From: Holger <li...@ne...> - 2003-10-15 14:18:44
Hello,

I'm new to Shorewall, but I really like it a lot. It's quite similar to the firewall concept I did on my own. I also created zones in my own script, although not as simple to configure as Shorewall. Great work.

What I am trying to accomplish:

    dsl dialup (pppoe)                dsl leased line
    dynamic ip                        fixed ip range
            |                                |
            |          transport net         |
    shorewall router 2 --------- shorewall router 1 --- dmz
            |
            |
    local net(s) (3 subnets)

Router 2 is currently running my own setup and does all of the work involved in router 2 and 1 in one configuration. Because of this setup we are using source IP routing on that box to determine which DSL line will get used for external traffic. Now I want to split this one box into two boxes to get a better possibility of management and, most important, to have a VPN endpoint (on router 1).

I'm currently setting up router 1 and noticed some redundant rules in some chains created by Shorewall (complete status attached). For example, chain dmz_frwd looks like this:

    Chain dmz_frwd (2 references)
    target     prot opt in     out     source               destination
    dmz2net    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    dmz2net    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    dmz2loc    all  --  *      eth3    0.0.0.0/0            10.0.0.0/24
    dmz2loc    all  --  *      eth3    0.0.0.0/0            10.0.1.0/24
    dmz2loc    all  --  *      eth3    0.0.0.0/0            192.168.3.0/24
    dmz2loc    all  --  *      eth3    0.0.0.0/0            10.0.0.0/24
    dmz2loc    all  --  *      eth3    0.0.0.0/0            10.0.1.0/24
    dmz2loc    all  --  *      eth3    0.0.0.0/0            192.168.3.0/24
    ACCEPT     all  --  *      eth0    0.0.0.0/0            217.89.141.24/29
    ACCEPT     all  --  *      eth0    0.0.0.0/0            217.5.177.76/30

As you can see, lines 1,2; 3,6; 4,7; 5,8 are exactly the same. Is this a bug or a feature?!? It won't do any harm, although these lines are not really necessary.

Thanks for your help,

Holger Brueckner
net-labs Systemhaus GmbH
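The duplicates in the mail were spotted by eye. The following is an added example, not code from the mail, from Shorewall or from this list: a small POSIX shell/awk check that reports every rule that appears more than once within the same chain of "iptables -L -n" output. The sample listing is the dmz_frwd chain from the mail, retyped by hand as constructed input; the function names (find_duplicate_rules, count_duplicate_rules) are made up here.

```shell
#!/bin/sh
# Added example (not from the original mail or from Shorewall): report rules
# that occur more than once inside the same chain of `iptables -L -n` output.

# Constructed sample input: the dmz_frwd chain as posted in the mail.
SAMPLE_LISTING='Chain dmz_frwd (2 references)
target     prot opt in     out     source               destination
dmz2net    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
dmz2net    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
dmz2loc    all  --  *      eth3    0.0.0.0/0            10.0.0.0/24
dmz2loc    all  --  *      eth3    0.0.0.0/0            10.0.1.0/24
dmz2loc    all  --  *      eth3    0.0.0.0/0            192.168.3.0/24
dmz2loc    all  --  *      eth3    0.0.0.0/0            10.0.0.0/24
dmz2loc    all  --  *      eth3    0.0.0.0/0            10.0.1.0/24
dmz2loc    all  --  *      eth3    0.0.0.0/0            192.168.3.0/24
ACCEPT     all  --  *      eth0    0.0.0.0/0            217.89.141.24/29
ACCEPT     all  --  *      eth0    0.0.0.0/0            217.5.177.76/30'

# find_duplicate_rules: read `iptables -L -n` style text on stdin and print
# one line per duplicated rule as "<count>TAB<chain>TAB<rule>", sorted.
# Works across several chains because the current chain name is taken from
# each "Chain ..." header; header and blank lines are skipped.
find_duplicate_rules() {
    awk '
        /^Chain /        { chain = $2; next }   # start of a new chain
        /^target /       { next }               # column header line
        /^[[:space:]]*$/ { next }               # blank separator between chains
        {
            $1 = $1                             # collapse padding to single spaces
            key = chain "\t" $0                 # duplicates must be in the SAME chain
            count[key]++
        }
        END {
            for (k in count)
                if (count[k] > 1)
                    print count[k] "\t" k
        }
    ' | sort
}

# count_duplicate_rules: number of distinct duplicated rules in the sample.
count_duplicate_rules() {
    printf '%s\n' "$SAMPLE_LISTING" | find_duplicate_rules | wc -l | tr -d ' '
}

# Stand-alone run: lists the four duplicated rules from the sample.
printf '%s\n' "$SAMPLE_LISTING" | find_duplicate_rules
```

On a live box this is used as "iptables -L -n | find_duplicate_rules" (or with a single chain name after -L). Do not add -v: the packet and byte counters differ between two otherwise identical rules and would hide the duplicate. For a lossless comparison of rules, including match extensions that the -L view may abbreviate, "iptables-save" output is the better input, but its line format differs from what this awk expects.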