mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-25 23:59:01 +01:00
645 lines
17 KiB
XML
645 lines
17 KiB
XML
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||
|
<article id="Multiple_Zones">
|
||
|
<articleinfo>
|
||
|
<title>Multiple Zones per Interface</title>
|
||
|
|
||
|
<authorgroup>
|
||
|
<author>
|
||
|
<firstname>Tom</firstname>
|
||
|
|
||
|
<surname>Eastep</surname>
|
||
|
</author>
|
||
|
</authorgroup>
|
||
|
|
||
|
<pubdate>2003-11-21</pubdate>
|
||
|
|
||
|
<copyright>
|
||
|
<year>2003</year>
|
||
|
|
||
|
<holder>Thomas M. Eastep</holder>
|
||
|
</copyright>
|
||
|
|
||
|
<legalnotice>
|
||
|
<para>Permission is granted to copy, distribute and/or modify this
|
||
|
document under the terms of the GNU Free Documentation License, Version
|
||
|
1.2 or any later version published by the Free Software Foundation; with
|
||
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||
|
Texts. A copy of the license is included in the section entitled "<ulink
|
||
|
url="GnuCopyright.htm">GNU Free Documentation License</ulink>".</para>
|
||
|
</legalnotice>
|
||
|
</articleinfo>
|
||
|
|
||
|
<section>
|
||
|
<title>Introduction</title>
|
||
|
|
||
|
<para>While most configurations can be handled with each of the
|
||
|
firewall's network interfaces assigned to a single zone, there are
|
||
|
cases where you will want to divide the hosts accessed through an
|
||
|
interface between two or more zones.</para>
|
||
|
|
||
|
<itemizedlist>
|
||
|
<listitem>
|
||
|
<para>The interface has multiple addresses on multiple subnetworks.
|
||
|
This case is covered in the <ulink
|
||
|
url="Shorewall_and_Aliased_Interfaces.html">Aliased Interface
|
||
|
documentation</ulink>.</para>
|
||
|
</listitem>
|
||
|
|
||
|
<listitem>
|
||
|
<para>You are using some form of NAT and want to access a server by
|
||
|
its external IP address from the same LAN segment. This is covered in
|
||
|
<ulink url="FAQ.htm#faq2">FAQs 2 and 2a</ulink>.</para>
|
||
|
</listitem>
|
||
|
|
||
|
<listitem>
|
||
|
<para>There are routers accessible through the interface and you want
|
||
|
to treat the networks accessed through that router as a separate zone.</para>
|
||
|
</listitem>
|
||
|
|
||
|
<listitem>
|
||
|
<para>Some of the hosts accessed through an interface have
|
||
|
significantly different firewalling requirements from the others so
|
||
|
you want to assign them to a different zone.</para>
|
||
|
</listitem>
|
||
|
</itemizedlist>
|
||
|
|
||
|
<para>The key points to keep in mind when setting up multiple zones per
|
||
|
interface are:</para>
|
||
|
|
||
|
<itemizedlist>
|
||
|
<listitem>
|
||
|
<para>Shorewall generates rules for zones in the order that the zone
|
||
|
declarations appear in /etc/shorewall/zones.</para>
