Savio Sampaio wrote:
-----And in file "started", I have: -----
shorewall add eth2:192.168.2.21 zone1
shorewall add eth2:192.168.2.22 zone1
shorewall add eth2:192.168.2.23 zone1
shorewall add eth2:192.168.2.24 zone1
shorewall add eth2:192.168.2.25 zone2
-----
The process to add all these IPs to the zones is very slow.
Of course it is. Each 'shorewall' command takes one minute because it tries to acquire the lock file which is owned by the 'shorewall' command doing the 'start' or 'restart'. That is why there is a 'nolock' option to 'shorewall':
shorewall nolock add eth2:192.168.2.21 zone1
shorewall nolock add eth2:192.168.2.22 zone1
shorewall nolock add eth2:192.168.2.23 zone1
shorewall nolock add eth2:192.168.2.24 zone1
shorewall nolock add eth2:192.168.2.25 zone2

I see that this option has disappeared from the documentation :-( I'll restore it when I get a chance.
I needed to do this, because when a user logs in, I need to shorewall delete the user from zone1, and I need to shorewall add the user in zone2.
Not really -- see below.
I tried to use in file hosts:
----
zone1 eth2:192.168.2.0/24
Just leave off the 192.168.2.0/24. With what you have, your firewall can't send or receive limited broadcasts through eth2.
zone2 eth2:192.168.2.3
----
In this case, I need only to add or delete the user in zone2. But in this case, there is a conflict in the logic of the rules when the user is using the proxy.
That's because the order of the zones in /etc/shorewall/zones is wrong. zone2 is a subzone of zone1 so it needs to be defined first. Or you need to explicitly declare it as a subzone:
zone2:zone1 ipv4
The system sees a rule to accept zone2 tcp 3128, but the system sees a rule to redirect zone1 3128 --> 8080. And with the last "hosts" file, the user will be in 2 zones, 1 and 2. I tried to use ACCEPT+ zone2 all tcp 3128 - But something is configured so that this "ACCEPT+" is not ignored by the "REDIRECT zone1" rule. I tried to use shorewall-perl, but it shows errors in /var/lib/shorewall/.start
We would have been happy to help you with those.
And I tried to understand "sub-zones", but did not find docs to read.
man shorewall-nesting

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ [EMAIL PROTECTED]
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
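As an added example (not code from the thread or from the Shorewall project), a small POSIX sh helper that issues the add/delete commands discussed above, using nolock only when it runs from the "started" extension script, where the lock is already held by the running "shorewall start". It assumes the shorewall binary lives at /sbin/shorewall and reuses the eth2/zone1/zone2 names from the thread.

```shell
# Dynamic-zone helper for Shorewall. Added example, not Tom Eastep's or the
# Shorewall project's code. Assumptions: binary at /sbin/shorewall (override
# with SHOREWALL), IN_STARTED=1 is set when called from /etc/shorewall/started,
# interface and zone names as in the thread.

SHOREWALL="${SHOREWALL:-/sbin/shorewall}"

# shorewall_cmd ARGS...: run shorewall. Inside "started" the lock is already
# owned by the running "shorewall start", so each call must use "nolock";
# from a login hook the normal locking is kept so concurrent runs serialise.
shorewall_cmd() {
    if [ "${IN_STARTED:-0}" = 1 ]; then
        "$SHOREWALL" nolock "$@"
    else
        "$SHOREWALL" "$@"
    fi
}

# bulk_add ZONE HOST...: populate a dynamic zone, as the "started" file does.
# Stops at the first failure so a partial zone is noticed rather than hidden.
bulk_add() {
    zone=$1
    shift
    for host in "$@"; do
        shorewall_cmd add "$host" "$zone" || return 1
    done
}

# move_host IFACE:ADDR FROM_ZONE TO_ZONE: delete from FROM_ZONE before adding
# to TO_ZONE, so the host is never a member of both zones at the same time.
move_host() {
    host=$1
    from=$2
    to=$3
    shorewall_cmd delete "$host" "$from" && shorewall_cmd add "$host" "$to"
}

# From /etc/shorewall/started (constructed addresses taken from the thread):
#   IN_STARTED=1; bulk_add zone1 eth2:192.168.2.21 eth2:192.168.2.22
# From a login hook, outside "started":
#   move_host eth2:192.168.2.25 zone1 zone2
```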
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users