shorewall_code/manpages6/shorewall6-nesting.xml
2009-11-28 07:19:10 -08:00

170 lines
6.1 KiB
XML

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-nesting</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>nesting</refname>
<refpurpose>shorewall6 Nested Zones</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<arg choice="plain"
rep="norepeat"><replaceable>child-zone</replaceable>[:<replaceable>parent-zone</replaceable>[,<replaceable>parent-zone</replaceable>]...]</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>In <ulink url="shorewall-zones.html">shorewall6-zones</ulink>(5), a
zone may be declared to be a sub-zone of one or more other zones using the
above syntax.</para>
<para>Where zones are nested, the CONTINUE policy in <ulink
url="shorewall6-policy.html">shorewall6-policy</ulink>(5) allows hosts
that are within multiple zones to be managed under the rules of all of
these zones.</para>
</refsect1>
<refsect1>
<title>Example</title>
<para><filename>/etc/shorewall6/zones</filename>:</para>
<programlisting> #ZONE TYPE OPTION
fw firewall
net ipv6
sam:net ipv6
loc ipv6</programlisting>
<para><filename>/etc/shorewall6/interfaces</filename>:</para>
<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
- eth0 detect blacklist
loc eth1 detect</programlisting>
<para><filename>/etc/shorewall6/hosts</filename>:</para>
<programlisting> #ZONE HOST(S) OPTIONS
net eth0:[::\]
sam eth0:[2001:19f0:feee::dead:beef:cafe]</programlisting>
<para><filename>/etc/shorewall6/policy</filename>:</para>
<programlisting> #SOURCE DEST POLICY LOG LEVEL
loc net ACCEPT
sam all CONTINUE
net all DROP info
all all REJECT info</programlisting>
<para>The second entry above says that when Sam is the client, connection
requests should first be processed under rules where the source zone is
sam and if there is no match then the connection request should be treated
under rules where the source zone is net. It is important that this policy
be listed BEFORE the next policy (net to all). You can have this policy
generated for you automatically by using the IMPLICIT_CONTINUE option in
<ulink url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<para>Partial <filename>/etc/shorewall6/rules</filename>:</para>
<programlisting> #ACTION SOURCE DEST PROTO DEST PORT(S)
...
ACCEPT sam loc:2001:19f0:feee::3 tcp ssh
ACCEPT net loc:2001:19f0:feee::5 tcp www
...</programlisting>
<para>Given these two rules, Sam can connect with ssh to
2001:19f0:feee::3. Like all hosts in the net zone, Sam can connect to TCP
port 80 on 2001:19f0:feee::5. The order of the rules is not
significant.</para>
</refsect1>
<refsect1 id="Virtual">
<title>Virtual Zones</title>
<para>Beginning with Shorewall 4.4.5, Shorewall allows the declaration of
<firstterm>virtual</firstterm> zones. A virtual zone has no definition in
<filename>/etc/shorewall6/interfaces</filename> or in
<filename>/etc/shorewall6/hosts</filename>. Rather, it is used as a parent
zone for other zones in <filename>/etc/shorewall6/zones</filename>.</para>
<para>Example:</para>
<para><filename>/etc/shorewall6/zones</filename>:</para>
<programlisting> #ZONE TYPE OPTIONS
fw firewall
net ipv6
loc ipv6 virtual
loc1:loc ipv6
loc2:loc ipv6</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,tcpflags
- eth1 detect tcpflags</programlisting>
<para><filename>/etc/shorewall/hosts</filename>:</para>
<programlisting> #ZONE HOST(S) OPTIONS
loc1 eth1:2001:19f0:feee:1::/48
loc2 eth1:2001:19f0:feee:2::/48</programlisting>
<para>There are several restrictions on virtual zones:</para>
<itemizedlist>
<listitem>
<para>They must have type <option>ipv6</option>.</para>
</listitem>
<listitem>
<para>A maximum of four virtual zones may be defined.</para>
</listitem>
<listitem>
<para>They should not be used with IMPLICIT_CONTINUE=Yes in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
</listitem>
</itemizedlist>
<para>When a connection request to/from a sub-zone of a virtual zone does
not match the rules for the sub-zone, the connection is compared against
the rules (and policies) for the parent virtual zone.</para>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/zones</para>
<para>/etc/shorewall6/interfaces</para>
<para>/etc/shorewall6/hosts</para>
<para>/etc/shorewall6/policy</para>
<para>/etc/shorewall6/rules</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-route_rules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>