On 3/1/07, Andrew Suffield wrote:

> > Do you have recommendations for ethernet cards that work well with
> > VLAN trunks?
>
> We mostly use Intel e1000-based cards because they're usually
> dependable for any purpose - they weren't chosen specifically for VLAN
> support. Any non-broken card should work with Linux's software
> implementation of 802.1q.

The box I'm currently testing on has an e100 card in it, so it works fine.


> > Can you summarise the key setup details you worked out?
>
> Don't create more zones than you actually need. Don't put one line in
> shorewall/interfaces for each VLAN (shorewall's performance is subtly
> sensitive to what you put in the interfaces and hosts files), instead
> collect all the roughly-equivalent client networks with a wildcard
> line, and do any per-VLAN variations in shorewall/rules - which means
> your client networks need to have addresses that make this
> convenient. Use return-path filtering to ensure that client networks
> must use the correct addresses (so no asymmetric routing), so you can
> rely on them for filtering purposes.

I've got stuff almost sorted now, but obviously vlan-vlan security is
important - there will be different tenants. It appears that I can't
combine wildcards with route filtering and arp filtering, so if I put:

    cust  vlan+  detect  tcpflags,nosmurfs,routeback,dhcp,routefilter,arp_filter,arp_ignore=2

in my interfaces file, I get:
    WARNING: Cannot set ARP filtering on vlan+
    WARNING: Cannot set ARP filtering on vlan+
    WARNING: Cannot set route filtering on vlan+

in shorewall's output.

Other than listing each vlan separately (there are 32 of them on this
box), is it possible to set these options? I'm using a simple
mapping between vlan and ip address, e.g. vlan101 is ip 10.1.101.0/24,
vlan102 is 10.1.102.0/24 and so on.


I'm impressed with shorewall, all the time I keep finding more
features that I can actually understand!

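Since the warnings above say shorewall will not apply routefilter, arp_filter or arp_ignore to the "vlan+" wildcard, one way out is to generate a named interfaces line per VLAN and then verify the kernel settings those options correspond to. The script below is an added example, not from this thread or from shorewall itself; it assumes the zone "cust", VLAN ids 101..132 and the option list from the message, and that shorewall's routefilter/arp_filter/arp_ignore=2 map to rp_filter=1, arp_filter=1 and arp_ignore=2 under /proc/sys/net/ipv4/conf/<iface>/.

```shell
#!/bin/sh
# Assumed values (taken from the message): zone name, VLAN range, option list.
ZONE=cust
OPTIONS='tcpflags,nosmurfs,routeback,dhcp,routefilter,arp_filter,arp_ignore=2'

# gen_interfaces FIRST LAST: print one shorewall/interfaces line per vlan<N>,
# since per-interface filtering options cannot be attached to a wildcard.
gen_interfaces() {
    i=$1
    while [ "$i" -le "$2" ]; do
        printf '%s\tvlan%d\tdetect\t%s\n' "$ZONE" "$i" "$OPTIONS"
        i=$((i + 1))
    done
}

# check_vlan_sysctls SYSDIR FIRST LAST: SYSDIR is normally
# /proc/sys/net/ipv4/conf (parameterised so it can be run against a copy).
# Prints every interface whose rp_filter/arp_filter/arp_ignore differ from
# what the options should have set; the return code is the number of
# mismatching values, so 0 means every VLAN is filtered as intended.
check_vlan_sysctls() {
    dir=$1; i=$2; bad=0
    while [ "$i" -le "$3" ]; do
        ifname="vlan$i"
        for pair in rp_filter=1 arp_filter=1 arp_ignore=2; do
            key=${pair%=*}; want=${pair#*=}
            have=$(cat "$dir/$ifname/$key" 2>/dev/null || echo missing)
            if [ "$have" != "$want" ]; then
                echo "$ifname: $key=$have (expected $want)"
                bad=$((bad + 1))
            fi
        done
        i=$((i + 1))
    done
    return "$bad"
}
```

Run "gen_interfaces 101 132 >> /etc/shorewall/interfaces" once, restart shorewall, then "check_vlan_sysctls /proc/sys/net/ipv4/conf 101 132" reports any VLAN the options did not reach.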

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
