Hi,

My network is 10.215.0.0/255.255.0.0. I set it up this way for convenience only. Actually, all my hosts are within 10.215.144-147.xxx and 10.215.246-248.xxx (shorewall zone 'loc').
I have a router linking me to another location (shorewall zone 'net2') where there are other hosts within, say, 10.215.0.xxx and 10.215.147.xxx (and more). I only require 10.215.144-145.xxx and 10.215.246-248.xxx hosts in 'loc' to communicate with any hosts within 'net2' unless the ranges collide. In other words, 'loc' hosts do NOT need to talk to 'net2' hosts 10.215.146-147.xxx (but they need to talk to 'loc' hosts 10.215.146-147.xxx), and 'net2' hosts do NOT need to talk to 'loc' hosts 10.215.146-147.xxx.

So this is why I simply set up a "wide" netmask for the 'loc' zone (255.255.0.0) and defined routes to all the 'net2' hosts through the remote router, e.g. routes via the remote router 172.20.11.49:

"10.215.0.0 netmask 255.255.128.0 gw 172.20.11.49"
"10.215.128.0 netmask 255.255.240.0 gw 172.20.11.49"
"10.215.148.0 netmask 255.255.252.0 gw 172.20.11.49"
"10.215.152.0 netmask 255.255.248.0 gw 172.20.11.49"
"10.215.160.0 netmask 255.255.224.0 gw 172.20.11.49"
"10.215.192.0 netmask 255.255.224.0 gw 172.20.11.49"
"10.215.224.0 netmask 255.255.240.0 gw 172.20.11.49"
"10.215.240.0 netmask 255.255.252.0 gw 172.20.11.49"
"10.215.244.0 netmask 255.255.254.0 gw 172.20.11.49"
"10.215.249.0 netmask 255.255.255.0 gw 172.20.11.49"
"10.215.250.0 netmask 255.255.254.0 gw 172.20.11.49"
"10.215.252.0 netmask 255.255.252.0 gw 172.20.11.49"

Then I configured Shorewall's policy to DROP everything from 'loc' to 'net2' and added ALLOW rules from loc:10.215.144-145.0,10.215.246-248.0 to 'net2'.

All "works well" from my standpoint (the 'loc' zone), which means that:

* hosts such as 10.215.147.101 can communicate with the rest of the 'loc' hosts but not with 'net2' (Shorewall drops the packets).
* 'loc' hosts can communicate with hosts such as 10.215.147.101 just as long as they're in 'loc', not 'net2'.
* 'net2' host 10.215.147.101 cannot communicate with hosts in 'loc' (no way back in the routing table, and besides, Shorewall drops net2:10.215.147.0 to loc).
* any hosts in loc:10.215.144-145.0,10.215.246-248.0 can talk to any 'net2' hosts and vice versa, just as long as their IP addresses are within the routing table definition above.

My concern is with broadcasts. Does the Shorewall DROP policy loc->net2 also drop broadcasts? Or should I use the dropBcast action? Normally, no request should come from 'net2' to a 'loc' host with IP address 10.215.147.101. If it did, wouldn't Shorewall block the broadcast from loc:10.215.147.101 to net2 anyway?

Thanks,
Vieri
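As an added sanity check of the routing table in the post (example code, not from the poster or from Shorewall): a small Python model of longest-prefix matching over the twelve listed routes plus the connected /16, which confirms which 10.215.X.0/24 blocks stay in 'loc' and that the net2 prefixes do not overlap each other. The "local" next-hop label and the function names are my own assumptions.

```python
import ipaddress

# The twelve routes from the post, in the netmask form they were given,
# all pointing at the remote router for the 'net2' zone.
NET2_ROUTER = "172.20.11.49"
NET2_ROUTES = [
    "10.215.0.0/255.255.128.0",   "10.215.128.0/255.255.240.0",
    "10.215.148.0/255.255.252.0", "10.215.152.0/255.255.248.0",
    "10.215.160.0/255.255.224.0", "10.215.192.0/255.255.224.0",
    "10.215.224.0/255.255.240.0", "10.215.240.0/255.255.252.0",
    "10.215.244.0/255.255.254.0", "10.215.249.0/255.255.255.0",
    "10.215.250.0/255.255.254.0", "10.215.252.0/255.255.252.0",
]
# The "wide" connected network on the 'loc' interface (255.255.0.0).
LOC_CONNECTED = "10.215.0.0/255.255.0.0"


def build_table():
    """Routing table as (network, next-hop) pairs; 'local' = delivered on 'loc'."""
    table = [(ipaddress.ip_network(LOC_CONNECTED), "local")]
    table += [(ipaddress.ip_network(n), NET2_ROUTER) for n in NET2_ROUTES]
    return table


def next_hop(ip, table=None):
    """Longest-prefix match, the same selection rule the kernel applies."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, gw in (table or build_table()):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def third_octets_kept_local():
    """Third octets X for which 10.215.X.0/24 is NOT handed to the net2 router."""
    table = build_table()
    return [x for x in range(256) if next_hop(f"10.215.{x}.1", table) == "local"]


def overlapping_net2_routes():
    """Pairs of net2 prefixes that overlap (an empty list means no ambiguity)."""
    nets = [ipaddress.ip_network(n) for n in NET2_ROUTES]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    print("kept local:", third_octets_kept_local())
    print("overlaps:", overlapping_net2_routes())
```

Running it shows that exactly the 144-147 and 246-248 blocks fall through to the connected /16, which is why 10.215.147.101 is reachable only as a 'loc' host and never via the router.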
