Tom Eastep wrote:

> > A situation for using an IFB ?
>
> I doubt it. Unless the OP has public IP addresses assigned to all
> internal systems, an IFB doesn't work for limiting traffic per-host. The
> reason is that the destination address of the traffic hasn't been
> 'de-NATted' yet when it goes through the IFB.

Ahh, I'd overlooked that subtlety - the joys of working with real addresses at work :-)

An alternative that comes to mind is to run multiple hosts (possibly virtual). One does the external firewall stuff (inc NAT), and another sits between that and the internal networks. Messy, but it would leave the de-natted traffic on one interface to be shaped.

-- 
Simon Hobson
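
Added example, not part of either poster's message: a dry-run generator for per-host download limits attached to the egress side of the inner box's LAN-facing interface, the point in the thread's layout where destination addresses are already de-NATted. The interface name `eth1`, the rates and the `192.168.1.x` addresses are constructed assumptions.

```shell
#!/bin/sh
# Emit (not execute) tc commands that cap download rate per internal host.
# Meant for the LAN-facing interface, egress direction: by the time a packet
# is queued there, conntrack has reversed NAT, so "ip dst" is the host's
# private address. An IFB on the WAN side would still see the public address.

# gen_per_host_shaping DEV LINK_RATE HOST_RATE HOST...
gen_per_host_shaping() {
    dev=$1; link=$2; per_host=$3; shift 3

    # Root HTB qdisc; anything not matched by a filter falls into 1:999.
    echo "tc qdisc replace dev $dev root handle 1: htb default 999"
    echo "tc class add dev $dev parent 1: classid 1:1 htb rate $link"
    echo "tc class add dev $dev parent 1:1 classid 1:999 htb rate $per_host ceil $link"

    # One hard-capped class plus one destination-address filter per host.
    n=10
    for host in "$@"; do
        echo "tc class add dev $dev parent 1:1 classid 1:$n htb rate $per_host ceil $per_host"
        echo "tc filter add dev $dev parent 1: protocol ip prio 1 u32 match ip dst $host/32 flowid 1:$n"
        n=$((n + 1))
    done
}

# Constructed sample: 100mbit link, 10mbit cap for each of two internal hosts.
gen_per_host_shaping eth1 100mbit 10mbit 192.168.1.10 192.168.1.11
```

Review the printed commands, then pipe the output to `sh` as root on the inner host to apply them.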