[Shorewall-users] Simple question about zones (haven't found
mnv at gu.net
Wed Mar 2 06:36:33 PST 2005
You wrote at 02.03.2005, 16:17:
> Please, keep this thread on the mailing list, unless you really want to
> talk to me privately.
> On Wed, 2005-03-02 at 15:40 +0200, Nick Mashchenko wrote:
>> Hello Karsten
>> You wrote at 02.03.2005, 15:21:
>> > ACCEPT net1 fw:126.96.36.199 tcp http
>> > This rule will ACCEPT connections from ISP1 (via zone net1) to the IP
>> > 188.8.131.52 (yes, your firewall) only.
>> > There is no need to create a zone, which basically is only one of the IP
>> > addresses of your firewall. See the Rules documentation, especially the
>> > part about DEST.
>> > http://shorewall.net/Documentation.htm#Rules
>> >> Probably I should say sorry for that post...
>> > Well, you should have sent it to the list, rather than to me
>> > personally. ;-)
>> It was a mistake... :-)
>> >> I can write this in /etc/shorewall/zones:
>> >> fw1 eth0 broadcast <options>
>> >> fw2 eth1 broadcast <options>
>> > No, you can't. This is interfaces syntax, not zones.
>> Yes, yes, in "interfaces"... Stupid mis-writing... :-)
>> And, btw, 100% bullshit (these two lines above) :-).
>> > As I mentioned above, I don't think you want zones here anyways. You
>> > want single IPs. So just qualify the proper zone with the IP. The rules
>> > will then match only for those IPs inside the zone, not all IPs of that
>> > zone. (Where "proper zone" in this case means fw, cause it *is* your
>> > firewall, no?)
>> Ok. So, zone "fw" includes all ifaces at the firewall box, right?
>> If yes, then:
>> net1 net1 ISP1
>> net2 net2 ISP2
>> fw eth0 detect
>> fw eth1 detect
>> ACCEPT fw:184.108.40.206 tcp http
>> ACCEPT fw:220.127.116.11 tcp http
> No. The above isn't even correct syntax. Please, read the links I
> mentioned in my previous post *carefully*.
> * interfaces: Do not redefine the fw zone. It already is defined by
> default. eth0 is your net1 zone anyway...
> * rules: So what don't you like about the rule I mentioned before?
I apologize for my dumbness... :-)
Don't even imagine what's up with my head today...
One stupid error after another... :-(
net1 isp1-net ISP1 inet
net2 isp2-net ISP2 inet
net1 eth0 detect <options>
net2 eth1 detect <options>
ACCEPT net1 fw:18.104.22.168 tcp http
ACCEPT net2 fw:22.214.171.124 tcp http
If yes, please explain, what is zone "fw"?
Which IP/ifaces/etc does it include?
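Editor's note (not part of the thread): the point Karsten is making is that fw is the firewall box itself and is never listed in zones or interfaces; each ISP interface gets its own zone, and a rule is narrowed to one firewall address by qualifying the DEST column as fw:ADDRESS. Below is an added example of how the four files fit together in the Shorewall 2.x column layout that this 2005 thread uses. The interface options shown are a common choice, not anything the thread specifies, and the two addresses are RFC 5737 documentation placeholders standing in for the firewall's real IP on eth0 and eth1.

```text
# /etc/shorewall/zones
# The fw zone is NOT listed here: it is implied by FW=fw in shorewall.conf.
#ZONE   DISPLAY     COMMENTS
net1    ISP1        Internet via ISP1 (eth0)
net2    ISP2        Internet via ISP2 (eth1)

# /etc/shorewall/interfaces
# Wrong (from the thread): "fw eth0 detect" - fw is not an interface zone.
# Right: bind each ISP interface to its own zone.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net1    eth0        detect      norfc1918,routefilter,tcpflags
net2    eth1        detect      norfc1918,routefilter,tcpflags

# /etc/shorewall/policy
# Default-deny from both ISPs; the firewall itself may talk out.
#SOURCE DEST    POLICY  LOG LEVEL
fw      all     ACCEPT
net1    all     DROP    info
net2    all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
# fw:ADDRESS restricts the match to that one firewall IP, so HTTP from
# ISP1 is accepted only on the eth0 address and HTTP from ISP2 only on
# the eth1 address. (Addresses are placeholders - assumption.)
#ACTION SOURCE  DEST                PROTO   DEST PORT(S)
ACCEPT  net1    fw:192.0.2.10       tcp     80
ACCEPT  net2    fw:198.51.100.10    tcp     80
```

With this layout a connection from ISP1 to the eth1 address (or vice versa) falls through to the net1/net2 DROP policy, which is the narrowing effect the thread describes; check it with `shorewall check` before `shorewall restart`, and watch the logged drops if the expected traffic does not arrive.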