DocBook XML conversion
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@878 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent c9035e0234  commit 6deab84bc2
645  Shorewall-docs/Multiple_Zones.xml  Normal file
@ -0,0 +1,645 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="Multiple_Zones">
<articleinfo>
<title>Multiple Zones per Interface</title>

<authorgroup>
<author>
<firstname>Tom</firstname>

<surname>Eastep</surname>
</author>
</authorgroup>

<pubdate>2003-11-21</pubdate>

<copyright>
<year>2003</year>

<holder>Thomas M. Eastep</holder>
</copyright>

<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled "<ulink
url="GnuCopyright.htm">GNU Free Documentation License</ulink>".</para>
</legalnotice>
</articleinfo>

<section>
<title>Introduction</title>

<para>While most configurations can be handled with each of the
firewall's network interfaces assigned to a single zone, there are
cases where you will want to divide the hosts accessed through an
interface between two or more zones.</para>

<itemizedlist>
<listitem>
<para>The interface has multiple addresses on multiple subnetworks.
This case is covered in the <ulink
url="Shorewall_and_Aliased_Interfaces.html">Aliased Interface
documentation</ulink>.</para>
</listitem>

<listitem>
<para>You are using some form of NAT and want to access a server by
its external IP address from the same LAN segment. This is covered in
<ulink url="FAQ.htm#faq2">FAQs 2 and 2a</ulink>.</para>
</listitem>

<listitem>
<para>There are routers accessible through the interface and you want
to treat the networks accessed through that router as a separate zone.</para>
</listitem>

<listitem>
<para>Some of the hosts accessed through an interface have
significantly different firewalling requirements from the others so
you want to assign them to a different zone.</para>
</listitem>
</itemizedlist>

<para>The key points to keep in mind when setting up multiple zones per
interface are:</para>

<itemizedlist>
<listitem>
<para>Shorewall generates rules for zones in the order that the zone
declarations appear in /etc/shorewall/zones.</para>
</listitem>

<listitem>
<para>The order of entries in /etc/shorewall/hosts is immaterial as
far as the generated ruleset is concerned.</para>
</listitem>
</itemizedlist>

<para><emphasis role="bold">These examples use the local zone but the same
technique works for any zone.</emphasis> Remember that Shorewall
doesn't have any conceptual knowledge of "Internet",
"Local", or "DMZ" so all zones except the firewall itself
($FW) are the same as far as Shorewall is concerned. Also, the examples
use private (RFC 1918) addresses but public IP addresses can be used in
exactly the same way.</para>
</section>

<section>
<title>Router in the Local Zone</title>

<para>Here is an example of a router in the local zone.</para>

<note>
<para> the <emphasis role="bold">box called "Router" could be a
VPN server</emphasis> or other such device; from the point of view of
this discussion, it makes no difference.</para>
</note>

<graphic fileref="images/MultiZone1.png" />

<section>
<title>Can You Use the Standard Configuration?</title>

<para>In many cases, the <ulink url="two-interface.htm">standard
two-interface Shorewall setup</ulink> will work fine in this
configuration. It will work if:</para>

<itemizedlist>
<listitem>
<para>The firewall requirements to/from the internet are the same
for 192.168.1.0/24 and 192.168.2.0/24.</para>
</listitem>

<listitem>
<para>The hosts in 192.168.1.0/24 know that the route to
192.168.2.0/24 is through the <emphasis role="bold">router</emphasis>.</para>
</listitem>
</itemizedlist>

<para>All you have to do on the firewall is add a route to
192.168.2.0/24 through the <emphasis role="bold">router</emphasis> and
restart Shorewall.</para>
</section>

<section>
<title>Will One Zone be Enough?</title>

<para>If the firewalling requirements for the two local networks is the
same but the hosts in 192.168.1.0/24 don't know how to route to
192.168.2.0/24 then you need to configure the firewall slightly
differently. This type of configuration is rather stupid from an IP
networking point of view but it is sometimes necessary because you
simply don't want to have to reconfigure all of the hosts in
192.168.1.0/24 to add a persistent route to 192.168.2.0/24. On the
firewall:</para>

<orderedlist>
<listitem>
<para>Add a route to 192.168.2.0/24 through the <emphasis
role="bold">Router</emphasis>.</para>
</listitem>

<listitem>
<para>Set the 'routeback' and 'newnotsyn' options
for eth1 (the local firewall interface) in
/etc/shorewall/interfaces.</para>
</listitem>

<listitem>
<para>Restart Shorewall.</para>
</listitem>
</orderedlist>
</section>

<section>
<title>I Need Separate Zones</title>

<para>If you need to make 192.168.2.0/24 into it's own zone, you can
do it one of two ways; Nested Zones or Parallel Zones.</para>

<section>
<title>Nested Zones</title>

<para>You can define one zone (called it 'loc') as being all
hosts connectied to eth1 and a second zone 'loc1'
(192.168.2.0/24) as a sub-zone.</para>

<graphic fileref="images/MultiZone1A.png" />

<para>The advantage of this approach is that the zone 'loc1'
can use CONTINUE policies such that if a connection request
doesn't match a 'loc1' rule, it will be matched against
the 'loc' rules. For example, if your loc1->net policy is
CONTINUE then if a connection request from loc1 to the internet
doesn't match any rules for loc1->net then it will be checked
against the loc->net rules.</para>

<table>
<title>/etc/shorewall/zones</title>

<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>

<entry align="center">DISPLAY</entry>

<entry align="center">COMMENTS</entry>
</row>
</thead>

<tbody>
<row>
<entry>loc1</entry>

<entry>Local2</entry>

<entry>Hosts access through internal router</entry>
</row>

<row>
<entry>loc</entry>

<entry>Local</entry>

<entry>All hosts accessed via eth1</entry>
</row>
</tbody>
</tgroup>
</table>

<note>
<para>the sub-zone (loc1) is defined first!</para>
</note>

<table>
<title>/etc/shorewall/interfaces</title>

<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>

<entry align="center">INTERFACE</entry>

<entry align="center">BROADCAST</entry>

<entry align="center">OPTIONS</entry>
</row>
</thead>

<tbody>
<row>
<entry>loc</entry>

<entry>eth1</entry>

<entry>192.168.1.255</entry>

<entry>...</entry>
</row>
</tbody>
</tgroup>
</table>

<table>
<title>/etc/shorewall/hosts</title>

<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>

<entry align="center">HOSTS</entry>

<entry align="center">OPTIONS</entry>
</row>
</thead>

<tbody>
<row>
<entry>loc1</entry>

<entry>eth1:192.168.2.0/24</entry>

<entry></entry>
</row>
</tbody>
</tgroup>
</table>

<para>If you don't need Shorewall to set up infrastructure to
route traffic between 'loc' and 'loc1', add these two
policies:</para>

<table>
<title>/etc/shorewall/policy</title>

<tgroup cols="5">
<thead>
<row>
<entry align="center">SOURCE</entry>

<entry align="center">DEST</entry>

<entry align="center">POLICY</entry>

<entry align="center">LOG LEVEL</entry>

<entry align="center">RATE:BURST</entry>
</row>
</thead>

<tbody>
<row>
<entry>loc</entry>

<entry>loc1</entry>

<entry>NONE</entry>

<entry></entry>

<entry></entry>
</row>

<row>
<entry>loc1</entry>

<entry>loc</entry>

<entry>NONE</entry>

<entry></entry>

<entry></entry>
</row>
</tbody>
</tgroup>
</table>
</section>

<section>
<title>Parallel Zones</title>

<para>You define both zones in the /etc/shorewall/hosts file to create
two disjoint zones.</para>

<graphic fileref="images/MultiZone1B.png" />

<table>
<title>/etc/shorewall/zones</title>

<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>

<entry align="center">DISPLAY</entry>

<entry align="center">COMMENTS</entry>
</row>
</thead>

<tbody>
<row>
<entry>loc1</entry>

<entry>Local1</entry>

<entry>Hosts accessed Directly from Firewall</entry>
</row>

<row>
<entry>loc2</entry>

<entry>Local2</entry>

<entry>Hosts accessed via internal Router</entry>
</row>
</tbody>
</tgroup>
</table>

<note>
<para>Here it doesn't matter which zone is defined first.</para>
</note>

<table>
<title>/etc/shorewall/interfaces</title>

<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>

<entry align="center">INTERFACE</entry>

<entry align="center">BROADCAST</entry>

<entry align="center">OPTIONS</entry>
</row>
</thead>

<tbody>
<row>
<entry>-</entry>

<entry>eth1</entry>

<entry>192.168.1.255</entry>

<entry>...</entry>
</row>
</tbody>
</tgroup>
</table>

<table>
<title>/etc/shorewall/hosts</title>

<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>

<entry align="center">HOSTS</entry>

<entry align="center">OPTIONS</entry>
</row>
</thead>

<tbody>
<row>
<entry>loc1</entry>

<entry>eth1:192.168.1.0/24</entry>

<entry></entry>
</row>

<row>
<entry>loc2</entry>

<entry>eth1:192.168.2.0/24</entry>

<entry></entry>
</row>
</tbody>
</tgroup>
</table>

<para>If you don't need Shorewall to set up infrastructure to
route traffic between 'loc' and 'loc1', add these two
policies:</para>

<table>
<title>/etc/shorewall/policy</title>

<tgroup cols="5">
<thead>
<row>
<entry align="center">SOURCE</entry>

<entry align="center">DEST</entry>

<entry align="center">POLICY</entry>

<entry align="center">LOG LEVEL</entry>

<entry align="center">RATE:BURST</entry>
</row>
</thead>

<tbody>
<row>
<entry>loc</entry>

<entry>loc1</entry>

<entry>NONE</entry>

<entry></entry>

<entry></entry>
</row>

<row>
<entry>loc1</entry>

<entry>loc</entry>

<entry>NONE</entry>

<entry></entry>

<entry></entry>
</row>
</tbody>
</tgroup>
</table>
</section>
</section>
</section>

<section>
<title>Some Hosts have Special Firewalling Requirements</title>

<para>There are cases where a subset of the addresses associated with an
interface need special handling. Here's an example.</para>

<graphic fileref="images/MultiZone2.png" />

<para>In this example, addresses 192.168.1.8 - 192.168.1.15
(192.168.1.8/29) are to be treated as their own zone (loc1).</para>

<table>
<title>/etc/shorewall/zones</title>

<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>

<entry align="center">DISPLAY</entry>

<entry align="center">COMMENTS</entry>
</row>
</thead>

<tbody>
<row>
<entry>loc1</entry>

<entry>Local2</entry>

<entry>192.168.1.8 - 192.168.1.15</entry>
</row>

<row>
<entry>loc</entry>

<entry>Local</entry>

<entry>All hosts accessed via eth1</entry>
</row>
</tbody>
</tgroup>
</table>

<note>
<para>the sub-zone (loc1) is defined first!</para>
</note>

<table>
<title>/etc/shorewall/interfaces</title>

<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>

<entry align="center">INTERFACE</entry>

<entry align="center">BROADCAST</entry>

<entry align="center">OPTIONS</entry>
</row>
</thead>

<tbody>
<row>
<entry>loc</entry>

<entry>eth1</entry>

<entry>192.168.1.255</entry>

<entry>...</entry>
</row>
</tbody>
</tgroup>
</table>

<table>
<title>/etc/shorewall/hosts</title>

<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>

<entry align="center">HOSTS</entry>

<entry align="center">OPTIONS</entry>
</row>
</thead>

<tbody>
<row>
<entry>loc1</entry>

<entry>eth1:192.168.2.0/24</entry>

<entry></entry>
</row>
</tbody>
</tgroup>
</table>

<para>You probably don't want Shorewall to set up infrastructure to
route traffic between 'loc' and 'loc1' so you should add
these two policies:</para>

<table>
<title>/etc/shorewall/policy</title>

<tgroup cols="5">
<thead>
<row>
<entry align="center">SOURCE</entry>

<entry align="center">DEST</entry>

<entry align="center">POLICY</entry>

<entry align="center">LOG LEVEL</entry>

<entry align="center">RATE:BURST</entry>
</row>
</thead>

<tbody>
<row>
<entry>loc</entry>

<entry>loc1</entry>

<entry>NONE</entry>

<entry></entry>

<entry></entry>
</row>

<row>
<entry>loc1</entry>

<entry>loc</entry>

<entry>NONE</entry>

<entry></entry>

<entry></entry>
</row>
</tbody>
</tgroup>
</table>
</section>
</article>
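Review bot: the /etc/shorewall/hosts table in the "Some Hosts have Special Firewalling Requirements" section puts loc1 on `eth1:192.168.2.0/24`, but the paragraph above it and the zones table define loc1 as 192.168.1.8 - 192.168.1.15 (192.168.1.8/29); the entry should read `eth1:192.168.1.8/29`, otherwise the hosts that need special handling never leave `loc` and silently receive the ordinary loc policies. In the "Parallel Zones" section the lead-in paragraph and the policy table refer to `loc` and `loc1`, yet that example declares only loc1 and loc2 and its interfaces entry uses `-` as the zone, so there is no `loc` zone for those two NONE rows to apply to; they should be loc1 -> loc2 and loc2 -> loc1. The Nested Zones note says the sub-zone must be listed first but not why; since the Introduction states that rules are generated in /etc/shorewall/zones order, it would help to spell out that listing loc before loc1 makes the broader loc rules match 192.168.2.0/24 traffic first, so loc1 never gets its own treatment. Text fixes: "Hosts access through internal router" -> "Hosts accessed through internal router", "(called it 'loc')" -> "(call it 'loc')", "connectied" -> "connected", "it's own zone" -> "its own zone", "requirements for the two local networks is the same" -> "are the same", and the stray leading space in "<para> the <emphasis".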