Andrew Suffield wrote:
> On Wed, Jan 03, 2007 at 03:15:20PM +0000, Simon Hobson wrote:
>
>> Can you summarise the key setup details you worked out ?
>
> Don't create more zones than you actually need. Don't put one line in
> shorewall/interfaces for each VLAN (shorewall's performance is subtly
> sensitive to what you put in the interfaces and hosts files), instead
> collect all the roughly-equivalent client networks with a wildcard
> line, and do any per-VLAN variations in shorewall/rules - which means
> your client networks need to have addresses that make this
> convenient. Use return-path filtering to ensure that client networks
> must use the correct addresses (so no asymmetric routing), so you can
> rely on them for filtering purposes.
You can use vlan interfaces for filtering, even if they aren't explicitly
mentioned in /etc/shorewall/interfaces.
Example:

/etc/shorewall/interfaces:

    foo     eth1.1*     ...

/etc/shorewall/rules:

    ACCEPT  foo:eth1.12 ...
If you find that feature is broken with vlans, let me know as it should work.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
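Putting Andrew's layout and Tom's zone:interface qualifier together, as an added example that is not from the thread: one client zone, one wildcard interfaces line, per-VLAN exceptions in rules, and return-path filtering switched on globally. The zone names, the 10.0.N.0/24 addressing, the ports, and the trailing '+' wildcard form are assumptions; check the wildcard syntax in interfaces(5) and the ROUTE_FILTER option against your Shorewall release.

```text
# /etc/shorewall/zones  (one zone for all client VLANs, not one per VLAN)
#ZONE   TYPE
fw      firewall
net     ipv4
cli     ipv4

# /etc/shorewall/interfaces
# One wildcard line covers every client VLAN sub-interface of eth1
# ('eth1.+' is assumed to be the wildcard form for this release).
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          tcpflags
cli     eth1.+          detect          tcpflags

# /etc/shorewall/shorewall.conf (fragment)
# Return-path filtering for every interface, so a host on eth1.20 cannot
# send from an address that is not routed back out through eth1.20.
ROUTE_FILTER=Yes

# /etc/shorewall/policy
#SOURCE DEST    POLICY  LOG LEVEL
cli     net     DROP    info
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
# Addressing convention (constructed): VLAN N is 10.0.N.0/24 on eth1.N,
# so a per-VLAN exception can name either the sub-interface or the subnet.
#ACTION SOURCE              DEST    PROTO   DEST PORT(S)
# Baseline that every client VLAN gets from the single wildcard zone
ACCEPT  cli                 fw      udp     53
ACCEPT  cli                 fw      tcp     53
ACCEPT  cli                 net     tcp     80,443
# Per-VLAN variation by sub-interface: only VLAN 12 may ssh to the firewall
ACCEPT  cli:eth1.12         fw      tcp     22
# Per-VLAN variation by address, safe because rp_filter drops packets
# arriving on eth1.20 with a source outside 10.0.20.0/24
ACCEPT  cli:10.0.20.0/24    net     tcp     25
```

After "shorewall check" and "shorewall restart", "shorewall show filter" should list the cli:eth1.12 and 10.0.20.0/24 matches as separate rules while the baseline rules carry no per-VLAN interface match at all.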
