From 661e348bb81545108d3ed42b505138c5d0be14a8 Mon Sep 17 00:00:00 2001
From: teastep
Date: Thu, 18 Jan 2007 19:05:17 +0000
Subject: [PATCH] Add a manpage describing nested zones
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5263 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 manpages/shorewall-nesting.xml | 133 +++++++++++++++++++++++++++++++++
 manpages/shorewall-policy.xml | 4 +-
 manpages/shorewall-zones.xml | 6 +-
 3 files changed, 140 insertions(+), 3 deletions(-)
 create mode 100644 manpages/shorewall-nesting.xml
diff --git a/manpages/shorewall-nesting.xml b/manpages/shorewall-nesting.xml
new file mode 100644
index 000000000..009673755
--- /dev/null
+++ b/manpages/shorewall-nesting.xml
@@ -0,0 +1,133 @@
+
+
+
+ shorewall-nesting
+
+ 5
+
+
+
+ Nesting
+
+ Shorewall Nested Zones
+
+
+
+
+ child-zone[:parent-zone[,parent-zone]...]
+
+
+
+
+ Description
+
+ In shorewall-zones(5), a
+ zone may be declared to be a sub-zone of one or more other zones using the
+ above syntax.
+
+ Where zones are nested, the CONTINUE policy in shorewall-policy(5) allows hosts that
+ are within multiple zones to be managed under the rules of all of these
+ zones.
+
+
+
+ Example
+
+ /etc/shorewall/zones:
+
+ #ZONE TYPE OPTION
+ fw firewall
+ net ipv4
+ sam:net ipv4
+ loc ipv4
+
+ /etc/shorewall/interfaces:
+
+ #ZONE INTERFACE BROADCAST OPTIONS
+ - eth0 detect dhcp,norfc1918
+ loc eth1 detect
+
+ /etc/shorewall/hosts:
+
+ #ZONE HOST(S) OPTIONS
+ net eth0:0.0.0.0/0
+ sam eth0:206.191.149.197
+
+ /etc/shorewall/policy:
+
+ #SOURCE DEST POLICY LOG LEVEL
+ loc net ACCEPT
+ sam all CONTINUE
+ net all DROP info
+ all all REJECT info
+
+ The second entry above says that when Sam is the client, connection
+ requests should first be processed under rules where the source zone is
+ sam and if there is no match then the connection request should be treated
+ under rules where the source zone is net. It is important that this policy
+ be listed BEFORE the next policy (net to all).
+
+ Partial /etc/shorewall/rules:
+
+ #ACTION SOURCE DEST PROTO DEST PORT(S)
+ ...
+ DNAT sam loc:192.168.1.3 tcp ssh
+ DNAT net loc:192.168.1.5 tcp www
+ ...
+
+ Given these two rules, Sam can connect to the firewall's internet
+ interface with ssh and the connection request will be forwarded to
+ 192.168.1.3. Like all hosts in the net zone, Sam can connect to the
+ firewall's internet interface on TCP port 80 and the connection request
+ will be forwarded to 192.168.1.5. The order of the rules is not
+ significant. Sometimes it is necessary to suppress port forwarding for a
+ sub-zone. For example, suppose that all hosts can SSH to the firewall and
+ be forwarded to 192.168.1.5 EXCEPT Sam. When Sam connects to the
+ firewall's external IP, he should be connected to the firewall itself.
+ Because of the way that Netfilter is constructed, this requires two rules
+ as follows:
+
+ #ACTION SOURCE DEST PROTO DEST PORT(S)
+ ...
+ ACCEPT+ sam $FW tcp ssh
+ DNAT net loc:192.168.1.3 tcp ssh
+ ...
+
+ The first rule allows Sam SSH access to the firewall. The second
+ rule says that any clients from the net zone with the exception of those
+ in the “sam” zone should have their connection port forwarded to
+ 192.168.1.3. If you need to exclude more than one zone, simply use
+ multiple ACCEPT+ rules. This technique also may be used when the ACTION is
+ REDIRECT.
+
+
+
+ FILES
+
+ /etc/shorewall/zones
+
+ /etc/shorewall/interfaces
+
+ /etc/shorewall/hosts
+
+ /etc/shorewall/policy
+
+ /etc/shorewall/rules
+
+
+
+ See ALSO
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+ shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+ shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+ shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+ shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+ shorewall-zones(5)
+
+
\ No newline at end of file
diff --git a/manpages/shorewall-policy.xml b/manpages/shorewall-policy.xml
index 92854a6ce..f38bcc161 100644
--- a/manpages/shorewall-policy.xml
+++ b/manpages/shorewall-policy.xml
@@ -143,7 +143,9 @@ Pass the connection request past any other rules that it might also match (where the source or destination zone in those rules is a superset of the SOURCE or DEST in this
- policy).
+ policy). See shorewall-nesting(5) for
+ additional information.
diff --git a/manpages/shorewall-zones.xml b/manpages/shorewall-zones.xml
index 2136fd26b..f94a27fac 100644
--- a/manpages/shorewall-zones.xml
+++ b/manpages/shorewall-zones.xml
@@ -58,7 +58,9 @@ Where a zone is nested in one or more other zones, you may follow the (sub)zone name by ":" and a comma-separated list of the parent zones. The parent zones must have been declared in earlier
- records in this file.
+ records in this file. See shorewall-nesting(5) for
+ additional information.
 Example:
@@ -70,7 +72,7 @@ c:a,b ipv4 Currently, Shorewall uses this information to reorder the zone list so that parent zones appear after their subzones in the list. The IMPLICIT_CONTINUE option in shorewall.conf can also create
- implicit CONTINUE policies to/from the subzone.
+ implicit CONTINUE policies to/from the subzone. In the future, Shorewall may make additional use of nesting information.