On 12/12/2011 15:26, Tom Eastep wrote:
> On 12/12/11 6:56 AM, Ed W wrote:
>> Hi, I have several internet connections and for convenience I thought it
>> might be useful to group them by "type".  So I tried to figure out the
>> correct way to do something like:
>>
>> zones:
>> fw      firewall
>> net     ipv4
>> loc     ipv4
>> eth:net ipv4
>> wl:net  ipv4
>> ppp:net ipv4
>>
>> interfaces:
>> eth     eth0            detect          optional
>> eth     eth1            detect          optional
>> wl      wlan0           detect          optional
>> wl      wlan1           detect          optional
>> ppp     ppp0            detect          optional
>> ppp     ppp1            detect          optional
>>
>>
>> However, I get a warning about "net" being empty and my rules aren't
>> behaving the way I expect (everything seems blocked... I have
>> IMPLICIT_CONTINUE=yes)
>>
>> While I debug this, can I just check that the above should work as
>> desired, i.e. I can set rules from loc/fw to net and those rules will
>> implicitly apply to all the subzones eth/wl/ppp?  Basically in this case
>> I just want to use "net" as a group name for all my subzones.
>>
>> (The use case is that I might want to apply policies on classes of
>> interface, e.g. block voip traffic over the ppp interface, but allow over
>> the wl/eth interfaces)
> You must define the net zone as:
>
> net   +               -
>
> That must be the last line in the interfaces file. And you need the
> current version of Shorewall.
>
> -Tom

Aha!  Cool.  Does this last line change if my interfaces actually reads:

eth     eth0            detect          optional
eth     eth1            detect          optional
wl      wlan0           detect          optional
wl      wlan1           detect          optional
ppp     ppp0            detect          optional
ppp     ppp1            detect          optional
#
dmz     eth3            detect          optional
loc     br0             detect          routeback,bridge,tcpflags,nosmurfs


i.e. what if there are additional interfaces which aren't part of the net zone?

Actually, I think you might be confirming that for nested zones *by interface*,
each line in the interfaces file needs to be duplicated, once for the
child and once for the parent? (And possibly order is important, child first?)

Am I trying to do something sensible?  Perhaps there are other ways to dice 
this?

Thanks

Ed W


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
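For reference, here is the configuration the thread converges on, written out as one consolidated example (added here; it is not from Ed W's or Tom Eastep's messages, nor from the Shorewall project's own documentation). The zones and interfaces entries are the ones from the thread plus Tom's catch-all `net + -` line placed last; the policy and rules entries are assumptions chosen only to illustrate the stated use case (block SIP signalling on UDP 5060 over the ppp class, allow it over wl/eth). The dmz and loc lines are included as Ed's follow-up question posed them; whether a catch-all `+` interface also sweeps those interfaces into net is exactly the open question in the thread and is not settled by this example.

```text
# /etc/shorewall/zones
# Child zones are declared as child:parent; the parent must exist.
#ZONE     TYPE
fw        firewall
net       ipv4
loc       ipv4
dmz       ipv4
eth:net   ipv4
wl:net    ipv4
ppp:net   ipv4

# /etc/shorewall/interfaces
# Child zones are bound to their physical interfaces first ...
#ZONE     INTERFACE       BROADCAST       OPTIONS
eth       eth0            detect          optional
eth       eth1            detect          optional
wl        wlan0           detect          optional
wl        wlan1           detect          optional
ppp       ppp0            detect          optional
ppp       ppp1            detect          optional
dmz       eth3            detect          optional
loc       br0             detect          routeback,bridge,tcpflags,nosmurfs
# ... and the parent zone is bound to the wildcard interface "+"
# as the LAST line, per Tom Eastep's reply (requires a current Shorewall).
net       +               -

# /etc/shorewall/policy  (assumed; not from the thread)
#SOURCE   DEST    POLICY   LOG LEVEL
loc       net     ACCEPT
fw        net     ACCEPT
net       all     DROP     info
all       all     REJECT   info

# /etc/shorewall/rules  (assumed; not from the thread)
# With IMPLICIT_CONTINUE=Yes, traffic from loc to ppp0/ppp1 is checked
# against loc->ppp rules first; anything not matched here then falls
# through to the loc->net policy above. Port 5060/udp is SIP signalling.
#ACTION   SOURCE  DEST    PROTO   DPORT
REJECT    loc     ppp     udp     5060
```

The effect of the catch-all is that "net" becomes the group name Ed wanted: a policy written against net covers every subzone, while a more specific rule can still be written against one class of interface (ppp here) and is consulted before the parent's policy applies.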