|
||
|
</listitem>
|
||
|
|
||
|
<listitem>
|
||
|
<para>The order of entries in /etc/shorewall/hosts is immaterial as
|
||
|
far as the generated ruleset is concerned.</para>
|
||
|
</listitem>
|
||
|
</itemizedlist>
|
||
|
|
||
|
<para><emphasis role="bold">These examples use the local zone but the same
|
||
|
technique works for any zone.</emphasis> Remember that Shorewall
|
||
|
doesn't have any conceptual knowledge of "Internet",
|
||
|
"Local", or "DMZ" so all zones except the firewall itself
|
||
|
($FW) are the same as far as Shorewall is concerned. Also, the examples
|
||
|
use private (RFC 1918) addresses but public IP addresses can be used in
|
||
|
exactly the same way.</para>
|
||
|
</section>
|
||
|
|
||
|
<section>
|
||
|
<title>Router in the Local Zone</title>
|
||
|
|
||
|
<para>Here is an example of a router in the local zone.</para>
|
||
|
|
||
|
<note>
|
||
|
<para> the <emphasis role="bold">box called "Router" could be a
|
||
|
VPN server</emphasis> or other such device; from the point of view of
|
||
|
this discussion, it makes no difference.</para>
|
||
|
</note>
|
||
|
|
||
|
<graphic fileref="images/MultiZone1.png" />
|
||
|
|
||
|
<section>
|
||
|
<title>Can You Use the Standard Configuration?</title>
|
||
|
|
||
|
<para>In many cases, the <ulink url="two-interface.htm">standard
|
||
|
two-interface Shorewall setup</ulink> will work fine in this
|
||
|
configuration. It will work if:</para>
|
||
|
|
||
|
<itemizedlist>
|
||
|
<listitem>
|
||
|
<para>The firewall requirements to/from the internet are the same
|
||
|
for 192.168.1.0/24 and 192.168.2.0/24.</para>
|
||
|
</listitem>
|
||
|
|
||
|
<listitem>
|
||
|
<para>The hosts in 192.168.1.0/24 know that the route to
|
||
|
192.168.2.0/24 is through the <emphasis role="bold">router</emphasis>.</para>
|
||
|
</listitem>
|
||
|
</itemizedlist>
|
||
|
|
||
|
<para>All you have to do on the firewall is add a route to
|
||
|
192.168.2.0/24 through the <emphasis role="bold">router</emphasis> and
|
||
|
restart Shorewall.</para>
|
||
|
</section>
|
||
|
|
||
|
<section>
|
||
|
<title>Will One Zone be Enough?</title>
|
||
|
|
||
|
<para>If the firewalling requirements for the two local networks is the
|
||
|
same but the hosts in 192.168.1.0/24 don't know how to route to
|
||
|
192.168.2.0/24 then you need to configure the firewall slightly
|
||
|
differently. This type of configuration is rather stupid from an IP
|
||
|
networking point of view but it is sometimes necessary because you
|
||
|
simply don't want to have to reconfigure all of the hosts in
|
||
|
192.168.1.0/24 to add a persistent route to 192.168.2.0/24. On the
|
||
|
firewall:</para>
|
||
|
|
||
|
<orderedlist>
|
||
|
<listitem>
|
||
|
