Tom Eastep wrote:

>> I've got stuff almost sorted now, but obviously vlan-vlan security is
>> important - will be different tenants. It appears that I can't
>> combine wildcards with route filtering and arp filtering, so if I put
>> :
>>
>> cust vlan+ detect
>> tcpflags,nosmurfs,routeback,dhcp,routefilter,arp_filter,arp_ignore=2
>>
>> in my interfaces file, I get :
>> WARNING: Cannot set ARP filtering on vlan+
>> WARNING: Cannot set ARP filtering on vlan+
>> WARNING: Cannot set route filtering on vlan+
>>
>> in shorewall's output.
>>
>> Other than listing each vlan separately (there's 32 of them on this
>> box), is it possible to set these options ?

>Sure -- set them yourself in a simple shell script (or if you are using a
>Debian-based distribution, set the options in a 'post-up' record in your
>interfaces file.

Can I just confirm I've got this right. I'm using Debian Etch, so in
interfaces I've put :

    up echo 1 > /proc/sys/net/ipv4/conf/vlan101/arp_filter
    up echo 2 > /proc/sys/net/ipv4/conf/vlan101/arp_ignore
    up echo 1 > /proc/sys/net/ipv4/conf/vlan101/rp_filter

in the vlan101 stanza and similarly for the other interfaces. arp_filter
and arp_ignore are obvious, I assume routefilter maps to the rp_filter
file ?
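
The shell-script route suggested in the quoted reply, as an added example that is not part of the original thread: it writes the three values from the post into every vlan* directory and then reports any interface that does not hold them. CONF_ROOT, the function names and the apply/audit arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. CONF_ROOT (an assumption of this
# example) defaults to the real sysctl tree; overriding it lets the logic
# be exercised against a scratch directory.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# Values taken from the post: arp_filter=1, arp_ignore=2, rp_filter=1.
WANTED="arp_filter=1 arp_ignore=2 rp_filter=1"

# Write the three settings into every vlan* interface directory.
apply_vlan_settings() {
    for dir in "$CONF_ROOT"/vlan*; do
        [ -d "$dir" ] || continue          # glob matched nothing
        for kv in $WANTED; do
            echo "${kv#*=}" > "$dir/${kv%%=*}"
        done
    done
}

# Print one line per setting that differs from WANTED.
# Returns 0 when every vlan* interface holds all three values, 1 otherwise.
audit_vlan_settings() {
    bad=0
    for dir in "$CONF_ROOT"/vlan*; do
        [ -d "$dir" ] || continue
        for kv in $WANTED; do
            key=${kv%%=*}
            want=${kv#*=}
            have=$(cat "$dir/$key" 2>/dev/null || true)
            if [ "$have" != "$want" ]; then
                echo "${dir##*/}: $key=${have:-unset} (want $want)"
                bad=1
            fi
        done
    done
    return $bad
}

# Run as "<script> apply" (as root) or "<script> audit"; no argument does nothing.
case "${1:-}" in
    apply) apply_vlan_settings ;;
    audit) audit_vlan_settings ;;
esac
```

The audit compares only the per-interface files; for rp_filter and arp_ignore the kernel applies the larger of the conf/all value and the per-interface value.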
