On Wed, Jan 03, 2007 at 10:13:46AM -0800, Tom Eastep wrote:
> Andrew Suffield wrote:
> > On Wed, Jan 03, 2007 at 03:15:20PM +0000, Simon Hobson wrote:
> > 
> >> Can you summarise the key setup details you worked out ?
> > 
> > Don't create more zones than you actually need. Don't put one line in
> > shorewall/interfaces for each VLAN (shorewall's performance is subtly
> > sensitive to what you put in the interfaces and hosts files), instead
> > collect all the roughly-equivalent client networks with a wildcard
> > line, and do any per-VLAN variations in shorewall/rules - which means
> > your client networks need to have addresses that make this
> > convenient. Use return-path filtering to ensure that client networks
> > must use the correct addresses (so no asymmetric routing), so you can
> > rely on them for filtering purposes.
> 
> You can use vlan interfaces for filtering, even if they aren't explicitly
> mentioned in /etc/shorewall/interfaces.

Hmm, yes, that's obvious when you think about it. I can't remember why
I had to do it the other way. Must be something weird about my
setup. Ignore that bit.
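As an added illustration of the layout Andrew describes (a single wildcard interfaces entry covering every client VLAN, per-VLAN policy expressed in rules by subnet, and return-path filtering enforced globally), here is a minimal Shorewall configuration that is not from the thread or the Shorewall project; the interface names, the 10.0.<vlan-id>.0/24 addressing scheme and the "admin" and "guest" VLAN roles are assumptions chosen so that each VLAN's subnet can be matched directly in rules.

```conf
# --- /etc/shorewall/zones (assumed zone names) ---
#ZONE     TYPE
fw        firewall
net       ipv4
clients   ipv4

# --- /etc/shorewall/interfaces ---
# One wildcard line for all client VLAN sub-interfaces (eth1.10, eth1.20, ...)
# instead of one line per VLAN.
#ZONE     INTERFACE   BROADCAST   OPTIONS
net       eth0        detect      tcpflags
clients   eth1.+      detect      tcpflags

# --- /etc/shorewall/shorewall.conf (only the relevant setting) ---
# Return-path filtering: a packet arriving on eth1.20 with a source address
# routed via eth1.10 is dropped, so rules below can trust the source subnet.
ROUTE_FILTER=Yes

# --- /etc/shorewall/policy ---
#SOURCE   DEST    POLICY   LOG LEVEL
clients   net     ACCEPT
clients   fw      DROP     info
net       all     DROP     info
all       all     REJECT   info

# --- /etc/shorewall/rules ---
# Per-VLAN variations are matched by subnet (VLAN N uses 10.0.N.0/24, assumed),
# which is what makes a single "clients" zone workable.
#ACTION   SOURCE                  DEST    PROTO   DEST PORT(S)
# Every client VLAN may use the firewall's resolver.
ACCEPT    clients:10.0.0.0/16     fw      udp     53
# Only the admin VLAN (VLAN 10, assumed) may manage the firewall over SSH.
ACCEPT    clients:10.0.10.0/24    fw      tcp     22
# The guest VLAN (VLAN 20, assumed) may not deliver mail directly.
DROP      clients:10.0.20.0/24    net     tcp     25
```

Because the source-address checks in rules are only meaningful if ROUTE_FILTER (or an equivalent per-interface routefilter setting) is in force, verify rp_filter is actually enabled on the VLAN sub-interfaces with `sysctl net.ipv4.conf.eth1/10.rp_filter` after starting Shorewall.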

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users