<para>Add a route to 192.168.2.0/24 through the <emphasis
|
||
|
role="bold">Router</emphasis>.</para>
|
||
|
</listitem>
|
||
|
|
||
|
<listitem>
|
||
|
<para>Set the 'routeback' and 'newnotsyn' options
|
||
|
for eth1 (the local firewall interface) in
|
||
|
/etc/shorewall/interfaces.</para>
|
||
|
</listitem>
|
||
|
|
||
|
<listitem>
|
||
|
<para>Restart Shorewall.</para>
|
||
|
</listitem>
|
||
|
</orderedlist>
|
||
|
</section>
|
||
|
|
||
|
<section>
|
||
|
<title>I Need Separate Zones</title>
|
||
|
|
||
|
<para>If you need to make 192.168.2.0/24 into it's own zone, you can
|
||
|
do it one of two ways; Nested Zones or Parallel Zones.</para>
|
||
|
|
||
|
<section>
|
||
|
<title>Nested Zones</title>
|
||
|
|
||
|
<para>You can define one zone (called it 'loc') as being all
|
||
|
hosts connectied to eth1 and a second zone 'loc1'
|
||
|
(192.168.2.0/24) as a sub-zone.</para>
|
||
|
|
||
|
<graphic fileref="images/MultiZone1A.png" />
|
||
|
|
||
|
<para>The advantage of this approach is that the zone 'loc1'
|
||
|
can use CONTINUE policies such that if a connection request
|
||
|
doesn't match a 'loc1' rule, it will be matched against
|
||
|
the 'loc' rules. For example, if your loc1->net policy is
|
||
|
CONTINUE then if a connection request from loc1 to the internet
|
||
|
doesn't match any rules for loc1->net then it will be checked
|
||
|
against the loc->net rules.</para>
|
||
|
|
||
|
<table>
|
||
|
<title>/etc/shorewall/zones</title>
|
||
|
|
||
|
<tgroup cols="3">
|
||
|
<thead>
|
||
|
<row>
|
||
|
<entry align="center">ZONE</entry>
|
||
|
|
||
|
<entry align="center">DISPLAY</entry>
|
||
|
|
||
|
<entry align="center">COMMENTS</entry>
|
||
|
</row>
|
||
|
</thead>
|
||
|
|
||
|
<tbody>
|
||
|
<row>
|
||
|
<entry>loc1</entry>
|
||
|
|
||
|
<entry>Local2</entry>
|
||
|
|
||
|
<entry>Hosts access through internal router</entry>
|
||
|
</row>
|
||
|
|
||
|
<row>
|
||
|
<entry>loc</entry>
|
||
|
|
||
|
<entry>Local</entry>
|
||
|
|
||
|
<entry>All hosts accessed via eth1</entry>
|
||
|
</row>
|
||
|
</tbody>
|
||
|
</tgroup>
|
||
|
</table>
|
||
|
|
||
|
<note>
|
||
|
<para>the sub-zone (loc1) is defined first!</para>
|
||
|
</note>
|
||
|
|
||
|
<table>
|
||
|
<title>/etc/shorewall/interfaces</title>
|
||
|
|
||
|
<tgroup cols="4">
|
||
|
<thead>
|
||
|
<row>
|
||
|
<entry align="center">ZONE</entry>
|
||
|
|
||
|
<entry align="center">INTERFACE</entry>
|
||
|
|
||
|
<entry align="center">BROADCAST</entry>
|
||
|
|
||
|
<entry align="center">OPTIONS</entry>
|
||
|
</row>
|
||
|
</thead>
|
||
|
|
||
|
<tbody>
|
||
|
<row>
|
||
|
<entry>loc</entry>
|
||
|
|
||
|
<entry>eth1</entry>
|
||
|
|
||
|
<entry>192.168.1.255</entry>
|
||
|
|
||
|
<entry>...</entry>
|
||
|
</row>
|
||
|
</tbody>
|
||
|
</tgroup>
|
||
|
</table>
