2007-01-18 20:05:17 +01:00
|
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
2009-01-28 02:43:55 +01:00
|
|
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
|
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
2007-01-18 20:05:17 +01:00
|
|
|
<refentry>
|
|
|
|
|
<refmeta>
|
|
|
|
|
<refentrytitle>shorewall-nesting</refentrytitle>
|
|
|
|
|
|
|
|
|
|
<manvolnum>5</manvolnum>
|
|
|
|
|
</refmeta>
|
|
|
|
|
|
|
|
|
|
<refnamediv>
|
2008-07-10 19:22:09 +02:00
|
|
|
<refname>nesting</refname>
|
2007-01-18 20:05:17 +01:00
|
|
|
|
|
|
|
|
<refpurpose>Shorewall Nested Zones</refpurpose>
|
|
|
|
|
</refnamediv>
|
|
|
|
|
|
|
|
|
|
<refsynopsisdiv>
|
|
|
|
|
<cmdsynopsis>
|
|
|
|
|
<arg choice="plain"
|
|
|
|
|
rep="norepeat"><replaceable>child-zone</replaceable>[:<replaceable>parent-zone</replaceable>[,<replaceable>parent-zone</replaceable>]...]</arg>
|
|
|
|
|
</cmdsynopsis>
|
|
|
|
|
</refsynopsisdiv>
|
|
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
|
<title>Description</title>
|
|
|
|
|
|
|
|
|
|
<para>In <ulink url="shorewall-zones.html">shorewall-zones</ulink>(5), a
|
|
|
|
|
zone may be declared to be a sub-zone of one or more other zones using the
|
2007-01-28 19:28:13 +01:00
|
|
|
above syntax.</para>
|
2007-01-18 20:05:17 +01:00
|
|
|
|
|
|
|
|
<para>Where zones are nested, the CONTINUE policy in <ulink
|
|
|
|
|
url="shorewall-policy.html">shorewall-policy</ulink>(5) allows hosts that
|
|
|
|
|
are within multiple zones to be managed under the rules of all of these
|
|
|
|
|
zones.</para>
|
|
|
|
|
</refsect1>
|
|
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
|
<title>Example</title>
|
|
|
|
|
|
|
|
|
|
<para><filename>/etc/shorewall/zones</filename>:</para>
|
|
|
|
|
|
|
|
|
|
<programlisting> #ZONE TYPE OPTION
|
|
|
|
|
fw firewall
|
|
|
|
|
net ipv4
|
|
|
|
|
sam:net ipv4
|
|
|
|
|
loc ipv4</programlisting>
|
|
|
|
|
|
|
|
|
|
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
|
|
|
|
|
|
|
|
|
<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
|
|
|
|
|
- eth0 detect dhcp,norfc1918
|
|
|
|
|
loc eth1 detect</programlisting>
|
|
|
|
|
|
|
|
|
|
<para><filename>/etc/shorewall/hosts</filename>:</para>
|
|
|
|
|
|
|
|
|
|
<programlisting> #ZONE HOST(S) OPTIONS
|
|
|
|
|
net eth0:0.0.0.0/0
|
|
|
|
|
sam eth0:206.191.149.197</programlisting>
|
|
|
|
|
|
|
|
|
|
<para><filename>/etc/shorewall/policy</filename>:</para>
|
|
|
|
|
|
|
|
|
|
<programlisting> #SOURCE DEST POLICY LOG LEVEL
|
|
|
|
|
loc net ACCEPT
|
|
|
|
|
sam all CONTINUE
|
|
|
|
|
net all DROP info
|
|
|
|
|
all all REJECT info</programlisting>
|
|
|
|
|
|
|
|
|
|
<para>The second entry above says that when Sam is the client, connection
|
|
|
|
|
requests should first be processed under rules where the source zone is
|
|
|
|
|
sam and if there is no match then the connection request should be treated
|
|
|
|
|
under rules where the source zone is net. It is important that this policy
|
2007-01-28 19:28:13 +01:00
|
|
|
be listed BEFORE the next policy (net to all). You can have this policy
|
|
|
|
|
generated for you automatically by using the IMPLICIT_CONTINUE option in
|
|
|
|
|
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
2007-01-18 20:05:17 +01:00
|
|
|
|
|
|
|
|
<para>Partial <filename>/etc/shorewall/rules</filename>:</para>
|
|
|
|
|
|
|
|
|
|
<programlisting> #ACTION SOURCE DEST PROTO DEST PORT(S)
|
|
|
|
|
...
|
|
|
|
|
DNAT sam loc:192.168.1.3 tcp ssh
|
|
|
|
|
DNAT net loc:192.168.1.5 tcp www
|
|
|
|
|
...</programlisting>
|
|
|
|
|
|
|
|
|
|
<para>Given these two rules, Sam can connect to the firewall's internet
|
|
|
|
|
interface with ssh and the connection request will be forwarded to
|
|
|
|
|
192.168.1.3. Like all hosts in the net zone, Sam can connect to the
|
|
|
|
|
firewall's internet interface on TCP port 80 and the connection request
|
|
|
|
|
will be forwarded to 192.168.1.5. The order of the rules is not
|
|
|
|
|
significant. Sometimes it is necessary to suppress port forwarding for a
|
|
|
|
|
sub-zone. For example, suppose that all hosts can SSH to the firewall and
|
|
|
|
|
be forwarded to 192.168.1.5 EXCEPT Sam. When Sam connects to the
|
|
|
|
|
firewall's external IP, he should be connected to the firewall itself.
