mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-29 01:28:50 +01:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="Multiple_Zones">
  <!--$Id$-->

  <articleinfo>
    <title>Routing on One Interface</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate>2004-03-15</pubdate>

    <copyright>
      <year>2003</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <section>
    <title>Introduction</title>

    <para>While most configurations can be handled with each of the
    firewall's network interfaces assigned to a single zone, there are
    cases where you will want to divide the hosts accessed through an
    interface between two or more zones.</para>

    <itemizedlist>
      <listitem>
        <para>The interface has multiple addresses on multiple subnetworks.
        This case is covered in the <ulink
        url="Shorewall_and_Aliased_Interfaces.html">Aliased Interface
        documentation</ulink>.</para>
      </listitem>

      <listitem>
        <para>You are using some form of NAT and want to access a server by
        its external IP address from the same LAN segment. This is covered in
        <ulink url="FAQ.htm#faq2">FAQs 2 and 2a</ulink>.</para>
      </listitem>

      <listitem>
        <para>There is a router accessible through the interface and you
        want to treat the networks accessed through that router as a separate
        zone.</para>
      </listitem>

      <listitem>
        <para>Some of the hosts accessed through an interface have
        significantly different firewalling requirements from the others, so
        you want to assign them to a different zone.</para>
      </listitem>
    </itemizedlist>

    <para>The key points to keep in mind when setting up multiple zones per
    interface are:</para>

    <itemizedlist>
      <listitem>
        <para>Shorewall generates rules for zones in the order that the zone
        declarations appear in /etc/shorewall/zones.</para>
      </listitem>

      <listitem>
        <para>The order of entries in /etc/shorewall/hosts is immaterial as
        far as the generated ruleset is concerned.</para>
      </listitem>
    </itemizedlist>

    <para><emphasis role="bold">These examples use the local zone, but the
    same technique works for any zone.</emphasis> Remember that Shorewall
    doesn't have any conceptual knowledge of <quote>Internet</quote>,
    <quote>Local</quote>, or <quote>DMZ</quote>, so all zones except the
    firewall itself ($FW) are the same as far as Shorewall is concerned. Also,
    the examples use private (RFC 1918) addresses, but public IP addresses can
    be used in exactly the same way.</para>
  </section>

  <section>
    <title>Router in the Local Zone</title>

    <para>Here is an example of a router in the local zone.</para>

    <note>
      <para>The <emphasis role="bold">box called <quote>Router</quote> could
      be a VPN server</emphasis> or other such device; from the point of view
      of this discussion, it makes no difference.</para>
    </note>

    <graphic fileref="images/MultiZone1.png" />

    <section>
      <title>Can You Use the Standard Configuration?</title>

      <para>In many cases, the <ulink url="two-interface.htm">standard
      two-interface Shorewall setup</ulink> will work fine in this
      configuration. It will work if:</para>

      <itemizedlist>
        <listitem>
          <para>The firewall requirements to/from the internet are the same
          for 192.168.1.0/24 and 192.168.2.0/24.</para>
        </listitem>

        <listitem>
          <para>The hosts in 192.168.1.0/24 know that the route to
          192.168.2.0/24 is through the <emphasis
          role="bold">router</emphasis>.</para>
        </listitem>
      </itemizedlist>

      <para>All you have to do on the firewall is add a route to
      192.168.2.0/24 through the <emphasis role="bold">router</emphasis> and
      restart Shorewall.</para>
    </section>

    <section>
      <title>Will One Zone be Enough?</title>

      <para>If the firewalling requirements for the two local networks are the
      same but the hosts in 192.168.1.0/24 don't know how to route to
      192.168.2.0/24, then you need to configure the firewall slightly
      differently. This type of configuration is rather stupid from an IP
      networking point of view, but it is sometimes necessary because you
      simply don't want to have to reconfigure all of the hosts in
      192.168.1.0/24 to add a persistent route to 192.168.2.0/24. On the
      firewall:</para>

      <orderedlist>
        <listitem>
          <para>Add a route to 192.168.2.0/24 through the <emphasis
          role="bold">Router</emphasis>.</para>
        </listitem>

        <listitem>
          <para>Set the <quote>routeback</quote> and <quote>newnotsyn</quote>
          options for eth1 (the local firewall interface) in
          /etc/shorewall/interfaces.</para>
        </listitem>

        <listitem>
          <para>Restart Shorewall.</para>
        </listitem>
      </orderedlist>
    </section>

    <section>
      <title>I Need Separate Zones</title>

      <para>If you need to make 192.168.2.0/24 into its own zone, you can
      do it one of two ways: Nested Zones or Parallel Zones.</para>

      <section>
        <title>Nested Zones</title>

        <para>You can define one zone (call it <quote>loc</quote>) as being
        all hosts connected to eth1 and a second zone <quote>loc1</quote>
        (192.168.2.0/24) as a sub-zone.</para>

        <graphic fileref="images/MultiZone1A.png" />

        <para>The advantage of this approach is that the zone
        <quote>loc1</quote> can use CONTINUE policies, so that if a connection
        request doesn't match a <quote>loc1</quote> rule, it will be matched
        against the <quote>loc</quote> rules. For example, if your
        loc1->net policy is CONTINUE, then if a connection request from
        loc1 to the internet doesn't match any rules for loc1->net,
        it will be checked against the loc->net rules.</para>

        <para><filename>/etc/shorewall/zones</filename></para>

        <programlisting>#ZONE    DISPLAY    COMMENTS
loc1     Local1     Hosts accessed through internal router
loc      Local      All hosts accessed via eth1</programlisting>

        <note>
          <para>The sub-zone (loc1) is defined first!</para>
        </note>

        <para><filename>/etc/shorewall/interfaces</filename></para>

        <programlisting>#ZONE    INTERFACE    BROADCAST
loc      eth1         192.168.1.255</programlisting>

        <para><filename>/etc/shorewall/hosts</filename></para>

        <programlisting>#ZONE    HOSTS
loc1     eth1:192.168.2.0/24</programlisting>

        <para>If you don't need Shorewall to set up infrastructure to
        route traffic between <quote>loc</quote> and <quote>loc1</quote>, add
        these two policies.</para>

        <para><filename>/etc/shorewall/policy</filename></para>

        <programlisting>#SOURCE    DEST    POLICY
loc        loc1    NONE
loc1       loc     NONE</programlisting>
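        <para>The CONTINUE behaviour described above, as an added example
        that is not part of the Shorewall documentation or code: a small
        Python model of how a new connection is matched when its source lies
        in nested zones. Zones are consulted in /etc/shorewall/zones
        declaration order, the rules for a zone pair are tried before its
        policy, and a CONTINUE policy hands the request on to the next zone
        that also contains the source. The zone names, rules, ports and the
        fallback to DROP when no zone matches are constructed assumptions of
        the model; only source-side nesting is modelled.</para>

```python
import ipaddress

# Added example, not Shorewall's code: models rule/policy lookup for a source
# address that belongs to nested zones (sub-zone first, then the enclosing
# zone), following the article's description of CONTINUE policies.


class Zone:
    """An interface plus an optional network; a zone with no network (the
    zone given in the interfaces file) contains every host on the interface."""

    def __init__(self, name, interface, network=None):
        self.name = name
        self.interface = interface
        self.network = ipaddress.ip_network(network) if network else None

    def contains(self, interface, ip):
        if interface != self.interface:
            return False
        return self.network is None or ipaddress.ip_address(ip) in self.network


def evaluate(zones, rules, policies, src_iface, src_ip, dest_zone, dport,
             default="DROP"):
    """Return (verdict, reason) for a new connection from src_ip, arriving on
    src_iface, to dest_zone on port dport.

    zones:    list of Zone in /etc/shorewall/zones declaration order
    rules:    list of (src_zone, dest_zone, dport, action) in file order
    policies: dict mapping (src_zone, dest_zone) to a policy action
    The 'default' used when no zone or policy decides is an assumption."""
    for zone in zones:
        if not zone.contains(src_iface, src_ip):
            continue
        for rule_src, rule_dest, rule_port, action in rules:
            if (rule_src, rule_dest, rule_port) == (zone.name, dest_zone, dport):
                return action, f"rule {rule_src}->{rule_dest} dport {rule_port}"
        policy = policies.get((zone.name, dest_zone), default)
        if policy != "CONTINUE":
            return policy, f"policy {zone.name}->{dest_zone}"
        # CONTINUE: nothing decided yet; try the next zone containing the source
    return default, "no zone matched (assumed default)"


# Constructed configuration following the article's nested example:
# loc1 is 192.168.2.0/24 behind the internal router, loc is everything on eth1.
NESTED = [Zone("loc1", "eth1", "192.168.2.0/24"), Zone("loc", "eth1")]
SWAPPED = [Zone("loc", "eth1"), Zone("loc1", "eth1", "192.168.2.0/24")]
RULES = [
    ("loc1", "net", 25, "DROP"),    # constructed: loc1 may not send mail directly
    ("loc", "net", 135, "REJECT"),  # constructed: nobody on eth1 reaches 135 outside
]
POLICIES = {("loc1", "net"): "CONTINUE", ("loc", "net"): "ACCEPT"}


def demo(zones=NESTED):
    """Verdicts for a few constructed requests, keyed by (source ip, port)."""
    cases = [("192.168.2.5", 25), ("192.168.2.5", 80),
             ("192.168.2.5", 135), ("192.168.1.7", 25)]
    return {(ip, port): evaluate(zones, RULES, POLICIES, "eth1", ip, "net", port)
            for ip, port in cases}


if __name__ == "__main__":
    for order, zones in (("sub-zone first", NESTED), ("parent first", SWAPPED)):
        print(order)
        for (ip, port), (verdict, why) in demo(zones).items():
            print("  %s:%d -> %s (%s)" % (ip, port, verdict, why))
```

        <para>Running it with the parent zone declared first (the SWAPPED
        order) shows why the note above matters: the request from
        192.168.2.5 to port 25 is accepted by the loc->net policy before the
        loc1 rule is ever consulted.</para>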
      </section>

      <section>
        <title>Parallel Zones</title>

        <para>You define both zones in the /etc/shorewall/hosts file to create
        two disjoint zones.</para>

        <graphic fileref="images/MultiZone1B.png" />

        <para><filename>/etc/shorewall/zones</filename></para>

        <programlisting>#ZONE    DISPLAY    COMMENTS
loc1     Local1     Hosts accessed directly from the firewall
loc2     Local2     Hosts accessed via the internal router</programlisting>

        <note>
          <para>Here it doesn't matter which zone is defined first.</para>
        </note>

        <para><filename>/etc/shorewall/interfaces</filename></para>

        <programlisting>#ZONE    INTERFACE    BROADCAST
-        eth1         192.168.1.255</programlisting>

        <para><filename>/etc/shorewall/hosts</filename></para>

        <programlisting>#ZONE    HOSTS
loc1     eth1:192.168.1.0/24
loc2     eth1:192.168.2.0/24</programlisting>

        <para>You don't need Shorewall to set up infrastructure to route
        traffic between <quote>loc1</quote> and <quote>loc2</quote>, so add
        these two policies:</para>

        <para><filename>/etc/shorewall/policy</filename></para>

        <programlisting>#SOURCE    DEST    POLICY
loc1       loc2    NONE
loc2       loc1    NONE</programlisting>
      </section>
    </section>
  </section>

  <section>
    <title>Some Hosts have Special Firewalling Requirements</title>

    <para>There are cases where a subset of the addresses associated with an
    interface need special handling. Here's an example.</para>

    <graphic fileref="images/MultiZone2.png" />

    <para>In this example, addresses 192.168.1.8 - 192.168.1.15
    (192.168.1.8/29) are to be treated as their own zone (loc1).</para>

    <para><filename>/etc/shorewall/zones</filename></para>

    <programlisting>#ZONE    DISPLAY    COMMENTS
loc1     Local1     192.168.1.8-192.168.1.15
loc      Local      All hosts accessed via eth1</programlisting>

    <note>
      <para>The sub-zone (loc1) is defined first!</para>
    </note>

    <para><filename>/etc/shorewall/interfaces</filename></para>

    <programlisting>#ZONE    INTERFACE    BROADCAST
loc      eth1         192.168.1.255</programlisting>

    <para><filename>/etc/shorewall/hosts</filename></para>

    <programlisting>#ZONE    HOSTS
loc1     eth1:192.168.1.8/29</programlisting>

    <para>You probably don't want Shorewall to set up infrastructure to
    route traffic between <quote>loc</quote> and <quote>loc1</quote>, so you
    should add these two policies.</para>

    <para><filename>/etc/shorewall/policy</filename></para>

    <programlisting>#SOURCE    DEST    POLICY
loc        loc1    NONE
loc1       loc     NONE</programlisting>
  </section>

  <section id="OneArmed">
    <title>One-armed Router</title>

    <para>Nested zones may also be used to configure a
    <quote>one-armed</quote> router (I don't call it a
    <quote>firewall</quote> because it is very insecure. For example, if you
    connect to the internet via cable modem, your next door neighbor has full
    access to your local systems, as does everyone else connected to the same
    cable modem head-end controller). Here eth0 is configured with both a
    public IP address and an RFC 1918 address (more on that topic may be found
    <ulink url="Shorewall_and_Aliased_Interfaces.html">here</ulink>). Hosts in
    the <quote>loc</quote> zone are configured with their default gateway set
    to the Shorewall router's RFC 1918 address.</para>

    <para><graphic fileref="images/MultiZone3.png" /></para>

    <para><filename>/etc/shorewall/zones</filename></para>

    <programlisting>#ZONE    DISPLAY     COMMENTS
loc      Local       Local Zone
net      Internet    The big bad Internet</programlisting>

    <note>
      <para>The sub-zone (loc) is defined first!</para>
    </note>

    <para><filename>/etc/shorewall/interfaces</filename></para>

    <programlisting>#ZONE    INTERFACE    BROADCAST
net      eth0         detect</programlisting>

    <para><filename>/etc/shorewall/hosts</filename></para>

    <programlisting>#ZONE    HOSTS                    OPTIONS
loc      eth0:192.168.1.0/24      maclist</programlisting>

    <para><filename>/etc/shorewall/masq</filename></para>

    <programlisting>#INTERFACE               SUBNET            ADDRESS
eth0:!192.168.1.0/24     192.168.1.0/24</programlisting>

    <para>Note that the maclist option is specified on the loc entry in
    <filename>/etc/shorewall/hosts</filename>. This is to help protect your
    router from unauthorized access by your friends and neighbors. Start
    without maclist, then add it and configure your <ulink
    url="MAC_Validation.html"><filename>/etc/shorewall/maclist</filename></ulink>
    file when everything else is working.</para>
  </section>
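  <para>The <quote>sub-zone is defined first!</quote> notes in the Nested
  Zones, Special Firewalling Requirements and One-armed Router sections all
  state the same ordering rule. As an added check, not part of the Shorewall
  documentation or code, the Python script below reads the zones, interfaces
  and hosts files and reports any zone whose hosts entry sits on an interface
  assigned to another zone but that is declared after that interface zone.
  The interface zone <quote>-</quote> of the Parallel Zones layout is
  recognised as <quote>no parent</quote>. Its parser is deliberately minimal
  (whitespace-separated columns, # comments, first two columns only) and is
  not Shorewall's own; the sample file contents are constructed from the
  listings in this article.</para>

```python
# Added example, not Shorewall's code: checks the "sub-zone first" rule across
# /etc/shorewall/zones, /etc/shorewall/interfaces and /etc/shorewall/hosts.


def parse_table(text):
    """Split a Shorewall-style table into rows of whitespace-separated fields,
    dropping blank lines and everything after a '#'."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def zone_order(zones_text):
    """Zone names in declaration order (first column of the zones file)."""
    return [row[0] for row in parse_table(zones_text)]


def interface_zones(interfaces_text):
    """Map interface name to the zone assigned to the whole interface;
    '-' means the interface has no zone of its own (parallel zones)."""
    return {row[1]: row[0] for row in parse_table(interfaces_text)}


def host_entries(hosts_text):
    """Yield (zone, interface, network) from each hosts line; the HOSTS column
    is 'interface:network' and a trailing OPTIONS column is ignored."""
    for row in parse_table(hosts_text):
        iface, _, network = row[1].partition(":")
        yield row[0], iface, network


def check_nesting_order(zones_text, interfaces_text, hosts_text):
    """Return a list of problem strings; an empty list means the three files
    agree with the sub-zone-first rule."""
    order = zone_order(zones_text)
    iface_zone = interface_zones(interfaces_text)
    problems = []
    for zone, iface, network in host_entries(hosts_text):
        if zone not in order:
            problems.append(f"hosts: zone {zone!r} is not declared in zones")
            continue
        if iface not in iface_zone:
            problems.append(f"hosts: interface {iface!r} is not in interfaces")
            continue
        parent = iface_zone[iface]
        if parent == "-":
            continue  # parallel zones: nothing to order against
        if parent not in order:
            problems.append(f"interfaces: zone {parent!r} is not declared in zones")
        elif order.index(zone) > order.index(parent):
            problems.append(f"zones: sub-zone {zone!r} ({iface}:{network}) must be "
                            f"declared before its parent zone {parent!r}")
    return problems


# Constructed inputs mirroring the article's "Nested Zones" listings.
ZONES_NESTED = ("loc1  Local1  Hosts accessed through internal router\n"
                "loc   Local   All hosts accessed via eth1\n")
ZONES_WRONG_ORDER = ("loc   Local   All hosts accessed via eth1\n"
                     "loc1  Local1  Hosts accessed through internal router\n")
INTERFACES_NESTED = "#ZONE  INTERFACE  BROADCAST\nloc  eth1  192.168.1.255\n"
HOSTS_NESTED = "#ZONE  HOSTS\nloc1  eth1:192.168.2.0/24\n"

# Constructed "Parallel Zones" listings: the interface itself has no zone.
ZONES_PARALLEL = "loc2  Local2  via the internal router\nloc1  Local1  direct\n"
INTERFACES_PARALLEL = "-  eth1  192.168.1.255\n"
HOSTS_PARALLEL = "loc1  eth1:192.168.1.0/24\nloc2  eth1:192.168.2.0/24\n"

# Constructed "One-armed Router" listings: loc is a sub-zone of net on eth0.
ZONES_ONEARM = "loc  Local     Local Zone\nnet  Internet  The big bad Internet\n"
INTERFACES_ONEARM = "net  eth0  detect\n"
HOSTS_ONEARM = "#ZONE  HOSTS                OPTIONS\nloc  eth0:192.168.1.0/24  maclist\n"


def demo():
    """Run the check over the constructed configurations."""
    return {
        "nested ok": check_nesting_order(ZONES_NESTED, INTERFACES_NESTED, HOSTS_NESTED),
        "nested wrong order": check_nesting_order(ZONES_WRONG_ORDER, INTERFACES_NESTED, HOSTS_NESTED),
        "parallel": check_nesting_order(ZONES_PARALLEL, INTERFACES_PARALLEL, HOSTS_PARALLEL),
        "one-armed": check_nesting_order(ZONES_ONEARM, INTERFACES_ONEARM, HOSTS_ONEARM),
    }


if __name__ == "__main__":
    for label, problems in demo().items():
        print(f"{label}: {problems or 'OK'}")
```

  <para>To use it on a live system, read the three files from /etc/shorewall
  and pass their contents to check_nesting_order before running
  <quote>shorewall restart</quote>; only the nested configuration with the
  parent zone declared first produces a report.</para>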
</article>