|
||
|
|
||
|
<table>
|
||
|
<title>/etc/shorewall/hosts</title>
|
||
|
|
||
|
<tgroup cols="3">
|
||
|
<thead>
|
||
|
<row>
|
||
|
<entry align="center">ZONE</entry>
|
||
|
|
||
|
<entry align="center">HOSTS</entry>
|
||
|
|
||
|
<entry align="center">OPTIONS</entry>
|
||
|
</row>
|
||
|
</thead>
|
||
|
|
||
|
<tbody>
|
||
|
<row>
|
||
|
<entry>loc1</entry>
|
||
|
|
||
|
<entry>eth1:192.168.2.0/24</entry>
|
||
|
|
||
|
<entry></entry>
|
||
|
</row>
|
||
|
</tbody>
|
||
|
</tgroup>
|
||
|
</table>
|
||
|
|
||
|
<para>If you don't need Shorewall to set up infrastructure to
|
||
|
route traffic between 'loc' and 'loc1', add these two
|
||
|
policies:</para>
|
||
|
|
||
|
<table>
|
||
|
<title>/etc/shorewall/policy</title>
|
||
|
|
||
|
<tgroup cols="5">
|
||
|
<thead>
|
||
|
<row>
|
||
|
<entry align="center">SOURCE</entry>
|
||
|
|
||
|
<entry align="center">DEST</entry>
|
||
|
|
||
|
<entry align="center">POLICY</entry>
|
||
|
|
||
|
<entry align="center">LOG LEVEL</entry>
|
||
|
|
||
|
<entry align="center">RATE:BURST</entry>
|
||
|
</row>
|
||
|
</thead>
|
||
|
|
||
|
<tbody>
|
||
|
<row>
|
||
|
<entry>loc</entry>
|
||
|
|
||
|
<entry>loc1</entry>
|
||
|
|
||
|
<entry>NONE</entry>
|
||
|
|
||
|
<entry></entry>
|
||
|
|
||
|
<entry></entry>
|
||
|
</row>
|
||
|
|
||
|
<row>
|
||
|
<entry>loc1</entry>
|
||
|
|
||
|
<entry>loc</entry>
|
||
|
|
||
|
<entry>NONE</entry>
|
||
|
|
||
|
<entry></entry>
|
||
|
|
||
|
<entry></entry>
|
||
|
</row>
|
||
|
</tbody>
|
||
|
</tgroup>
|
||
|
</table>
|
||
|
</section>
|
||
|
|
||
|
<section>
|
||
|
<title>Parallel Zones</title>
|
||
|
|
||
|
<para>You define both zones in the /etc/shorewall/hosts file to create
|
||
|
two disjoint zones.</para>
|
||
|
|
||
|
<graphic fileref="images/MultiZone1B.png" />
|
||
|
|
||
|
<table>
|
||
|
<title>/etc/shorewall/zones</title>
|
||
|
|
||
|
<tgroup cols="3">
|
||
|
<thead>
|
||
|
<row>
|
||
|
<entry align="center">ZONE</entry>
|
||
|
|
||
|
<entry align="center">DISPLAY</entry>
|
||
|
|
||
|
<entry align="center">COMMENTS</entry>
|
||
|
</row>
|
||
|
</thead>
|
||
|
|
||
|
<tbody>
|
||
|
<row>
|
||
|
<entry>loc1</entry>
|
||
|
|
||
|
<entry>Local1</entry>
|
||
|
|
||
|
<entry>Hosts accessed Directly from Firewall</entry>
|
||
|
</row>
|
||
|
|
||
|
<row>
|
||
|
<entry>loc2</entry>
|
||
|
|
||
|
<entry>Local2</entry>
|
||
|
|
||
|
<entry>Hosts accessed via internal Router</entry>
|
||
|
</row>
|
||
|
</tbody>
|
||
|
</tgroup>
|
||
|
</table>
|
||
|
|
||
|
<note>
|
||
|
<para>Here it doesn't matter which zone is defined first.</para>
|
||
|
</note>
|
||
|
|
||
|
<table>
|
||
|
<title>/etc/shorewall/interfaces</title>
|
||
|
|
||
|
<tgroup cols="4">
|
||
|
<thead>
|
||
|
<row>
|
||
|
<entry align="center">ZONE</entry>
|
||
|
|
