,noping
> > -       eth0    detect          multi
> 
> ..yet you have it switched the other way around. Shouldn't your net
> interface be eth0? I just mention this because you may get more problems
> later on without realizing what may be causing the errors...
>

Shorewall doesn't care which interface is which -- there are only two 
names that Shorewall attaches any meaning to:

a) The contents of the FW variable (normally 'fw') -- that is the zone of 
the firewall itself.
b) 'multi' which is the pseudo-zone that Shorewall creates to be able to 
report on the 'multi2fw' chain. 

The reason that my documentation and the samples use eth0 for the external 
interface is that many of them are taken from my setup which is 
configured that way. No other reason.

So if you want to call your internet zone 'foo' and your local zone 'bar', 
go for it :-)

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
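The rules Tom states above (zone names are free-form except the firewall zone and the 'multi' pseudo-zone, and hosts entries live on an interface declared with zone '-' and the 'multi' option) can be checked mechanically. The following is an added example, not code from the thread or from Shorewall itself; it assumes FW is left at its default 'fw' and the whitespace-separated table layout quoted in the thread, and its sample tables are reconstructed from that quote.

```python
"""Sanity-check Shorewall 1.x 'interfaces' and 'hosts' tables (added example)."""
import ipaddress

RESERVED = {"fw", "multi"}  # assumption: FW left at its default value 'fw'
# Constructed from the tables quoted in the thread.
INTERFACES_SAMPLE = """\
#ZONE    INTERFACE      BROADCAST       OPTIONS
net             eth1    detect          routestopped,noping
-       eth0    detect          multi
"""
HOSTS_SAMPLE = """\
#ZONE           HOST(S)         OPTIONS
dinslaken       eth0:10.95.0.0/16       routestopped
moers           eth0:10.96.0.0/16       routestopped
dortmund        eth0:10.97.0.0/16       routestopped
pdv             eth0:192.168.100.0/24   routestopped
token           eth0:149.202.30.0/16    routestopped
"""

def parse_table(text):
    """Yield the whitespace-split fields of every non-comment, non-empty line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def check(interfaces_text, hosts_text):
    """Return a list of problems; an empty list means the two tables agree."""
    problems = []
    multi_ifaces = set()  # interfaces declared 'zone -' with the 'multi' option
    for fields in parse_table(interfaces_text):
        zone, iface = fields[0], fields[1]
        opts = fields[3].split(",") if len(fields) > 3 else []
        if zone == "-" and "multi" in opts:
            multi_ifaces.add(iface)
        elif zone in RESERVED:
            problems.append(f"interfaces: zone name {zone!r} is reserved")
    for fields in parse_table(hosts_text):
        zone = fields[0]
        iface, _, net = fields[1].partition(":")
        if zone in RESERVED:
            problems.append(f"hosts: zone name {zone!r} is reserved")
        if iface not in multi_ifaces:
            problems.append(f"hosts: {iface} carries zone {zone!r} but is not a multi interface")
        try:
            ipaddress.ip_network(net)  # strict: rejects a prefix with host bits set
        except ValueError:
            problems.append(f"hosts: {net} is not a valid network (host bits set?)")
    return problems
```

Run against the thread's own tables, the only finding is the 'token' entry: 149.202.30.0/16 has host bits set, so the network meant is either 149.202.0.0/16 or 149.202.30.0/24.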