[Shorewall-users] multiple net interfaces, aliases

Kenneth Porter shiva@well.com
30 Jan 2002 16:42:26 -0800


I'm looking for something to help me migrate a working ipchains firewall
to iptables and I just finished reading the Shorewall documentation on
the web. It looks promising, but I have some questions about how my own
topology fits into the Shorewall framework.

1) I have two external network interfaces to different ISPs, and use
static routing to divert some traffic to the "backup" ISP. I want the
rule sets for the two interfaces to otherwise be identical. Any special
consideration here?

2) I have one internal interface (eth0) with an alias (eth0:0). My LAN
is in the middle of a renumbering, so the gateway doubles as an internal
router between the two netblocks represented by these two interfaces.
Does Shorewall understand an interface alias? Do I just treat it like a
normal interface?

3) I have a VPN box on the LAN that connects to about a dozen other
company sites, each with a different private netblock. The gateway
routes traffic between the two internal netblocks and the various WAN
netblocks by directing such traffic to the VPN box. Would I declare a
zone that includes all the WAN netblocks? (I'm thinking each netblock
needs its own zone, but it would be more convenient to declare them all
as members of one zone, as they get the same rules.)