||
|
<entry align="center">INTERFACE</entry>
|
||
|
|
||
|
<entry align="center">BROADCAST</entry>
|
||
|
|
||
|
<entry align="center">OPTIONS</entry>
|
||
|
</row>
|
||
|
</thead>
|
||
|
|
||
|
<tbody>
|
||
|
<row>
|
||
|
<entry>-</entry>
|
||
|
|
||
|
<entry>eth1</entry>
|
||
|
|
||
|
<entry>192.168.1.255</entry>
|
||
|
|
||
|
<entry>...</entry>
|
||
|
</row>
|
||
|
</tbody>
|
||
|
</tgroup>
|
||
|
</table>
|
||
|
|
||
|
<table>
|
||
|
<title>/etc/shorewall/hosts</title>
|
||
|
|
||
|
<tgroup cols="3">
|
||
|
<thead>
|
||
|
<row>
|
||
|
<entry align="center">ZONE</entry>
|
||
|
|
||
|
<entry align="center">HOSTS</entry>
|
||
|
|
||
|
<entry align="center">OPTIONS</entry>
|
||
|
</row>
|
||
|
</thead>
|
||
|
|
||
|
<tbody>
|
||
|
<row>
|
||
|
<entry>loc1</entry>
|
||
|
|
||
|
<entry>eth1:192.168.1.0/24</entry>
|
||
|
|
||
|
<entry></entry>
|
||
|
</row>
|
||
|
|
||
|
<row>
|
||
|
<entry>loc2</entry>
|
||
|
|
||
|
<entry>eth1:192.168.2.0/24</entry>
|
||
|
|
||
|
<entry></entry>
|
||
|
</row>
|
||
|
</tbody>
|
||
|
</tgroup>
|
||
|
</table>
|
||
|
|
||
|
<para>If you don't need Shorewall to set up infrastructure to
|
||
|
route traffic between 'loc' and 'loc1', add these two
|
||
|
policies:</para>
|
||
|
|
||
|
<table>
|
||
|
<title>/etc/shorewall/policy</title>
|
||
|
|
||
|
<tgroup cols="5">
|
||
|
<thead>
|
||
|
<row>
|
||
|
<entry align="center">SOURCE</entry>
|
||
|
|
||
|
<entry align="center">DEST</entry>
|
||
|
|
||
|
<entry align="center">POLICY</entry>
|
||
|
|
||
|
<entry align="center">LOG LEVEL</entry>
|
||
|
|
||
|
<entry align="center">RATE:BURST</entry>
|
||
|
</row>
|
||
|
</thead>
|
||
|
|
||
|
<tbody>
|
||
|
<row>
|
||
|
<entry>loc</entry>
|
||
|
|
||
|
<entry>loc1</entry>
|
||
|
|
||
|
<entry>NONE</entry>
|
||
|
|
||
|
<entry></entry>
|
||
|
|
||
|
<entry></entry>
|
||
|
</row>
|
||
|
|
||
|
<row>
|
||
|
<entry>loc1</entry>
|
||
|
|
||
|
<entry>loc</entry>
|
||
|
|
||
|
<entry>NONE</entry>
|
||
|
|
||
|
<entry></entry>
|
||
|
|
||
|
<entry></entry>
|
||
|
</row>
|
||
|
</tbody>
|
||
|
</tgroup>
|
||
|
</table>
|
||
|
</section>
|
||
|
</section>
|
||
|
</section>
|
||
|
|
||
|
<section>
|
||
|
<title>Some Hosts have Special Firewalling Requirements</title>
|
||
|
|
||
|
<para>There are cases where a subset of the addresses associated with an
|
||
|
interface need special handling. Here's an example.</para>
|
||
|
|
||
|
<graphic fileref="images/MultiZone2.png" />
|
||
|
|
||
|
<para>In this example, addresses 192.168.1.8 - 192.168.1.15
|
||
|
(192.168.1.8/29) are to be treated as their own zone (loc1).</para>
|
||
|
|
||
|
<table>
|
||
|
<title>/etc/shorewall/zones</title>
|
||
|
|
||
|
<tgroup cols="3">
|
||
|
<thead>
|
||
|
<row>
|
||
|
<entry align="center">ZONE</entry>
|
||
|
|
