Re: [Shorewall-users] Compicated config?
Wed, 30 Jan 2002 11:19:11 -0000
> -----Original Message-----
> From: Tom Eastep [mailto:firstname.lastname@example.org]
> Sent: Monday, 28 January 2002 16:42
> To: Lumpp, Wolfgang; email@example.com
> Subject: Re: [Shorewall-users] Compicated config?
> Hello Wolfgang,
> On Monday 28 January 2002 07:15 am, Lumpp, Wolfgang wrote:
> > Hello,
> > at the moment, I'm trying to set up the following config:
> > several subnets from 10.0.0.0/8 and 192.168.0.0/16 which are offices.
> > Most of them are connected through the internal interface eth0.
> > But some are connected by VPN, made by a cisco, which is also our gateway to the ISP (eth1 of firewall).
> > Now I thought about zones in the form:
> > offa officeA
> > offb officeB
> > and so on.
> > Some of these zones are connected to the internal (eth0), some to the VPN (eth1).
> > I want to split the zones, because I want to have the traffic from/to the offices.
> > What's the best way? I've read something about setting the interfaces to multi.
> > And this could drive me into the wrong road ;-)
> > Any help is highly appreciated
> For those interfaces that are associated with multiple zones, don't specify a zone in /etc/shorewall/interfaces:
> -       eth0
> You can then define the zones in the /etc/shorewall/hosts file:
> offa eth0:10.1.2.0/24
> offb eth0:192.168.1.0/24
thanks for your fast answer!
This part is clear and also implemented.
Now the next part ;-)
The Cisco does NAT. This means I can't masq the !VPN subnets! over the
interface that is connected to the Cisco. Only internal subnets.
So, now what's easier?
Masq all subnets, except the VPN-subnets?
The problem is, I have incoming packets from the VPN-subnets to the fw.
These packets should go out to the internet (www or other ports).
Masq all, but VPN-subnets?
Without masq, allow internet access to dest. all, but VPN-subnets?
What will be the best (easy, fast)?
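An added example, not from this thread, of the rule shape behind "masq all, but VPN-subnets": Shorewall builds its masquerading out of iptables POSTROUTING rules, and this script emits that shape by hand for the Cisco-facing interface, excluding the VPN office subnets before the catch-all MASQUERADE so the Cisco keeps doing NAT for them. The interface name eth1 comes from the thread; the VPN subnet values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Emits, rather than applies, the
# POSTROUTING rules for "masquerade everything leaving the Cisco-facing
# interface except traffic destined to the VPN office subnets".
# Order matters: the per-subnet RETURN rules must come before the
# catch-all MASQUERADE, otherwise VPN traffic would be rewritten too.
CISCO_IF="eth1"                            # from the thread: interface to the Cisco
VPN_SUBNETS="10.3.0.0/16 192.168.50.0/24"  # constructed: offices behind the Cisco VPN

# masq_rules <ifname> <vpn-subnet>...
# Prints one RETURN rule per VPN subnet, then the catch-all MASQUERADE.
masq_rules() {
    ifname=$1; shift
    for net in "$@"; do
        printf 'iptables -t nat -A POSTROUTING -o %s -d %s -j RETURN\n' "$ifname" "$net"
    done
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$ifname"
}

# Usage: review the output, then pipe it to sh on the firewall if it is right.
# shellcheck disable=SC2086  # word-splitting of VPN_SUBNETS is intended
masq_rules "$CISCO_IF" $VPN_SUBNETS
```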