Virtual Interfaces
Linux has two mechanisms for handling more than one IP address on an interface. The first creates a new virtual device, in the form of 'eth0:0'. The second just adds another IP address to an existing device. Both are supported by Vuurmuur.
Creating a virtual interface
To create a virtual interface, take the same steps as when creating a normal interface:
- go to Interfaces
- press 'insert'
- enter the name
- enter the IP address
- enter the device
Now press F5 to enable 'Advanced options'. A checkbox called 'Virtual' becomes visible. Enable it.
The next step is to attach the interface to the network it sits in.
Creating rules with virtual interfaces
For the most part a virtual interface in Vuurmuur is just like a normal interface, so there are no special remarks about the rules. However, most people using virtual interfaces probably have a firewall with multiple public IP addresses, and want different rules per IP address. The following example assumes a firewall with two interfaces on the internet, in the network world.inet:
- wan-34, with device ppp0 and IP address 12.12.34.34
- wan-35, with device ppp0:0 (so virtual) and IP address 12.12.34.35
The IP addresses 34 and 35 are each to be used for a different mail server; both servers sit behind the firewall in a privately addressed network, local.lan.
First, let's make sure that each server only uses the public IP address that is meant for it when sending out mail using smtp:
    accept service smtp from redmailserver.local.lan to world.inet options out_int="wan-34"
    snat service smtp from redmailserver.local.lan to world.inet options out_int="wan-34"
    accept service smtp from bluemailserver.local.lan to world.inet options out_int="wan-35"
    snat service smtp from bluemailserver.local.lan to world.inet options out_int="wan-35"
Next, we want users on the internet to use 12.12.34.34 for the redmailserver and 12.12.34.35 for the blue one:
    portfw service imap from world.inet to redmailserver.local.lan options in_int="wan-34"
    portfw service pop3 from world.inet to redmailserver.local.lan options in_int="wan-34"
    portfw service smtp from world.inet to redmailserver.local.lan options in_int="wan-34"
    portfw service imap from world.inet to bluemailserver.local.lan options in_int="wan-35"
    portfw service pop3 from world.inet to bluemailserver.local.lan options in_int="wan-35"
    portfw service smtp from world.inet to bluemailserver.local.lan options in_int="wan-35"
As you can see, the in_int and out_int options are crucial here.