||
|
<entry align="center">DISPLAY</entry>
|
||
|
|
||
|
<entry align="center">COMMENTS</entry>
|
||
|
</row>
|
||
|
</thead>
|
||
|
|
||
|
<tbody>
|
||
|
<row>
|
||
|
<entry>loc1</entry>
|
||
|
|
||
|
<entry>Local2</entry>
|
||
|
|
||
|
<entry>192.168.1.8 - 192.168.1.15</entry>
|
||
|
</row>
|
||
|
|
||
|
<row>
|
||
|
<entry>loc</entry>
|
||
|
|
||
|
<entry>Local</entry>
|
||
|
|
||
|
<entry>All hosts accessed via eth1</entry>
|
||
|
</row>
|
||
|
</tbody>
|
||
|
</tgroup>
|
||
|
</table>
|
||
|
|
||
|
<note>
|
||
|
<para>the sub-zone (loc1) is defined first!</para>
|
||
|
</note>
|
||
|
|
||
|
<table>
|
||
|
<title>/etc/shorewall/interfaces</title>
|
||
|
|
||
|
<tgroup cols="4">
|
||
|
<thead>
|
||
|
<row>
|
||
|
<entry align="center">ZONE</entry>
|
||
|
|
||
|
<entry align="center">INTERFACE</entry>
|
||
|
|
||
|
<entry align="center">BROADCAST</entry>
|
||
|
|
||
|
<entry align="center">OPTIONS</entry>
|
||
|
</row>
|
||
|
</thead>
|
||
|
|
||
|
<tbody>
|
||
|
<row>
|
||
|
<entry>loc</entry>
|
||
|
|
||
|
<entry>eth1</entry>
|
||
|
|
||
|
<entry>192.168.1.255</entry>
|
||
|
|
||
|
<entry>...</entry>
|
||
|
</row>
|
||
|
</tbody>
|
||
|
</tgroup>
|
||
|
</table>
|
||
|
|
||
|
<table>
|
||
|
<title>/etc/shorewall/hosts</title>
|
||
|
|
||
|
<tgroup cols="3">
|
||
|
<thead>
|
||
|
<row>
|
||
|
<entry align="center">ZONE</entry>
|
||
|
|
||
|
<entry align="center">HOSTS</entry>
|
||
|
|
||
|
<entry align="center">OPTIONS</entry>
|
||
|
</row>
|
||
|
</thead>
|
||
|
|
||
|
<tbody>
|
||
|
<row>
|
||
|
<entry>loc1</entry>
|
||
|
|
||
|
<entry>eth1:192.168.2.0/24</entry>
|
||
|
|
||
|
<entry></entry>
|
||
|
</row>
|
||
|
</tbody>
|
||
|
</tgroup>
|
||
|
</table>
|
||
|
|
||
|
<para>You probably don't want Shorewall to set up infrastructure to
|
||
|
route traffic between 'loc' and 'loc1' so you should add
|
||
|
these two policies:</para>
|
||
|
|
||
|
<table>
|
||
|
<title>/etc/shorewall/policy</title>
|
||
|
|
||
|
<tgroup cols="5">
|
||
|
<thead>
|
||
|
<row>
|
||
|
<entry align="center">SOURCE</entry>
|
||
|
|
||
|
<entry align="center">DEST</entry>
|
||
|
|
||
|
<entry align="center">POLICY</entry>
|
||
|
|
||
|
<entry align="center">LOG LEVEL</entry>
|
||
|
|
||
|
<entry align="center">RATE:BURST</entry>
|
||
|
</row>
|
||
|
</thead>
|
||
|
|
||
|
<tbody>
|
||
|
<row>
|
||
|
<entry>loc</entry>
|
||
|
|
||
|
<entry>loc1</entry>
|
||
|
|
||
|
<entry>NONE</entry>
|
||
|
|
||
|
<entry></entry>
|
||
|
|
||
|
<entry></entry>
|
||
|
</row>
|
||
|
|
||
|
<row>
|
||
|
<entry>loc1</entry>
|
||
|
|
||
|
<entry>loc</entry>
|
||
|
|
||
|
<entry>NONE</entry>
|
||
|
|
||
|
<entry></entry>
|
||
|
|
||
|
<entry></entry>
|
||
|
</row>
|
||
|
</tbody>
|
||
|
</tgroup>
|
||
|
</table>
|
||
|
</section>
|
||
|
</article>
|