Whitelisting Under Shorewall Tom Eastep 2002-2005 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. White lists are most often used to give special privileges to a set of hosts within an organization. Let us suppose that we have the following environment: A firewall with three interfaces -- one to the Internet, one to a local network and one to a DMZ. The local network uses SNAT to the internet and is comprised of the Class B network 10.10.0.0/16 (Note: While this example uses an RFC 1918 local network, the technique described here in no way depends on that or on SNAT. It may be used with Proxy ARP, Subnet Routing, Static NAT, etc.). The network operations staff have workstations with IP addresses in the Class C network 10.10.10.0/24. We want the network operations staff to have full access to all other hosts. We want the network operations staff to bypass the transparent HTTP proxy running on our firewall. The basic approach will be that we will place the operations staff's class C in its own zone called ops. Here are the appropriate configuration files: Zone File #ZONE TYPE OPTIONS fw firewall net ipv4 ops ipv4 loc ipv4 dmz ipv4 The ops zone has been added to the standard 3-zone zones file -- since ops is a sub-zone of loc, we list it BEFORE loc. Interfaces File #ZONE INTERFACE BROACAST OPTIONS net eth0 <whatever> ... dmz eth1 <whatever> ... - eth2 10.10.255.255 Because eth2 interfaces to two zones (ops and loc), we don't specify a zone for it here. Hosts File #ZONE HOST(S) OPTIONS ops eth2:10.10.10.0/24 loc eth2:0.0.0.0/0 Here we define the ops and loc zones. When Shorewall is stopped, only the hosts in the ops zone will be allowed to access the firewall and the DMZ. I use 0.0.0.0/0 to define the loc zone rather than 10.10.0.0/16 so that the limited broadcast address (255.255.255.255) falls into that zone. If I used 10.10.0.0/16 then I would have to have a separate entry for that special address. Policy File #SOURCE DEST POLICY LOG LEVEL ops all ACCEPT all ops CONTINUE loc net ACCEPT net all DROP info all all REJECT info Two entries for ops (in bold) have been added to the standard 3-zone policy file. Rules File #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE PORTS(S) ORIGINAL DEST REDIRECT loc!ops 3128 tcp http This is the rule that transparently redirects web traffic to the transparent proxy running on the firewall. The SOURCE column explicitly excludes the ops zone from the rule. Routestopped File #INTERFACE HOST(S) OPTIONS eth1 eth2 10.10.10.0/24