[Shorewall-users] Simple question about zones (haven't found in FAQ)

Nick Mashchenko mnv at gu.net
Wed Mar 2 06:36:33 PST 2005


Hello Karsten

You wrote at 02.03.2005, 16:17:

> Please, keep this thread on the mailing list, unless you really want to
> talk to me privately.


> On Wed, 2005-03-02 at 15:40 +0200, Nick Mashchenko wrote:
>> Hello Karsten
>> 
>> You wrote at 02.03.2005, 15:21:
>> 
>> > ACCEPT  net1  fw:1.1.1.1  tcp  http
>> 
>> > This rule will ACCEPT connections from ISP1 (via zone net1) to the IP
>> > 1.1.1.1 (yes, your firewall) only.
>> 
>> > There is no need to create a zone, which basically is only one of the IP
>> > addresses of your firewall. See the Rules documentation, especially the
>> > part about DEST.
>> 
>> >   http://shorewall.net/Documentation.htm#Rules
>> 
>> >> Probably I should sorry for that post...
>> 
>> > Well, you should have sent it to the list, rather than to me
>> > personally. ;-)
>> 
>> It was a mistake... :-)
>> 
>> >> I can write this in /etc/shorewall/zones:
>> >> 
>> >> fw1  eth0  broadcast  <options>
>> >> fw2  eth1  broadcast  <options>
>> 
>> > No, you can't. This is interfaces syntax, not zones.
>> 
>> Yes, yes, in "interfaces"... Stupid mis-writing... :-)
>> And, btw, 100% bullshit (these two lines above) :-).
>> 
>> > As I mentioned above, I don't think you want zones here anyways. You
>> > want single IPs. So just qualify the proper zone with the IP. The rules
>> > will then match only for those IPs inside the zone, not all IPs of that
>> > zone. (Where "proper zone" in this case means fw, cause it *is* your
>> > firewall, no?)
>> 
>> Ok. So, zone "fw" includes all ifaces at the firewall box, right?
>> If yes, then:
>> 
>> /etc/shorewall/zones:
>> net1    net1    ISP1
>> net2    net2    ISP2
>> 
>> /etc/shorewall/interfaces:
>> fw      eth0    detect
>> fw      eth1    detect
>> 
>> /etc/shorewall/rules:
>> ACCEPT  fw:1.1.1.1      tcp     http
>> ACCEPT  fw:2.2.2.2      tcp     http
>> 
>> Right?

> No. The above isn't even correct syntax. Please, read the links I
> mentioned in my previous post *carefully*.

> * interfaces:  Do no redefine the fw zone. It already is defined by
> default. eth0 is your net1 zone anyway...

> * rules:  So what don't you like about the rule I mentioned before?

I apologize for my dumbness... :-)
Don't even imagine what's up with my head today...
One stupid error after another... :-(

So...

zones:
net1    isp1-net        ISP1 inet
net2    isp2-net        ISP2 inet

interfaces:
net1    eth0            detect          <options>
net2    eth1            detect          <options>

rules:
ACCEPT  net1            fw:1.1.1.1      tcp     http
ACCEPT  net2            fw:3.3.3.3      tcp     http

Correct?

If yes, please explain: what is zone "fw"?
Which IP/ifaces/etc does it include?

--
MNV-UANIC/RIPE
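The two-ISP layout sketched in the message above, written out as a complete set of Shorewall 2.x files. This is an added example and not code from the thread or from the Shorewall project; the zone names, interface names and the addresses 1.1.1.1 and 3.3.3.3 are placeholders carried over from the post, and the option lists are my own choice. On the closing question: "fw" is the firewall host itself. Its name comes from the FW= setting in /etc/shorewall/shorewall.conf (default fw), it is never listed in /etc/shorewall/interfaces, and in the 2.x three-column zones format used here it is not listed in /etc/shorewall/zones either; it covers every address the box carries on any interface, which is why the fw:<address> qualifier in a rule is what narrows a match to one of those addresses.

```text
# /etc/shorewall/zones   (Shorewall 2.x columns: ZONE  DISPLAY  COMMENTS)
# "fw" is not listed here: it is the firewall itself and exists implicitly
# under the name set by FW= in /etc/shorewall/shorewall.conf (default: fw).
#ZONE   DISPLAY         COMMENTS
net1    isp1-net        ISP1 uplink
net2    isp2-net        ISP2 uplink

# /etc/shorewall/interfaces   (ZONE  INTERFACE  BROADCAST  OPTIONS)
# One uplink per zone. Interface names and options are placeholders.
# Never put "fw" in this file; interfaces belong to the zones they face.
#ZONE   INTERFACE       BROADCAST       OPTIONS
net1    eth0            detect          tcpflags
net2    eth1            detect          tcpflags

# /etc/shorewall/policy   (SOURCE  DEST  POLICY  LOG LEVEL)
# Default-deny from both ISPs towards the box and towards each other, with
# logging of what is dropped. Rules are matched before policies apply,
# so the two ACCEPT rules below still take effect.
#SOURCE DEST    POLICY          LOG LEVEL
fw      all     ACCEPT
net1    all     DROP            info
net2    all     DROP            info
all     all     REJECT          info

# /etc/shorewall/rules   (ACTION  SOURCE  DEST  PROTO  DEST PORT(S))
# DEST fw:<address> restricts the rule to one of the firewall's own
# addresses: HTTP from ISP1 is accepted only when addressed to 1.1.1.1,
# HTTP from ISP2 only when addressed to 3.3.3.3 (placeholder addresses).
# The same rule without the qualifier (DEST = fw) would accept HTTP to
# any address the firewall has, on either uplink.
#ACTION SOURCE  DEST            PROTO   DEST PORT(S)
ACCEPT  net1    fw:1.1.1.1      tcp     http
ACCEPT  net2    fw:3.3.3.3      tcp     http
```

Run `shorewall check` after editing and before `shorewall restart`; it parses all the files and reports column and zone-name errors such as a zone referenced in interfaces that is not defined in zones. Note that these files only decide which packets are accepted: making replies to 3.3.3.3 leave through eth1 rather than eth0 is a routing question (policy routing per source address) that none of the files above answers.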


