[Shorewall-users] Policy Rules not working as expected
Thu, 25 Apr 2002 06:20:08 -0700 (PDT)
On Thu, 25 Apr 2002, Patrick Benson wrote:
> firstname.lastname@example.org wrote:
> > Hi, I have a linux router with 2 nics eth0 and eth1. eth0 is connected to the
> > internet and behind eth1 are several subnets.
> I'm just a little curious. You have defined that eth0 is connected to
> the internet, yet you bind your local subnets with eth0 instead of eth1.
> > My hosts files looks like this:
> > #ZONE HOST(S) OPTIONS
> > dinslaken eth0:10.95.0.0/16 routestopped
> > moers eth0:10.96.0.0/16 routestopped
> > dortmund eth0:10.97.0.0/16 routestopped
> > pdv eth0:192.168.100.0/24 routestopped
> > token eth0:18.104.22.168/16 routestopped
> > #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
> Tom's documentation usually looks like this, copied from his site:
> ZONE INTERFACE BROADCAST OPTIONS
> net eth0 detect dhcp,noping,norfc1918,blacklist
> loc eth1 detect routestopped
> > My interface file:
> > #ZONE INTERFACE BROADCAST OPTIONS
> > net eth1 detect routestopped,noping
> > - eth0 detect multi
> ..yet you have it switched the other way around. Shouldn't your net
> interface be eth0? I just mention this because you may get more problems
> later on without realizing what may be causing the errors...
Shorewall doesn't care which interface is which -- there are only two
names that Shorewall attaches any meaning to:
a) The contents of the FW variable (normally 'fw') -- that is the zone of
the firewall itself.
b) 'multi' which is the pseudo-zone that Shorewall creates to be able to
report on the 'multi2fw' chain.
The reason that my documentation and the samples use eth0 for the external
interface is that many of them are taken from my setup, which is
configured that way. No other reason.
So if you want to call your internet zone 'foo' and your local zone 'bar',
go for it :-)
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ email@example.com
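The point of the reply above, that zone names are arbitrary labels and only the firewall zone ('fw') and 'multi' carry built-in meaning, can be turned into a small consistency check over the two files quoted in the thread. The script below is an added example, not code from the Shorewall project or from either poster. It parses Shorewall-style `interfaces` and `hosts` files and reports reserved names used as zones, hosts entries on undeclared interfaces, hosts entries on an interface that already has a fixed zone, and overlapping subnets placed in different zones. The reading of a `-` zone in `interfaces` as "this interface's zones are assigned per subnet in `hosts`" is an assumption taken from the sample configuration quoted above; the sample data is the original poster's files (minus the line with the redacted address).

```python
"""Consistency check for Shorewall-style 'interfaces' and 'hosts' files.

Added example, not code from the Shorewall project or from the thread.
Assumption: a '-' in the ZONE column of 'interfaces' marks an interface
whose zones are assigned per subnet in 'hosts' (as in the quoted sample).
"""

import ipaddress

# The only names Shorewall attaches meaning to, per the reply above.
RESERVED_ZONES = {"fw", "multi"}

# Constructed sample: the original poster's files as quoted in the thread.
INTERFACES = """\
#ZONE INTERFACE BROADCAST OPTIONS
net eth1 detect routestopped,noping
- eth0 detect multi
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
"""

HOSTS = """\
#ZONE HOST(S) OPTIONS
dinslaken eth0:10.95.0.0/16 routestopped
moers eth0:10.96.0.0/16 routestopped
dortmund eth0:10.97.0.0/16 routestopped
pdv eth0:192.168.100.0/24 routestopped
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
"""


def parse_records(text, ncols):
    """Yield whitespace-separated records, skipping comments and blank lines.
    Missing trailing columns (e.g. an absent OPTIONS field) are padded with ''."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        fields += [""] * (ncols - len(fields))
        yield fields[:ncols]


def parse_interfaces(text):
    """Return {interface: zone}; zone is '-' for a multi-zone interface."""
    return {iface: zone for zone, iface, _bcast, _opts in parse_records(text, 4)}


def parse_hosts(text):
    """Return a list of (zone, interface, network) tuples."""
    entries = []
    for zone, host, _opts in parse_records(text, 3):
        iface, _, net = host.partition(":")
        entries.append((zone, iface, ipaddress.ip_network(net, strict=False)))
    return entries


def check_config(interfaces_text, hosts_text):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    interfaces = parse_interfaces(interfaces_text)

    for iface, zone in interfaces.items():
        if zone in RESERVED_ZONES:
            findings.append(f"interfaces: '{zone}' is reserved, cannot be the zone of {iface}")

    seen = []
    for zone, iface, net in parse_hosts(hosts_text):
        if zone in RESERVED_ZONES:
            findings.append(f"hosts: zone '{zone}' on {net} is a reserved name")
        if iface not in interfaces:
            findings.append(f"hosts: {iface} (zone '{zone}') is not declared in interfaces")
        elif interfaces[iface] != "-":
            findings.append(f"hosts: {iface} already belongs to zone '{interfaces[iface]}', "
                            f"but hosts assigns {net} to '{zone}'")
        # Two subnets on the same interface may not overlap if they are in different zones.
        for other_zone, other_iface, other_net in seen:
            if iface == other_iface and zone != other_zone and net.overlaps(other_net):
                findings.append(f"hosts: {net} ('{zone}') overlaps {other_net} "
                                f"('{other_zone}') on {iface}")
        seen.append((zone, iface, net))
    return findings


def zones(interfaces_text, hosts_text):
    """All zone names the configuration defines, in file order, excluding '-'."""
    names = [z for z in parse_interfaces(interfaces_text).values() if z != "-"]
    names += [z for z, _iface, _net in parse_hosts(hosts_text)]
    return list(dict.fromkeys(names))


if __name__ == "__main__":
    for finding in check_config(INTERFACES, HOSTS) or ["configuration is consistent"]:
        print(finding)
    print("zones:", ", ".join(zones(INTERFACES, HOSTS)))
```

Run against the quoted files it reports no findings, which is the answer to the question raised in the thread: the subnets in `hosts` sit on eth0, and eth0 is the interface declared with a `-` zone, so the two files agree regardless of which physical interface faces the internet.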