Firewall Structure (Under Construction)
Shorewall views the network in which it is running as a set of zones. Shorewall itself defines exactly one zone, called "fw", which refers to the firewall system itself. The /etc/shorewall/zones file is used to define additional zones, and the example file provided with Shorewall defines the zones:
Note: You can specify the name of the firewall zone. For ease of description in this documentation, it is assumed that the firewall zone is named "fw".
It can't be stressed enough that with the exception of the firewall zone, Shorewall itself attaches no meaning to zone names. Zone names are simply labels used to refer to a collection of network hosts.
While zones are normally disjoint (no two zones have a host in common), there are cases where nested or overlapping zone definitions are appropriate.
Netfilter has the concept of tables and chains. For the purpose of this document, we will consider Netfilter to have three tables: filter, nat and mangle (the columns of the table below).
Netfilter defines a number of built-in chains: PREROUTING, INPUT, OUTPUT, FORWARD and POSTROUTING. Not all built-in chains are present in all tables, as shown in this table.
CHAIN        | Filter | Nat | Mangle
-------------|--------|-----|-------
PREROUTING   |        |  X  |   X
INPUT        |   X    |     |   X
OUTPUT       |   X    |  X  |   X
FORWARD      |   X    |     |   X
POSTROUTING  |        |  X  |   X
Shorewall doesn't create rules in all of the built-in chains. The large diagram below contains boxes such as the one shown below. This box represents the INPUT chain and shows that packets first flow through the INPUT chain in the Mangle table, followed by the INPUT chain in the Filter table. The parentheses around "Mangle" indicate that while the packets will flow through the INPUT chain in the Mangle table, Shorewall does not create any rules in that chain.
Here is a picture of how packets traverse the various chains and tables in Netfilter. In that diagram, "Local Process" refers to a process running on the Firewall itself (in the 'fw' zone).
In the text that follows, the paragraph numbers correspond to the box numbers in the diagram above.
Traffic directed from a zone to the firewall itself is sent through a chain named <zone name>2fw. For example, traffic inbound from the internet and addressed to the firewall is sent through a chain named net2fw. Similarly, traffic originating in the firewall and being sent to a host in a given zone is sent through a chain named fw2<zone name>. For example, traffic originating in the firewall and destined for a host in the local network is sent through a chain named fw2loc.
Traffic being forwarded between two zones (or from one interface of a zone to another interface of that same zone) is sent through a chain named <source zone>2<destination zone>. So for example, traffic originating in a local system and destined for a remote web server is sent through chain loc2net. This chain is referred to as the canonical chain from <source zone> to <destination zone>. Any destination NAT will have occurred before the packet traverses one of these chains, so rules in /etc/shorewall/rules should be expressed in terms of the destination system's real IP address as opposed to its apparent external address. Similarly, source NAT will occur after the packet has traversed the appropriate forwarding chain, so the rules again will be expressed using the source system's real IP address.
For each record in the /etc/shorewall/policy file, a chain is created. Policies in that file are expressed in terms of a source zone and a destination zone, where each zone may be a zone defined in /etc/shorewall/zones, "fw" or "all". A policy specifying the pseudo-zone "all" matches all defined zones and "fw". These chains are referred to as Policy Chains. Notice that for an ordered pair of zones (za,zb), the canonical chain (za2zb) may also be the policy chain for the pair, or the policy chain may be a different chain (za2all, for example). Packets from one zone to another will traverse chains as follows:
The canonical chain from zone za to zone zb will be created only if there are exception rules defined in /etc/shorewall/rules for packets going from za to zb.
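The following Python is an added example, not part of this page or of Shorewall's own code. It models the chain naming and chain selection rules described above: one policy chain per /etc/shorewall/policy record, a canonical za2zb chain only when /etc/shorewall/rules contains an exception for that pair, and a canonical chain that coincides with the policy chain when a policy exists for exactly that pair. It assumes the firewall zone is named "fw" and that policy records are matched in file order (first match wins); the zone, policy and rules records are constructed for illustration.

```python
"""Model of which Shorewall-created chains a new connection traverses.

Added example: this is not Shorewall's compiler. It only applies the naming
and selection rules stated in the text, under two labelled assumptions:
the firewall zone is named "fw", and /etc/shorewall/policy records are
matched in file order, first match wins.
"""

FW = "fw"  # assumed name of the firewall zone

# Constructed sample zones (as if defined in /etc/shorewall/zones).
ZONES = ["net", "loc", "dmz"]

# Constructed sample /etc/shorewall/policy records: (source, destination, policy).
POLICY = [
    ("loc", "net", "ACCEPT"),   # local clients may reach the internet
    ("net", "all", "DROP"),     # "all" covers every zone above plus fw
    ("all", "all", "REJECT"),
]

# Constructed sample /etc/shorewall/rules: (source, destination) pairs for
# which at least one exception rule is written.  A DNAT rule for net->dmz is
# expressed with the server's real (post-DNAT) address, as the text explains.
RULES = [
    ("net", FW),    # e.g. ACCEPT net fw tcp 22
    ("net", "dmz"), # e.g. DNAT net dmz:<real server address> tcp 80
]


def chain_name(src, dst):
    """Both canonical and policy chains are named <source>2<destination>."""
    return f"{src}2{dst}"


def policy_chains(policy):
    """One chain per policy record, e.g. loc2net, net2all, all2all."""
    return [chain_name(s, d) for s, d, _ in policy]


def canonical_chains(rules):
    """za2zb exists only if /etc/shorewall/rules has an entry for za -> zb."""
    return sorted({chain_name(s, d) for s, d in rules})


def matching_policy(policy, src, dst):
    """First policy record covering (src, dst); 'all' matches any zone and fw."""
    for s, d, p in policy:
        if s in (src, "all") and d in (dst, "all"):
            return (s, d, p)
    raise LookupError(f"no policy covers {src} -> {dst}")


def chain_path(policy, rules, src, dst):
    """Return (chains traversed in order, resulting policy) for src -> dst.

    The canonical chain comes first when it exists; the packet then falls
    through to the policy chain, unless the canonical chain *is* the policy
    chain (a policy record for exactly this pair).
    """
    path = []
    if (src, dst) in set(rules):
        path.append(chain_name(src, dst))
    s, d, p = matching_policy(policy, src, dst)
    policy_chain = chain_name(s, d)
    if policy_chain not in path:
        path.append(policy_chain)
    return path, p


if __name__ == "__main__":
    print("policy chains:   ", policy_chains(POLICY))
    print("canonical chains:", canonical_chains(RULES))
    for pair in [("net", FW), ("loc", "net"), ("dmz", "loc"), ("net", "dmz")]:
        print(f"{pair[0]:>4} -> {pair[1]:<4}", chain_path(POLICY, RULES, *pair))
```

Note that loc -> net traverses only loc2net, which here is a policy chain with policy ACCEPT and no canonical chain in front of it: there are no exception rules for that pair, and with an ACCEPT policy none are needed.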
Shorewall is built on top of the Netfilter kernel facility. Netfilter implements connection tracking, which allows what is often referred to as "stateful inspection" of packets. This stateful property allows firewall rules to be defined in terms of "connections" rather than in terms of "packets". With Shorewall, you:
Just because connections of a particular type are allowed between zone A and the firewall and are also allowed between the firewall and zone B DOES NOT mean that these connections are allowed between zone A and zone B. It rather means that you can have a proxy running on the firewall that accepts a connection from zone A and then establishes its own separate connection from the firewall to zone B.
If you adopt the default policy of ACCEPT from the local zone to the internet zone and you are having problems connecting from a local client to an internet server, adding a rule won't help (see point 3 above).
Last modified 5/22/2003 - Tom Eastep
Copyright © 2001, 2002, 2003 Thomas M. Eastep.