Linux Advocate wrote:
> I thought VLANs could only be done by switches, not by Shorewall.
> Can't seem to find the doc page about VLAN setup at the Shorewall
> site. Or is the VLAN setup done in the OS and not through Shorewall?
The setup is done in the OS. For example, this is a snippet from a Debian /etc/network/interfaces file:

>auto ethint
>iface ethint inet static
>    address 10.1.1.1
>    netmask 255.255.255.0
>    vlan_raw_device ethint
>    up echo "Name-Type: VLAN_NAME_TYPE_PLUS_VID_NO_PAD" > /proc/net/vlan/config
>
>auto vlan101
>iface vlan101 inet static
>    address 10.1.101.1
>    netmask 255.255.255.0
>    vlan_raw_device ethint
>    up echo 1 > /proc/sys/net/ipv4/conf/vlan101/arp_filter
>    up echo 2 > /proc/sys/net/ipv4/conf/vlan101/arp_ignore
>    up echo 1 > /proc/sys/net/ipv4/conf/vlan101/rp_filter
>
>auto vlan102
>iface vlan102 inet static
>    address 10.1.102.1
>    netmask 255.255.255.0
>    vlan_raw_device ethint
>    up echo 1 > /proc/sys/net/ipv4/conf/vlan102/arp_filter
>    up echo 2 > /proc/sys/net/ipv4/conf/vlan102/arp_ignore
>    up echo 1 > /proc/sys/net/ipv4/conf/vlan102/rp_filter

Then for the Shorewall config. Interfaces:

>#ZONE  INTERFACE  BROADCAST  OPTIONS
>net    ethext     detect     tcpflags,routefilter,nosmurfs,logmartians,arp_filter,arp_ignore=1
>tech   ethint     detect     tcpflags,detectnets,nosmurfs,routeback,dhcp,routefilter,arp_filter,arp_ignore=2
>cust   vlan+      detect     tcpflags,nosmurfs,routeback,dhcp

Zones:

>#ZONE  TYPE
>fw     firewall
>net    ipv4
>tech   ipv4
>cust   ipv4

and configure your policies and rules as required.

For this particular box, I configured the native ethint to be a 'tech' subnet with things like the network switches and any shared services (e.g. DNS). One VLAN was allocated to each tenant, with DHCP, DNS, etc. all provided. Policies were set to block everything except cust->net, and then permit only those other connections (e.g. cust -> tech for DNS) required for things to work.

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
