Hi, I have the following config files with Shorewall 4.08:
[r...@localhost shorewall]# cat zones
fw      firewall
net     ipv4
corp    ipv4
dmz     ipv4
kvm     ipv4
road    ipv4

[r...@localhost shorewall]# cat interfaces
net     eth0    detect  routefilter,tcpflags,logmartians,nosmurfs
corp    eth1    detect  tcpflags,nosmurfs
corp    eth4    detect  tcpflags,nosmurfs
dmz     eth2    detect  tcpflags,nosmurfs,routeback
kvm     eth3    detect  tcpflags,nosmurfs
road    tun+

[r...@localhost shorewall]# cat rules
DNAT    net     dmz:172.18.222.130:443  tcp     443     -       45.124.144.12
DNAT    net     dmz:172.18.222.134:443  tcp     443     -       45.124.144.44

I need to only allow a list of IPs and subnets to 172.18.222.130. My OS does not support ipsets without patching, so I was going to create a sub zone of net called netok. Does this look sane?

zones
fw      firewall
net     ipv4
netok   ipv4
corp    ipv4
dmz     ipv4
kvm     ipv4
road    ipv4

interfaces
-       eth0    detect  routefilter,tcpflags,logmartians,nosmurfs
corp    eth1    detect  tcpflags,nosmurfs
corp    eth4    detect  tcpflags,nosmurfs
dmz     eth2    detect  tcpflags,nosmurfs,routeback
kvm     eth3    detect  tcpflags,nosmurfs
road    tun+

hosts
net     eth0
netok   eth0:122.55.62.0/24
netok   eth0:125.55.62.0/24
netok   eth0:152.55.62.0/24
netok   eth0:125.55.52.55

rules
DNAT    net     dmz:172.18.222.134:443  tcp     443     -       45.124.144.44
DNAT    netok   dmz:172.18.222.130:443  tcp     443     -       45.124.144.12

policy
net     netok   NONE
netok   net     NONE
...

Does anyone see a problem with this?

Thanks,
Pete
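As an added example (not part of Pete's post or of Shorewall itself), the following script parses the proposed hosts file, resolves which zone a source address on eth0 would fall into by longest-prefix match, and checks the intended DNAT policy: only netok sources reach 172.18.222.130, while any net source reaches 172.18.222.134. The HOSTS text and DNAT_RULES table are constructed from the post; the assumption that netok is treated as a subset of net is the poster's intent, not verified Shorewall behaviour.

```python
import ipaddress

# Constructed from the hosts entries in the post: zone, interface[:network].
HOSTS = """
net   eth0
netok eth0:122.55.62.0/24
netok eth0:125.55.62.0/24
netok eth0:152.55.62.0/24
netok eth0:125.55.52.55
"""

# Constructed from the proposed rules: DMZ host -> source zone allowed to DNAT to it.
DNAT_RULES = {"172.18.222.130": "netok", "172.18.222.134": "net"}


def parse_hosts(text):
    """Parse Shorewall hosts lines into (zone, interface, network) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        zone, spec = line.split()[:2]
        iface, _, addr = spec.partition(":")
        # A bare interface (no address) covers every address on it.
        net = ipaddress.ip_network(addr or "0.0.0.0/0", strict=False)
        entries.append((zone, iface, net))
    return entries


def zone_for(entries, iface, src):
    """Return the zone whose most specific (longest prefix) entry covers src."""
    ip = ipaddress.ip_address(src)
    best = None
    for zone, i, net in entries:
        if i == iface and ip in net:
            if best is None or net.prefixlen > best[1].prefixlen:
                best = (zone, net)
    return best[0] if best else None


def dnat_allowed(entries, src, dst_host):
    """True if the proposed rules would DNAT src to dst_host (assumed: netok is a subset of net)."""
    required = DNAT_RULES[dst_host]
    zone = zone_for(entries, "eth0", src)
    return zone == required or (required == "net" and zone == "netok")
```

The check only models the intended policy; whether Shorewall resolves the overlapping net and netok entries on eth0 this way depends on its zone ordering, so confirm the generated ruleset with `shorewall show` before relying on it.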
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
