From: Mark v. D. <lis...@in...> - 2012-09-01 12:49:27
> Right -- it isn't valid. Packets routed to/from eth1.10 are NOT routed
> to/from eth1. In this configuration, eth1 doesn't have an IP address
> at all so Netfilter won't match any packets against eth1.

Ok, makes sense.

> - define one zone Z that includes all three eth.nn,
> - specify REJECT for the Z->Z policy.
> - Use rules to specify which traffic is allowed.

So in effect, is this what you mean?

--
/etc/shorewall/zones
loc        ipv4
http:loc   ipv4
mail:loc   ipv4
ftp:loc    ipv4

/etc/shorewall/interfaces
...
loc   eth1.10
loc   eth1.11
loc   eth1.12

/etc/shorewall/hosts
http   eth1.10:0.0.0.0/0
mail   eth1.11:0.0.0.0/0
ftp    eth1.12:0.0.0.0/0

It seems that, in this scenario, the firewall would not care for the IPs behind a certain vlan, which seems to be quite handy, for example if I add another HTTP server to vlan 10.

Thank you,
Mark
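The zones/interfaces/hosts files above cover only half of the advice in the quoted reply; the REJECT policy between the VLAN sub-zones and the explicit allow rules live in two further files. The fragment below is an added example, not from this thread or the Shorewall project, and it assumes the zone names from the post plus the firewall's own zone declared as `fw firewall` in /etc/shorewall/zones.

```text
# /etc/shorewall/policy  (added example; zone names assumed from the post)
#SOURCE   DEST   POLICY   LOG LEVEL
# Parent-zone policy: applies to http<->mail<->ftp because all three are sub-zones of loc
loc       loc    REJECT   info
loc       $FW    REJECT   info
$FW       loc    ACCEPT
all       all    REJECT   info

# /etc/shorewall/rules  (added example; only the listed cross-VLAN traffic is permitted)
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
# web servers on VLAN 10 may relay mail to the VLAN 11 mail hosts
ACCEPT    http     mail   tcp     25
# management of the firewall itself only from the web VLAN
ACCEPT    http     $FW    tcp     22
```

With the `info` log level on the REJECT policies, any unlisted VLAN-to-VLAN attempt (for example a host on vlan 10 probing vlan 12) is logged by the kernel, which gives a ready-made detection signal for lateral movement between the segments.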