[Shorewall-users] Two Newbie Questions. One About Virtual Addresses And The Other About IP-Chains
Sat, 19 Jan 2002 18:06:01 -0800
On Saturday 19 January 2002 05:07 pm, Francesca C Smith wrote:
> I am new to using Shorewall and well am impressed. Ok here are the
> questions. I run a hosting server running Red-Hat 7.2 with all latest
> patches installed. Iptables version 1.2.4, Kernel 2.4.9-13. I start up
> shorewall with the following configuration params file configuration.
I don't see an attachment -- You mention later though that you are working
off of the one-interface sample.
> I run
> one virtual host on this machine to serve up name based Apache Web Sites.
> The addresses are 184.108.40.206 for eth0 and 220.127.116.11 for eth0:0.
While it wasn't previously stated, the samples all assume a single intern=
IP address. I've updated the web site to make that assumption explicit.
> require all the following ports to be accessible on eth0 from outside. I
> only need 80,443 and 3306 for eth0:0 accessible from outside. From inside
> only 20,21,22,53,123 need to access the local subnet 216.25.199/24.
You refer to "outside" and "inside" -- what exactly do these terms mean to you?
> hosts on sub-net 216.25.199/24 only require 20,21,22 access to this host.
So does the firewall have more than one interface?
> I'm thinking I need local zones for the internal sub-net with 216.25.199
> being excepted.
This is beginning to sound like my setup -- have you looked at
> I'm thinking I need a dmz zone for 18.104.22.168. And all
> eth0 needs is a better thought out port access config than the simple one
> below. (Ftp Less UDP access Etc Etc). All I am asking is am I thinking in
> the right direction here? I can toy with and learn the best config, I just
> need a starting point. I have looked all over the archives and really don't
> see much on iptables and virtual hosts. I am working off the sample one
> interface templates provided at the shorewall web site.
I think you need to abandon use of the sample configs -- I would also like to
know how many interfaces you have (or are thinking of having) on your
firewall. If you are doing this with only one interface, then you are
restricted to two zones: net (or whatever you choose to call the internet)
and fw. You can still differentiate between your external IP addresses but
you must do so entirely inside the rules file.
Tom Eastep \ A Firewall for Linux 2.4.*
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ firstname.lastname@example.org
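To make the "two zones, differentiate by address in the rules file" advice concrete, here is an added example of a one-interface layout. It is not from this thread or from the Shorewall project; it uses the Shorewall 1.x column layout (zones, interfaces, policy, rules) as an assumption, the two addresses and the port lists from Francesca's post, and assumes the firewall zone is named fw and that the DEST column accepts a zone:address form to pin a rule to one of the aliased addresses. Everything here is constructed for illustration.

```text
# /etc/shorewall/zones   (assumed 1.x layout: ZONE DISPLAY COMMENTS)
# Only one interface, so there is one non-firewall zone; "fw" is the firewall itself.
net     Net     Internet, reached through eth0 and its alias eth0:0

# /etc/shorewall/interfaces   (ZONE INTERFACE BROADCAST OPTIONS)
# eth0:0 is an alias of eth0, so it needs no entry of its own; the second
# address is selected per rule below, not per interface.
net     eth0    detect

# /etc/shorewall/policy   (SOURCE DEST POLICY LOG LEVEL)
# Default deny from the internet; the firewall may initiate outbound traffic.
fw      net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules   (ACTION SOURCE DEST PROTO DEST PORT(S))
# Primary address (eth0): web only, as an assumed minimum; extend as needed.
ACCEPT  net                   fw:184.108.40.206   tcp   80,443
# Second address (eth0:0): exactly the three ports the post asks for.
ACCEPT  net                   fw:220.127.116.11   tcp   80,443,3306
# The local /24 gets FTP and SSH to the host itself (either address).
ACCEPT  net:216.25.199.0/24   fw                  tcp   20,21,22
```

Two practitioner notes on this layout. First, the rules are evaluated before the net→all DROP policy, so anything not listed for a given address is dropped and logged; check the result with the firewall's own logging rather than assuming it. Second, port 3306 on the second address is open to the whole internet only because the post asks for it; if the MySQL clients are known (for example the 216.25.199.0/24 subnet), narrowing the SOURCE of that one line to those hosts is the single change that most reduces exposure.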