Michael,

I went through the documentation of Shorewall and wrote these 4 files I'll test over the week-end (I am at work now in a Windows-only environment).

Zones:
#ZONE     TYPE        OPTIONS     IN OPTIONS     OUT OPTIONS
fw        firewall
data      ipv4
rest      ipv4

Policy:
# Shorewall policy keywords are case-sensitive: ACCEPT, DROP, REJECT
#SOURCE   DEST      POLICY     LOG LEVEL     LIMIT:BURST
data      rest      DROP
rest      data      DROP
fw        rest      ACCEPT     err
fw        data      ACCEPT     err
data      fw        ACCEPT     err
rest      fw        ACCEPT     err

Interfaces:
#SOURCE   DEST      POLICY     LOG LEVEL     LIMIT:BURST
data      rest      DROP
rest      data      DROP
fw        rest      ACCEPT     err
fw        data      ACCEPT     err
data      fw        ACCEPT     err
rest      fw        ACCEPT     err

Rules:
# Shorewall actions are case-sensitive: ACCEPT, REJECT (also inside macro
# invocations such as SMB/ACCEPT)
#ACTION       SOURCE   DEST    PROTO   DEST PORT(S)   # Comments
ACCEPT        fw       data    tcp     111            # portmapper
ACCEPT        fw       data    udp     111
ACCEPT        fw       data    tcp     2049           # rpc.nfsd
ACCEPT        fw       data    udp     2049
ACCEPT        fw       data    tcp     4000:4002      # rpc.statd, rpc.lockd, rpc.mountd
ACCEPT        fw       data    udp     4000:4002
ACCEPT        fw       data    tcp     4003           # rpc.rquotad
ACCEPT        fw       data    udp     4003
ACCEPT        data     fw      tcp     111            # portmapper
ACCEPT        data     fw      udp     111
ACCEPT        data     fw      tcp     2049           # rpc.nfsd
ACCEPT        data     fw      udp     2049
ACCEPT        data     fw      tcp     4000:4002      # rpc.statd, rpc.lockd, rpc.mountd
ACCEPT        data     fw      udp     4000:4002
ACCEPT        data     fw      tcp     4003           # rpc.rquotad
ACCEPT        data     fw      udp     4003
SMB/ACCEPT    fw       data                           # Samba
SMB/ACCEPT    data     fw
ACCEPT        fw       data    tcp     1077:1080      # NBD
ACCEPT        data     fw      tcp     1077:1080
REJECT        fw       rest    tcp     111            # portmapper
REJECT        fw       rest    udp     111
REJECT        fw       rest    tcp     2049           # rpc.nfsd
REJECT        fw       rest    udp     2049
REJECT        fw       rest    tcp     4000:4002      # rpc.statd, rpc.lockd, rpc.mountd
REJECT        fw       rest    udp     4000:4002
REJECT        fw       rest    tcp     4003           # rpc.rquotad
REJECT        fw       rest    udp     4003
REJECT        rest     fw      tcp     111            # portmapper
REJECT        rest     fw      udp     111
REJECT        rest     fw      tcp     2049           # rpc.nfsd
REJECT        rest     fw      udp     2049
REJECT        rest     fw      tcp     4000:4002      # rpc.statd, rpc.lockd, rpc.mountd
REJECT        rest     fw      udp     4000:4002
REJECT        rest     fw      tcp     4003           # rpc.rquotad
REJECT        rest     fw      udp     4003
SMB/REJECT    fw       rest                           # Samba
SMB/REJECT    rest     fw
REJECT        fw       rest    tcp     1077:1080      # NBD
REJECT        rest     fw      tcp     1077:1080

Does the rules file seem right?
I set it up to allow data-related traffic between one zone and the file server itself and to block it between the other zone and the file server. I was wondering if I have to specify both or whether specifying one implicitly specifies the other.

Thanks!

Charles

On 6/14/07, Rosberg, Michael <m [ dot ] rosberg [ at ] telesat [ dot ] ca> wrote:
> -----Original Message-----
> From: linux-bounces [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca [mailto:linux-
> bounces [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca] On Behalf Of Charles Nadeau
> Sent: Thursday, June 14, 2007 12:08 PM
> To: linux [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca
> Subject: [OCLUG-Tech] Routing traffic by port number to two interfaces
>
> Hi,
>
> I have a quick question for the networking experts on the list:
>
> I have a file server with two network cards (eth0 and eth1). Each of them
> will be linked to two different switches.
> I would like to use one of the two network cards for NFS, NBD and SMB/CIFS
> traffic only.

Charles,

One option would be to specify the interface(s) that the Samba service will listen on. Take a look at the following config parameter, which I cut from the smb.conf man page:

"bind interfaces only (G)
This global parameter allows the Samba admin to limit what interfaces on a machine will serve SMB requests. It affects file service smbd(8) and name service nmbd(8) in a slightly different ways."

A quick answer to your other questions; yes, it is possible for a Linux computer to have two network cards on the same IP subnet. In most cases both interfaces would require a unique IP address. And yes, it is possible to configure Shorewall (or technically any iptables implementation) to allow specific applications through one network interface and not through others.

MikeR.
-- 
Charles Nadeau Ph.D.
http://charlesnadeau.blogspot.com/
http://radio.weblogs.com/0111823/
A job for me? Here is my CV: http://resumes.hotjobs.com/charlesnadeau/resumeprincipal
Got a job for me? Here is my Resume: http://resumes.hotjobs.com/charlesnadeau/resumeprincipal
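Added example, not from the thread and not Shorewall's or Samba's own code: a complete Shorewall (3.x-era) file set for the split Charles describes, plus the smb.conf fragment Michael points at, written as a shell script that drops the files into a directory of your choice so they can be compiled with `shorewall check <dir>` before anything touches /etc/shorewall. It assumes, which the thread does not state, that eth0 is the NIC on the "data" zone and eth1 the NIC on the "rest" zone, and that the RPC daemons are pinned to the ports listed in Charles's rules. It also fills in the interfaces file, which in the post above was pasted as a copy of the policy file. On the "do I need both directions" question: Shorewall rules match connection setup only and reply packets are passed by connection tracking, so one rule is needed per side that initiates, not one per packet direction.

```shell
#!/bin/sh
# Added example (not from the OCLUG thread). Writes a Shorewall file set and an
# smb.conf fragment into a directory so they can be checked before deployment.
# Assumptions (hypothetical): eth0 faces the "data" zone that may use
# NFS/NBD/SMB, eth1 faces the "rest" zone, and the RPC daemons are pinned
# to the ports from Charles's rules file.

write_shorewall_config() {
    dir="$1"
    mkdir -p "$dir"

    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE        OPTIONS   IN OPTIONS   OUT OPTIONS
fw      firewall
data    ipv4
rest    ipv4
EOF

    # Binds each zone to a NIC; the interface names are an assumption.
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
data    eth0        detect      tcpflags,nosmurfs
rest    eth1        detect      tcpflags,nosmurfs
EOF

    # Policy keywords are upper-case; "accept"/"drop" fail to compile.
    cat > "$dir/policy" <<'EOF'
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
data      rest   DROP     info
rest      data   DROP     info
fw        all    ACCEPT
data      fw     ACCEPT
rest      fw     ACCEPT   err
all       all    REJECT   info
EOF

    # Rules match connection *setup* only; replies are handled by conntrack,
    # so one line per initiating side is enough. Comma lists and a:b ranges
    # in DEST PORT(S) use the iptables multiport match.
    cat > "$dir/rules" <<'EOF'
#ACTION      SOURCE   DEST   PROTO   DEST PORT(S)
# Clients on the data LAN may open NFS, NBD and SMB sessions to the server.
ACCEPT       data     fw     tcp     111,2049,4000:4003    # portmapper, nfsd, statd/lockd/mountd, rquotad
ACCEPT       data     fw     udp     111,2049,4000:4003
ACCEPT       data     fw     tcp     1077:1080             # NBD
SMB/ACCEPT   data     fw
# The server itself only initiates towards clients for NSM/NLM callbacks
# (rpc.statd / lockd); this assumes the clients pin the same ports.
ACCEPT       fw       data   tcp     111,4000:4002
ACCEPT       fw       data   udp     111,4000:4002
# rest->fw is ACCEPT by policy, so the file-serving ports are rejected here.
REJECT       rest     fw     tcp     111,2049,4000:4003,1077:1080
REJECT       rest     fw     udp     111,2049,4000:4003
SMB/REJECT   rest     fw
EOF
}

# Samba side of the same split: smbd/nmbd listen only on the data NIC.
# Keep lo in the list; with "bind interfaces only = yes" tools that reach
# Samba over 127.0.0.1 (smbpasswd, swat) stop working otherwise.
write_smb_fragment() {
    cat > "$1" <<'EOF'
[global]
    interfaces = lo eth0
    bind interfaces only = yes
EOF
}

# Dry-run the set with Shorewall's own compiler when it is installed;
# "shorewall check <dir>" compiles from <dir> instead of /etc/shorewall.
check_shorewall_config() {
    if command -v shorewall >/dev/null 2>&1; then
        shorewall check "$1"
    else
        echo "shorewall not installed, skipping compile check" >&2
        return 0
    fi
}

# Usage: sh shorewall-split.sh /tmp/shorewall-test
if [ -n "${1:-}" ]; then
    write_shorewall_config "$1"
    write_smb_fragment "$1/smb.conf"
    check_shorewall_config "$1"
fi
```

Two design notes. The fw->rest REJECT lines in the original post are left out because they only stop the server itself from opening NFS/SMB sessions towards hosts in rest; they do nothing to keep rest clients out, which is what the rest->fw REJECTs do. Tighter still would be a DROP policy for rest->fw with explicit ACCEPTs for whatever rest really needs (ssh, say), which makes the per-port REJECTs unnecessary; the ACCEPT-by-policy layout above keeps Charles's design but with correct keyword case.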