From: Paul G. <pg...@re...> - 2006-02-02 05:42:16

Jan Mulders wrote:
> ...
> I guess this means I don't have to angst about shorewall interfering during
> restarts any more :-)
>
> Dynamic zones is adding/removing a physical or virtual interface to a zone
> dynamically, correct? Can I do this for -subsets- of interfaces (ie, a
> single IP address on my local network), as hinted at by the manpage?

You can add anything that you can normally put in a zone. Interfaces, subnets, or individual hosts.

> Would the gurus here consider that a better solution than commenting out
> ACCEPT rules for hosts, or is it simply a case of convenience?

Absolutely. Although Tom has been trying to drop dynamic zones for a long time now, they are unlikely to go away until ipsets has stabilised in kernel.org distributions, and then there will be a direct replacement for them anyway.

> In terms of expanding on my configuration, do you know if it's possible to
> rate-limit a user (down to, say, 5k/sec) from a perl script using Shorewall
> as the medium? Which would suit me better under this condition - editing
> 'rules' or dynamic zones?

If your users have fixed addresses, then I expect switching them from the "full access" zone to the "cut-down" zone would mean you were able to rate-limit them effectively.

Paul
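The approach Paul describes, moving a fixed-address host between a "full access" dynamic zone and a "cut-down" one, as an added example that is not part of the thread and not Shorewall's own code. Jan asked about driving this from a Perl script; the sketch below is Python, but the point carries over to any language: validate the interface, address and zone names before they reach a privileged command, invoke `shorewall` with an argv list rather than a shell string so user-supplied data can never be interpreted as shell, and roll back if the host is removed from the old zone but cannot be added to the new one. It assumes the `shorewall add interface:host zone` and `shorewall delete interface:host zone` dynamic-zone commands of the Shorewall of that era; the interface `eth0`, the host `192.168.1.5` and the zone names `full` and `limit` are constructed for the example, and the rate limit itself is whatever policy or traffic shaping you attach to the cut-down zone.

```python
"""Move a host between two Shorewall dynamic zones (added illustration).

Not the poster's script and not Shorewall project code. Assumes the
classic dynamic-zone commands:
    shorewall add    <interface>[:<host-or-subnet>] <zone>
    shorewall delete <interface>[:<host-or-subnet>] <zone>
Zone names "full" / "limit" and interface "eth0" are constructed here.
"""
import ipaddress
import re
import subprocess
from typing import Callable, List, Sequence

# Linux interface names: up to 15 chars, no whitespace or shell metacharacters.
IFACE_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")
# Shorewall zone names are short alphanumeric tokens; we only need to be sure
# nothing but letters, digits and underscores reaches the command line.
ZONE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")

Runner = Callable[[Sequence[str]], int]


class ZoneError(ValueError):
    """Raised when an interface, host or zone name fails validation."""


def validate(iface: str, host: str, *zones: str) -> None:
    """Reject anything that is not a plain interface, IP/CIDR and zone name."""
    if not IFACE_RE.match(iface):
        raise ZoneError(f"bad interface name: {iface!r}")
    try:
        # Accepts a single address or a CIDR subnet; Shorewall takes both.
        ipaddress.ip_network(host, strict=False)
    except ValueError as exc:
        raise ZoneError(f"bad host/subnet: {host!r}") from exc
    for zone in zones:
        if not ZONE_RE.match(zone):
            raise ZoneError(f"bad zone name: {zone!r}")


def zone_commands(iface: str, host: str, from_zone: str, to_zone: str) -> List[List[str]]:
    """Return the two argv lists needed to move host from from_zone to to_zone.

    Each command is an argv list, never a shell string, so a hostile value
    in `host` or `zone` cannot inject extra shell commands.
    """
    validate(iface, host, from_zone, to_zone)
    target = f"{iface}:{host}"
    return [
        ["shorewall", "delete", target, from_zone],
        ["shorewall", "add", target, to_zone],
    ]


def subprocess_runner(argv: Sequence[str]) -> int:
    """Default runner: execute argv without a shell and return its exit code."""
    return subprocess.run(list(argv), check=False).returncode


def move_host(iface: str, host: str, from_zone: str, to_zone: str,
              run: Runner = subprocess_runner) -> bool:
    """Move host between zones; on a failed add, put it back where it was."""
    delete_cmd, add_cmd = zone_commands(iface, host, from_zone, to_zone)
    if run(delete_cmd) != 0:
        return False                      # still in the old zone, nothing changed
    if run(add_cmd) != 0:
        # Host is now in no zone at all; restore it so it is not left
        # in whatever the default policy for unzoned traffic happens to be.
        run(["shorewall", "add", f"{iface}:{host}", from_zone])
        return False
    return True


if __name__ == "__main__":
    # Dry run: print the commands instead of executing them.
    def echo(argv: Sequence[str]) -> int:
        print(" ".join(argv))
        return 0

    move_host("eth0", "192.168.1.5", "full", "limit", run=echo)
```

Running the module prints the two `shorewall` commands it would execute; pass `run=subprocess_runner` (the default) from a privileged helper to perform the move for real. The same `zone_commands` function serves the reverse direction, restoring a user to the "full access" zone, by swapping the two zone arguments.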