On 07/24/2018 04:04 AM, Timo Sigurdsson wrote:
> Hi,
> 
> I use shorewall 5.0.15.6 on my router running Debian 9. I have several 
> interfaces which I don't use directly for IP traffic but rather as "parents" 
> for other interfaces such as VLANs, for example. I wonder how to properly 
> configure them, since I don't want any traffic to pass these interfaces 
> unaccounted for.
> 
> Example: My external connection is a PPPoE connection, so my external 
> interface is "ppp0". Since it's a VDSL line, the PPPoE traffic has to be 
> tagged with a specific VLAN ID. Hence ppp0 sits on top of interface "eth0.7" 
> - which in turn sits on top of interface "eth0". eth0 and eth0.7 don't get 
> IP addresses (except for the link-local IPv6 addresses fe80:.* which are 
> automatically assigned) and should not accept or send any IP traffic.
> 
> My current setup is that I put my "unused" parent interfaces in a zone "raw" 
> in /etc/shorewall{6,}/interfaces. But I don't set any policy for the zone raw 
> in /etc/shorewall{6,}/policy. I'm assuming this way the last policy "all all 
> REJECT" applies to these interfaces.
> 
> But I'm wondering: Does this approach make sense? Is there a better way to 
> deal with such interfaces? Or is it even necessary to mention these 
> interfaces in the shorewall configuration (or in other terms, what happens to 
> additional interfaces that are not mentioned in the shorewall configuration)? 
> Thanks!
> 
> 

You don't need to mention these interfaces at all.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
