Tom Eastep wrote:
> Andrzej Odyniec wrote:
> 
>> Here is a question: is there an option to write a zone name instead of
>> an interface name in any rules file, to automatically duplicate rules
>> for all interfaces in the zone (or another method of grouping
>> interfaces)? Or maybe there exists another method to direct records
>> about one interface automatically to another?
> 
> I'll think about the notion of an 'interface group' -- I won't use zone
> names. Zones are security objects and should not be used for specifying
> packet rewriting. If I could design Shorewall over again, I wouldn't
> even have DNAT and REDIRECT rules in the rules file but would rather
> have a separate file for specifying DNAT/REDIRECT.

Here's an excerpt from the 4.1.4 release notes. HTH.

3)  The /etc/shorewall/masq and /etc/shorewall/nat files now accept a
    comma-separated list of interface names where before only a single
    interface name could be listed (Shorewall-perl only).

    This feature is not for beginners. It iterates over the
    list of interfaces, substituting each interface in place of the
    list and processing the resulting entry according to the semantics
    of earlier Shorewall versions. If you don't know where to use this,
    don't try.

    Example 1:

    /etc/shorewall/masq:

    #INTERFACE              SOURCE          ADDRESS
    eth0,eth1               eth2            1.2.3.4

    equivalent to:

    #INTERFACE              SOURCE          ADDRESS
    eth0                    eth2            1.2.3.4
    eth1                    eth2            1.2.3.4

    Example 2:

    /etc/shorewall/masq:

    #INTERFACE                  SOURCE      ADDRESS
    eth0,eth1::192.168.1.0/24   eth2        1.2.3.4

    equivalent to:

    #INTERFACE              SOURCE          ADDRESS
    eth0::192.168.1.0/24    eth2            1.2.3.4
    eth1::192.168.1.0/24    eth2            1.2.3.4

    Example 3:

    /etc/shorewall/nat:

    #EXTERNAL        INTERFACE       INTERNAL
    206.124.146.178  eth0,wlan0      192.168.1.3

    equivalent to:

    #EXTERNAL        INTERFACE       INTERNAL
    206.124.146.178  eth0            192.168.1.3
    206.124.146.178  wlan0           192.168.1.3

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
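
The expansion described in the release notes above, as an added example that is not part of the original message or of Shorewall's own code: it rewrites masq/nat entries that use an interface list into the equivalent single-interface entries, which is useful when auditing exactly which interfaces a NAT entry will apply to. It assumes the interface list is the text before the first ':' in the INTERFACE column; the names expand_entry and expand_file are hypothetical.

```python
# Added example: expand comma-separated interface lists in Shorewall
# masq/nat entries into the equivalent single-interface entries.

# Column index of the INTERFACE field in each file, per the headers above.
INTERFACE_COLUMN = {"masq": 0, "nat": 1}


def expand_entry(line, kind):
    """Return the single-interface entries equivalent to one entry.

    Assumption: the interface list is the text before the first ':' in
    the INTERFACE column; the rest (e.g. '::192.168.1.0/24') is copied
    unchanged onto every expanded entry.
    """
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return [line]                      # comment or blank: pass through
    col = INTERFACE_COLUMN[kind]
    if col >= len(fields):
        raise ValueError(f"{kind} entry has no INTERFACE column: {line!r}")
    names, sep, suffix = fields[col].partition(":")
    interfaces = names.split(",")
    if any(not name for name in interfaces):
        raise ValueError(f"empty interface name in {fields[col]!r}")
    expanded = []
    for name in interfaces:
        copy = list(fields)
        copy[col] = name + sep + suffix    # substitute one name for the list
        expanded.append(" ".join(copy))
    return expanded


def expand_file(text, kind):
    """Expand every entry of a masq or nat file given as a string."""
    out = []
    for line in text.splitlines():
        out.extend(expand_entry(line.strip(), kind))
    return out


# Entries taken from Examples 2 and 3 of the release notes quoted above.
MASQ = "#INTERFACE SOURCE ADDRESS\neth0,eth1::192.168.1.0/24 eth2 1.2.3.4\n"
NAT = "#EXTERNAL INTERFACE INTERNAL\n206.124.146.178 eth0,wlan0 192.168.1.3\n"

if __name__ == "__main__":
    for kind, text in (("masq", MASQ), ("nat", NAT)):
        print(f"/etc/shorewall/{kind}:")
        for entry in expand_file(text, kind):
            print("    " + entry)
```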
