Michael,

I think it will be simpler if I put one network card in the server and one in
the workstation and have them on their own segment (192.168.1.x). In this case
I can just add a new route on each machine and all the traffic between the two
machines will pass through this link. I'll test this later this week if I have
the time.

Thanks for your help!

Charles

On 6/15/07, Rosberg, Michael <m [ dot ] rosberg [ at ] telesat [ dot ] ca> wrote:
>
> Hi Charles,
>
> I'm afraid I haven't worked with Shorewall rulesets before, so I'm not the
> best person to comment on your configuration. It shouldn't be too difficult
> to validate your config with some testing, as you'd planned to do. If you
> don't see the results you were expecting do post back as there are some more
> generic ways for us to discuss your firewall setup.
>
> Good luck,
>
> MikeR.
>
> -----Original Message-----
> From: Charles Nadeau [mailto:charles [ dot ] nadeau [ at ] gmail [ dot ] com]
> Sent: Thursday, June 14, 2007 3:39 PM
> To: Rosberg, Michael
> Cc: linux [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca
> Subject: Re: [OCLUG-Tech] Routing traffic by port number to two interfaces
>
> Michael,
>
> I went through the documentation of Shorewall and wrote these 4 files I'll
> test over the week-end (I am at work now in a Windows-only environment).
>
> Zones:
>
> #ZONE   TYPE       OPTIONS   IN OPTIONS   OUT OPTIONS
> fw      firewall
> data    ipv4
> rest    ipv4
>
> Policy:
>
> #SOURCE ZONE   DEST ZONE   POLICY   LOG LEVEL   LIMIT:BURST
> data           rest        DROP
> rest           data        DROP
> fw             rest        ACCEPT   err
> fw             data        ACCEPT   err
> data           fw          ACCEPT   err
> rest           fw          ACCEPT   err
>
> Interfaces:
>
> #SOURCE ZONE   DEST ZONE   POLICY   LOG LEVEL   LIMIT:BURST
> data           rest        DROP
> rest           data        DROP
> fw             rest        ACCEPT   err
> fw             data        ACCEPT   err
> data           fw          ACCEPT   err
> rest           fw          ACCEPT   err
>
> Rules:
>
> #ACTION       SOURCE   DEST   PROTO   DEST PORT(S)   COMMENTS
> ACCEPT        fw       data   tcp     111            # portmapper
> ACCEPT        fw       data   udp     111
> ACCEPT        fw       data   tcp     2049           # rpc.nfsd
> ACCEPT        fw       data   udp     2049
> ACCEPT        fw       data   tcp     4000:4002      # rpc.statd, rpc.lockd, rpc.mountd
> ACCEPT        fw       data   udp     4000:4002
> ACCEPT        fw       data   tcp     4003           # rpc.rquotad
> ACCEPT        fw       data   udp     4003
> ACCEPT        data     fw     tcp     111            # portmapper
> ACCEPT        data     fw     udp     111
> ACCEPT        data     fw     tcp     2049           # rpc.nfsd
> ACCEPT        data     fw     udp     2049
> ACCEPT        data     fw     tcp     4000:4002      # rpc.statd, rpc.lockd, rpc.mountd
> ACCEPT        data     fw     udp     4000:4002
> ACCEPT        data     fw     tcp     4003           # rpc.rquotad
> ACCEPT        data     fw     udp     4003
> SMB/ACCEPT    fw       data                          # Samba
> SMB/ACCEPT    data     fw
> ACCEPT        fw       data   tcp     1077:1080      # NBD
> ACCEPT        data     fw     tcp     1077:1080
> REJECT        fw       rest   tcp     111            # portmapper
> REJECT        fw       rest   udp     111
> REJECT        fw       rest   tcp     2049           # rpc.nfsd
> REJECT        fw       rest   udp     2049
> REJECT        fw       rest   tcp     4000:4002      # rpc.statd, rpc.lockd, rpc.mountd
> REJECT        fw       rest   udp     4000:4002
> REJECT        fw       rest   tcp     4003           # rpc.rquotad
> REJECT        fw       rest   udp     4003
> REJECT        rest     fw     tcp     111            # portmapper
> REJECT        rest     fw     udp     111
> REJECT        rest     fw     tcp     2049           # rpc.nfsd
> REJECT        rest     fw     udp     2049
> REJECT        rest     fw     tcp     4000:4002      # rpc.statd, rpc.lockd, rpc.mountd
> REJECT        rest     fw     udp     4000:4002
> REJECT        rest     fw     tcp     4003           # rpc.rquotad
> REJECT        rest     fw     udp     4003
> SMB/REJECT    fw       rest                          # Samba
> SMB/REJECT    rest     fw
> REJECT        fw       rest   tcp     1077:1080      # NBD
> REJECT        rest     fw     tcp     1077:1080
>
> Does the rules file seem right?
> I set it up to allow data related traffic between one zone and the file
> server itself and block it between the other zone and the file server. I was
> wondering if I have to specify both or if specifying one implicitly specifies
> the other.
>
> Thanks!
>
> Charles
>
> On 6/14/07, Rosberg, Michael <m [ dot ] rosberg [ at ] telesat [ dot ] ca> wrote:
>
> > -----Original Message-----
> > From: linux-bounces [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca [mailto:linux-
> > bounces [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca] On Behalf Of Charles Nadeau
> > Sent: Thursday, June 14, 2007 12:08 PM
> > To: linux [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca
> > Subject: [OCLUG-Tech] Routing traffic by port number to two interfaces
> >
> > Hi,
> >
> > I have a quick question for the networking experts on the list:
> >
> > I have a file server with two network cards (eth0 and eth1). Each of them
> > will be linked to two different switches.
> > I would like to use one of the two network cards for NFS, NBD and SMB/CIFS
> > traffic only.
>
> Charles,
>
> One option would be to specify the interface(s) that the Samba service will
> listen on. Take a look at the following config parameter which I cut
> from the smb.conf man page:
>
> "bind interfaces only (G)
> This global parameter allows the Samba admin to
> limit what interfaces on a machine will serve SMB requests. It affects
> file service smbd(8) and name service nmbd(8) in a slightly different
> way."
>
> A quick answer to your other questions: yes, it is possible for a Linux
> computer to have two network cards on the same IP subnet. In most cases
> both interfaces would require a unique IP address. And yes, it is
> possible to configure Shorewall (or technically any iptables
> implementation) to allow specific applications through one network
> interface and not through others.
>
> MikeR.
>
>
> --
> Charles Nadeau Ph.D.
> http://charlesnadeau.blogspot.com/
> http://radio.weblogs.com/0111823/
> A job for me? Here is my CV:
> http://resumes.hotjobs.com/charlesnadeau/resumeprincipal
> Got a job for me? Here is my Resume:
> http://resumes.hotjobs.com/charlesnadeau/resumeprincipal

--
Charles Nadeau Ph.D.
http://charlesnadeau.blogspot.com/
http://radio.weblogs.com/0111823/
A job for me? Here is my CV:
http://resumes.hotjobs.com/charlesnadeau/resumeprincipal
Got a job for me? Here is my Resume:
http://resumes.hotjobs.com/charlesnadeau/resumeprincipal
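An added example, not part of the thread and not anyone's posted config: a small Python audit over a rules file written in the format Charles posted. It lists the services ACCEPTed in one direction between the firewall zone (the file server itself) and the trusted zone but not the other, which is the symmetry question he raised, and any ACCEPT that involves the untrusted zone. Shorewall rules match new connections in the stated direction and connection tracking handles the replies, so a one-directional entry is not automatically a mistake; the audit only surfaces it for review. The zone names, sample rules and the deliberate leak line are constructed for the demo.

```python
"""Audit a Shorewall-style rules file for file-sharing services that are
accepted in only one direction, or accepted to/from the untrusted zone."""
from collections import defaultdict

# Constructed sample in the shape of the rules file posted in the thread.
# It is not the original file: it keeps a few entries of the same kind and
# adds one deliberate leak (udp/2049 accepted from "rest") for the audit to flag.
SAMPLE_RULES = """\
#ACTION     SOURCE  DEST  PROTO  DEST PORT(S)  COMMENTS
ACCEPT      fw      data  tcp    111           # portmapper
ACCEPT      fw      data  udp    111
ACCEPT      fw      data  tcp    2049          # rpc.nfsd
ACCEPT      data    fw    tcp    111
ACCEPT      data    fw    udp    111
ACCEPT      data    fw    tcp    2049
ACCEPT      data    fw    tcp    1077:1080     # NBD, one direction only
SMB/ACCEPT  fw      data                       # Samba macro
SMB/ACCEPT  data    fw
REJECT      fw      rest  tcp    111
REJECT      rest    fw    tcp    111
ACCEPT      rest    fw    udp    2049          # the constructed leak
"""


def expand_ports(spec):
    """Expand a port column: '111' -> {111}, '4000:4002' -> {4000, 4001, 4002},
    '111,2049' -> {111, 2049}."""
    ports = set()
    for part in spec.split(","):
        if ":" in part:
            lo, hi = part.split(":", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


def parse_rules(text):
    """Return (action, source, dest, services) tuples. A service is a
    'proto/port' string; a MACRO/ACTION entry such as SMB/ACCEPT is recorded
    as the macro name, because the macro supplies its own protocols and ports."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        action, src, dst = fields[:3]
        if "/" in action:                      # macro invocation
            macro, action = action.split("/", 1)
            services = {macro}
        else:
            proto, portspec = fields[3], fields[4]
            services = {f"{proto}/{p}" for p in expand_ports(portspec)}
        rules.append((action, src, dst, frozenset(services)))
    return rules


def audit(rules, fw="fw", trusted="data", untrusted="rest"):
    """Collect what is ACCEPTed per (source, dest) pair, then report
    services accepted between fw and the trusted zone in only one direction,
    and every ACCEPT whose source or destination is the untrusted zone."""
    accepted = defaultdict(set)
    for action, src, dst, services in rules:
        if action == "ACCEPT":
            accepted[(src, dst)].update(services)
    asymmetric = accepted[(fw, trusted)] ^ accepted[(trusted, fw)]
    leaks = sorted(
        (src, dst, svc)
        for (src, dst), services in accepted.items()
        if untrusted in (src, dst)
        for svc in services
    )
    return {"asymmetric": sorted(asymmetric), "leaks": leaks}


if __name__ == "__main__":
    for kind, items in audit(parse_rules(SAMPLE_RULES)).items():
        print(kind, items)
```

Run against a real rules file, the "leaks" list should be empty when the intent is that the file-sharing ports are reachable only over the data segment; the "asymmetric" list is a reading aid, since NFS clients only need the data-to-fw direction unless the server has to call back to them.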