Tom Eastep wrote over a year ago:

> With the solution that I implemented (allowing a list of interfaces in
> the INTERFACE columns of nat and masq file), you can use variables to
> name interface groups:
>
> /etc/shorewall/params:
>
> NET=eth0,eth1
>
> /etc/shorewall/masq:
>
> #INTERFACE SOURCE ADDRESS ...
> $NET ...
>
> I'll be releasing 4.1.4 on 1/26/2008; it will include the change.
Tom, big thanks for this solution. It has been working well for the last year. So well that I have a little suggestion for you to consider. This isn't an MHB or a need of mine. Rather, it is for consistency:

All the VPNs I set up are OpenVPN tunnels. But last month I had to set up IPsec tunnels. When I set up IPsec tunnels, I need to expand internal security zones to tunneled addresses on external internet interfaces. And in this place (hosts file) I need to declare the delegated addresses of my internal security zone for all BGP interfaces separately, i.e.:

> crp eth2:172.23.0.0/18 ipsec
> crp eth3:172.23.0.0/18 ipsec
> crp eth2:172.31.201.0/24 ipsec
> crp eth3:172.31.201.0/24 ipsec

After your change from 4.1.4 I can use a variable defined as a list of interfaces, but only in the masq or nat files. Not in hosts. I have only two ipsec delegations, so it is not a problem. But if anybody builds mainly IPsec tunnels, this can be seen as an inconsistency. So maybe you should consider expanding the syntax with a list of interfaces to the hosts file too?

Thanks for your great job.

Best regards
Andrzej Odyniec
Warsaw, Poland
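
The per-interface hosts entries described in the message above can be generated and audited from one interface list. This is an added example, not part of the original thread and not Shorewall code; `expand_hosts`, `missing_hosts` and `BGP_IFS` are hypothetical names, and it assumes IPv4 CIDR networks and the `ZONE INTERFACE:NETWORK OPTIONS` layout shown in the message.

```shell
#!/bin/sh
# Added example, not Shorewall code. Assumes IPv4 CIDR networks and the
# "ZONE INTERFACE:NETWORK OPTIONS" hosts layout shown in the message.

# expand_hosts ZONE IFACES NETS OPTIONS
# IFACES and NETS are comma-separated, like NET=eth0,eth1 in params.
# Prints one hosts line per (network, interface) pair; returns 1 and
# prints nothing if any list element is empty or has unexpected characters.
expand_hosts() {
    zone=$1 ifaces=$2 nets=$3 opts=$4 out=
    old_ifs=$IFS
    IFS=,
    for net in $nets; do
        for iface in $ifaces; do
            case $iface in ''|*[!A-Za-z0-9_.+-]*) IFS=$old_ifs; return 1 ;; esac
            case $net in ''|*[!0-9./]*) IFS=$old_ifs; return 1 ;; esac
            out="$out$zone $iface:$net $opts
"
        done
    done
    IFS=$old_ifs
    printf '%s' "$out"
}

# missing_hosts ZONE IFACES NETS OPTIONS < hosts-text
# Prints every expected entry that the hosts text on stdin lacks, so a
# forgotten interface/network pair shows up before the zone is relied on.
missing_hosts() {
    # Normalise stdin: drop comments, squeeze whitespace, trim line ends.
    have=$(sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g' \
               -e 's/^ //' -e 's/ $//')
    want=$(expand_hosts "$@") || return 1
    [ -n "$want" ] || return 0
    printf '%s\n' "$want" | while IFS= read -r line; do
        printf '%s\n' "$have" | grep -Fxq -- "$line" || printf '%s\n' "$line"
    done
}

# Constructed sample: the eth3 entry for the second network was forgotten.
sample_hosts='crp eth2:172.23.0.0/18    ipsec
crp eth3:172.23.0.0/18    ipsec
crp eth2:172.31.201.0/24  ipsec'
BGP_IFS=eth2,eth3   # hypothetical variable name
printf '%s\n' "$sample_hosts" |
    missing_hosts crp "$BGP_IFS" 172.23.0.0/18,172.31.201.0/24 ipsec
```
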
