Robert Lindgren wrote:
> I'd like some guidelines for setting up a little stricter rules than
> in the default zones in the three interface example, and having used
> other firewalls before I have some questions about what is the best way
> to set things up.
>
> Example: I want ntp from a group of internal servers to be able to access
> ntp on two servers in a dmz, and nothing else.
>
> I have configured shorewall like this:
>
> Interfaces:
> - eth0 detect
> - eth1 detect
>
> Zones:
> dmz ipv4
> serv1:dmz ipv4
> loc ipv4
> serv2:loc ipv4
>
> Hosts:
> net eth0:192.168.1.0/24
> serv1 eth0:192.168.1.1,192.168.1.2
> loc eth1:192.168.2.0/24
> serv2 eth1:192.168.2.1,192.168.2.2
>
> Rules:
> NTP/ACCEPT serv2 serv1
>
> This works as expected, but is this the way to do it? Doing the config
> this way will create loads of zones. But I can't figure out any other
> way, so can someone enlighten me if I'm on the right track or not :)
>
> I use shorewall 3.4.4.
I would qualify the SOURCE and DEST in /etc/shorewall/rules rather than create 1000s of zones.

/etc/shorewall/interfaces:

net eth0 ...
loc eth1 ...

/etc/shorewall/rules:

NTP/ACCEPT loc:192.168.3.2,192.168.2.2 net:192.168.1.1,192.168.1.2

You can use shell variables in place of the individual addresses to make writing the rules easier (see http://www.shorewall.net/configuration_file_basics.html#Variables).

/etc/shorewall/params:

SERV1=192.168.1.1,192.168.1.2
SERV2=192.168.2.1,192.168.2.2

/etc/shorewall/rules:

NTP/ACCEPT loc:$SERV2 net:$SERV1

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
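To see what the qualified rule actually permits, here is an added example (not from the thread or from Shorewall itself) that reads a constructed params and rules file in the format above, expands the $SERV variables, and evaluates sample packets the way Shorewall does: first matching rule wins, otherwise the zone policy applies. It assumes the NTP macro means udp/123 and that the policy for unmatched loc-to-net traffic is DROP.

```python
import ipaddress

# Constructed sample files mirroring the reply: params holds the host lists,
# rules qualifies SOURCE/DEST as zone:hosts instead of defining extra zones.
PARAMS = """SERV1=192.168.1.1,192.168.1.2
SERV2=192.168.2.1,192.168.2.2
"""
RULES = """NTP/ACCEPT loc:$SERV2 net:$SERV1
"""
# Assumption: the NTP macro expands to udp port 123.
MACROS = {"NTP": ("udp", 123)}

def load_params(text):
    """Parse NAME=value lines from /etc/shorewall/params."""
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)

def expand(field, params):
    """Split 'zone:$VAR' or 'zone:a,b' into (zone, set of hosts); a bare zone means any host."""
    zone, _, hosts = field.partition(":")
    for name, value in params.items():
        hosts = hosts.replace("$" + name, value)
    return zone, {ipaddress.ip_address(h) for h in hosts.split(",") if h}

def load_rules(text, params):
    """Parse 'MACRO/VERDICT SOURCE DEST' lines into matchable tuples."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        action, src, dst = line.split()[:3]
        macro, _, verdict = action.partition("/")
        proto, port = MACROS[macro]
        rules.append((verdict, expand(src, params), expand(dst, params), proto, port))
    return rules

def decide(rules, src_zone, src_ip, dst_zone, dst_ip, proto, port, policy="DROP"):
    """Return the verdict of the first matching rule, or the zone policy if none matches."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for verdict, (sz, shosts), (dz, dhosts), rproto, rport in rules:
        if (sz == src_zone and (not shosts or s in shosts)
                and dz == dst_zone and (not dhosts or d in dhosts)
                and rproto == proto and rport == port):
            return verdict
    return policy

if __name__ == "__main__":
    rules = load_rules(RULES, load_params(PARAMS))
    print(decide(rules, "loc", "192.168.2.1", "net", "192.168.1.1", "udp", 123))  # ACCEPT
    print(decide(rules, "loc", "192.168.2.3", "net", "192.168.1.1", "udp", 123))  # DROP
```

A host in loc that is not in $SERV2, or a destination in net outside $SERV1, falls through to the policy, which is exactly what the original zone-per-group layout achieved with four zones.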
