[Shorewall-users] multiple net interfaces, aliases

Tom Eastep teastep@shorewall.net
Wed, 30 Jan 2002 16:53:24 -0800


On Wednesday 30 January 2002 04:42 pm, Kenneth Porter wrote:
> I'm looking for something to help me migrate a working ipchains firewall
> to iptables and I just finished reading the shorewall documentation on
> the web. It looks promising, but I have some questions about how my own
> topology fits into the shorewall framework.
> 1) I have two external network interfaces to different ISP's, and use
> static routing to divert some traffic to the "backup" ISP. I want the
> rule sets for the two interfaces to otherwise be identical. Any special
> consideration here?

Just don't express your rules in terms of the external interface.

> 2) I have one internal interface (eth0) with an alias (eth0:0). My LAN
> is in the middle of a renumbering, so the gateway doubles as an internal
> router between the two netblocks represented by these two interfaces.
> Does shorewall understand an interface alias?

No, and neither does iptables.

> Do I just treat it like a normal interface?

I would specify "multi" on eth0 and have an ACCEPT policy for loc->loc.

> 3) I have a VPN box on the LAN that connects to about a dozen other
> company sites, each with a different private netblock. The gateway
> routes traffic between the two internal netblocks and the various WAN
> netblocks by directing such traffic to the VPN box. Would I declare a
> zone that includes all the WAN netblocks? (I'm thinking each netblock
> needs its own zone, but it would be more convenient to declare them all
> as members of one zone, as they get the same rules.)

If you follow my recommendation in 2), you don't have to do anything else.

Tom Eastep    \ A Firewall for Linux 2.4.*
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
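As an added example (not part of Tom's reply or of the Shorewall project's own documentation), here is how the three answers above map onto Shorewall 1.x-style configuration files. Only eth0 is named in the thread; the external interface names eth1 and eth2, the 192.0.2.10 server address and the policy/rules lines are assumed for illustration.

```text
# /etc/shorewall/zones
#ZONE   DISPLAY   COMMENTS
net     Net       Internet, reached through either ISP
loc     Local     LAN: old netblock, new netblock, and the sites behind the VPN box

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth1        detect                    # ISP 1 (interface name assumed)
net     eth2        detect                    # ISP 2 (interface name assumed)
loc     eth0        detect      multi         # eth0 and the eth0:0 alias share this entry;
                                              # "multi" lets traffic re-exit the same interface

# /etc/shorewall/policy
#SOURCE   DEST   POLICY   LOG LEVEL
loc       loc    ACCEPT               # old<->new netblock routing, and LAN->VPN box->remote sites
loc       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules  (written against zones, never against eth1 or eth2,
#                        so both ISP links get identical treatment)
#ACTION   SOURCE   DEST               PROTO   DEST PORT(S)
ACCEPT    net      fw                 tcp     22
ACCEPT    net      loc:192.0.2.10     tcp     80      # LAN web server; address constructed
```

Because both external interfaces carry the same zone, which link a packet uses is decided by the kernel's static routes, not by Shorewall, so no per-ISP rule duplication is needed. Traffic for the remote VPN netblocks arrives on eth0 from the LAN and is routed back out eth0 to the VPN box, which is why the loc->loc ACCEPT policy on the multi interface covers question 3 without a separate zone.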