Tom Eastep wrote:

> > A situation for using an IFB?
>
>I doubt it. Unless the OP has public IP addresses assigned to all
>internal systems, an IFB doesn't work for limiting traffic per-host. The
>reason is that the destination address of the traffic hasn't been
>'de-NATted' yet when it goes through the IFB.

Ahh, I'd overlooked that subtlety - the joys of working with real 
addresses at work :-)

An alternative that comes to mind is to run multiple hosts (possibly 
virtual). One does the external firewall stuff (inc NAT), and another 
sits between that and the internal networks. Messy, but it would 
leave the de-natted traffic on one interface to be shaped.

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
