[ale] Shorewall and multiple ips

Greg Canter gcanter at speedfactory.net
Sun Mar 9 01:35:32 EST 2008


Yes, I saw it, but I am not using it in the "i" or "o" configurations.  It
then goes on to state
"Shorewall does not allow them to be used in the /etc/shorewall/interfaces
file or anywhere else except as described in the discussion below.

Adding Addresses to Interfaces

Most distributions have a facility for adding additional addresses to
interfaces. If you have already used your distribution's capability to add
your required addresses, you can skip this section.

Shorewall provides facilities for automatically adding addresses to
interfaces as described in the following section. It is also easy to add
them yourself using the ip utility. The above alias was added using:

ip addr add 206.124.146.178/24 brd 206.124.146.255 dev eth0 label eth0:0
You probably want to arrange to add these addresses when the device is
started rather than placing commands like the above in one of the Shorewall
extension scripts. For example, on RedHat systems, you can place the
commands in /sbin/ifup-local:

#!/bin/sh

case $1 in
    eth0)
        /sbin/ip addr add 206.124.146.178 dev eth0 label eth0:0
        ;;
esac
RedHat systems also allow adding such aliases from the network
administration GUI (which only works well if you have a graphical
environment on your firewall)." blah blah blah

I am not sure why they reference ip and ifconfig unless maybe they are using
their output?  If so then it kinda looks like I can run
"up ip addr add 206.124.146.178/24 brd 206.124.146.255 dev eth0 label
eth0:0" to set my alias.  However running ip already shows it's done.

mylogin at myslice ~/rails_app: ip addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 40:40:d0:4e:60:d9 brd ff:ff:ff:ff:ff:ff
    inet 208.78.96.217/24 brd 208.78.96.255 scope global eth0
    inet 67.207.146.38/24 brd 67.207.146.255 scope global eth0:1
    inet 67.207.146.141/24 brd 67.207.146.255 scope global secondary eth0:2
    inet6 fe80::4240:d0ff:fe4e:60d9/64 scope link
       valid_lft forever preferred_lft forever

I sent a message to the list asking for help and to the Slicehost forums
also.  The Slicehost forums suggested I just use iptables.  I have not
gotten anything back from the Slicehost list yet.  Hopefully it's just
something in my config files.

Yeah, I wish Linux would follow FreeBSD and adopt pf in its glory and
simplicity.  My world would be a whole lot simpler.

If I can't get Shorewall to work then I will try to just use iptables and
use the physical interface (if Jim Popovitch recalls correctly).

It's curious as I would expect the usage of aliases to be pretty widespread.

- Greg


On 3/8/08 9:11 PM, "Brian Pitts" <brian at polibyte.com> wrote:

> Greg Canter wrote:
>> I currently am setting up a firewall on a vps slice from Slicehost.  I have
>> 3 dedicated IP addresses and one interface.  The ip addresses are on eth0,
>> eth0:1, and eth0:2.  As you can see, the last 2 addresses are on aliases.
>> 
>> I am trying to get Shorewall to set up the firewall but am having some
>> difficulties.  My questions are
>> 
>> 1) Does anyone have any experience with Shorewall and if so can it be used
>> for this purpose ?  And
>> 
>> 2) Can iptables handle each IP separately or does it just handle interfaces?
>> 
>> Alas, Mr. Google has failed me in a definitive answer and thus I am looking
>> for any clues, hints, etc. from the list.  My experience in firewalls is
>> primarily in OpenBSD and pf.
>> 
> 
> Hi Greg,
> 
> Did you take a look at
> http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html ?
> 
> It says "The iptables program doesn't support virtual interfaces in
> either its "-i" or "-o" command options; as a consequence, Shorewall
> does not allow them to be used in the /etc/shorewall/interfaces file or
> anywhere else except as described in the discussion below."
> 
> -Brian
> 
> PS - Ubuntu is working on an iptables configuration tool that uses
> OpenBSD's pf syntax, but they haven't added router/gateway
> configuration, NAT, QoS configuration, /proc adjustments, and the like
> yet. https://wiki.ubuntu.com/UbuntuFirewall
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
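The point behind Brian's quote and Greg's second question is that iptables has no notion of the alias labels eth0:1 and eth0:2; it matches the physical interface with -i and the individual address with -d. The script below is an added example (not from this thread, Shorewall, or Slicehost): it takes a constructed copy of the `ip addr show dev eth0` listing Greg posted, pulls out the three IPv4 addresses, and prints per-address iptables-restore rules using a policy that is an assumption for the example (SSH only on the primary address, HTTP/HTTPS only on the aliases). It prints rules rather than loading them.

```shell
#!/bin/sh
# Added example: per-IP iptables rules for an interface with aliased addresses.
# iptables never sees alias labels (eth0:1, eth0:2); it matches the physical
# interface (-i eth0) and the destination address (-d) instead.

# Constructed sample: the `ip addr show dev eth0` output quoted in the thread.
SAMPLE_IP_OUTPUT='2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 40:40:d0:4e:60:d9 brd ff:ff:ff:ff:ff:ff
    inet 208.78.96.217/24 brd 208.78.96.255 scope global eth0
    inet 67.207.146.38/24 brd 67.207.146.255 scope global eth0:1
    inet 67.207.146.141/24 brd 67.207.146.255 scope global secondary eth0:2
    inet6 fe80::4240:d0ff:fe4e:60d9/64 scope link
       valid_lft forever preferred_lft forever'

# Print "address label" for every IPv4 address in the listing ($1).
# The label is the alias name; it is shown here only to make the point that
# it does not appear anywhere in the generated rules.
list_ipv4_addresses() {
    printf '%s\n' "$1" | awk '$1 == "inet" { sub(/\/.*/, "", $2); print $2, $NF }'
}

# Emit an iptables-restore fragment for the listing in $1 (assumed policy):
# first address (the primary) accepts SSH, every other address accepts
# HTTP/HTTPS, everything else to INPUT is dropped by the chain policy.
per_ip_rules() {
    list_ipv4_addresses "$1" | awk '
        BEGIN {
            print "*filter"
            print ":INPUT DROP [0:0]"
            print "-A INPUT -i lo -j ACCEPT"
            print "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        }
        NR == 1 { printf "-A INPUT -i eth0 -d %s -p tcp --dport 22 -j ACCEPT\n", $1; next }
        { printf "-A INPUT -i eth0 -d %s -p tcp -m multiport --dports 80,443 -j ACCEPT\n", $1 }
        END { print "COMMIT" }'
}

# Stand-alone run: print the rules for the sample listing.
per_ip_rules "$SAMPLE_IP_OUTPUT"
```

On a real host the output would be fed to `iptables-restore` after review; swap in the live `ip -4 addr show dev eth0` output for the constructed sample.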