|
|
|
|
|
Because of the way that Netfilter is constructed, this requires two rules
|
|
|
|
|
as follows:</para>
|
|
|
|
|
|
|
|
|
|
<programlisting> #ACTION SOURCE DEST PROTO DEST PORT(S)
|
|
|
|
|
...
|
|
|
|
|
ACCEPT+ sam $FW tcp ssh
|
|
|
|
|
DNAT net loc:192.168.1.3 tcp ssh
|
|
|
|
|
...</programlisting>
|
|
|
|
|
|
|
|
|
|
<para>The first rule allows Sam SSH access to the firewall. The second
|
|
|
|
|
rule says that any clients from the net zone with the exception of those
|
|
|
|
|
in the “sam” zone should have their connection port forwarded to
|
|
|
|
|
192.168.1.3. If you need to exclude more than one zone, simply use
|
|
|
|
|
multiple ACCEPT+ rules. This technique also may be used when the ACTION is
|
|
|
|
|
REDIRECT.</para>
|
2008-01-12 00:14:59 +01:00
|
|
|
|
2008-01-14 17:34:26 +01:00
|
|
|
<para>Care must be taken when nesting occurs as a result of the use of
|
|
|
|
|
wildcard interfaces (interface names ends in '+').</para>
|
2008-01-12 00:14:59 +01:00
|
|
|
|
2008-01-13 19:47:06 +01:00
|
|
|
<para>Here's an example. <filename>/etc/shorewall/zones</filename>:</para>
|
2008-01-12 00:14:59 +01:00
|
|
|
|
|
|
|
|
<para><filename>/etc/shorewall/interfaces</filename>:<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
|
|
|
|
|
net ppp0
|
|
|
|
|
loc eth1
|
|
|
|
|
loc ppp+
|
|
|
|
|
dmz eth2</programlisting></para>
|
|
|
|
|
|
|
|
|
|
<para>Because the net zone is declared before the loc zone, net is an
|
|
|
|
|
implicit sub-zone of loc and in the absence of a net->... CONTINUE
|
|
|
|
|
policy, traffic from the net zone will not be passed through loc->...
|
|
|
|
|
rules. But DNAT and REDIRECT rules are an exception!</para>
|
|
|
|
|
|
|
|
|
|
<itemizedlist>
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>DNAT and REDIRECT rules generate two Netfilter rules: a 'nat'
|
|
|
|
|
table rule that rewrites the destination IP address and/or port
|
|
|
|
|
number, and a 'filter' table rule that ACCEPTs the rewritten
|
|
|
|
|
connection.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>Policies only affect the 'filter' table.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
</itemizedlist>
|
|
|
|
|
|
|
|
|
|
<para>As a consequence, the following rules will have unexpected
|
|
|
|
|
behavior:<programlisting> #ACTION SOURCE DEST PROTO DEST
|
|
|
|
|
# PORT(S)
|
|
|
|
|
ACCEPT net dmz tcp 80
|
|
|
|
|
REDIRECT loc 3128 tcp 80</programlisting></para>
|
|
|
|
|
|
|
|
|
|
<para>The second rule is intended to redirect local web requests to a
|
|
|
|
|
proxy running on the firewall and listening on TCP port 3128. But the
|
|
|
|
|
'nat' part of that rule will cause all connection requests for TCP port 80
|
|
|
|
|
arriving on interface ppp+ (including ppp0!) to have their destination
|
|
|
|
|
port rewritten to 3128. Hence, the web server running in the DMZ will be
|
|
|
|
|
inaccessible from the web.</para>
|
|
|
|
|
|
2008-01-13 19:47:06 +01:00
|
|
|
<para>The above problem can be corrected in several ways.</para>
|
|
|
|
|
|
2008-01-14 17:34:26 +01:00
|
|
|
<para>The preferred way is to use the <option>ifname</option> pppd option
|
|
|
|
|
to change the 'net' interface to something other than ppp0. That way, it
|
|
|
|
|
won't match ppp+.</para>
|
|
|
|
|
|
2009-11-26 21:14:58 +01:00
|
|
|
<para>A second way is to simply make the nested zones
|
|
|
|
|
explicit:<programlisting> #ZONE TYPE OPTION
|
2008-01-13 19:47:06 +01:00
|
|
|
fw firewall
|
|
|
|
|
loc ipv4
|
|
|
|
|
net:loc ipv4
|
|
|
|
|
dmz ipv4</programlisting></para>
|
|
|
|
|
|
2009-11-26 21:14:58 +01:00
|
|
|
<para>If you take this approach, be sure to set IMPLICIT_CONTINUE=Yes in
|
2008-01-14 17:34:26 +01:00
|
|
|
<filename>shorewall.conf</filename>.</para>
|
|
|
|
|
|
|
|
|
|
<para>When using other Shorewall versions, another way is to rewrite the
|
2008-01-13 19:47:06 +01:00
|
|
|
DNAT rule (assume that the local zone is entirely within
|
2008-01-12 00:14:59 +01:00
|
|
|
192.168.2.0/23):<programlisting> #ACTION SOURCE DEST PROTO DEST
|
|
|
|
|
# PORT(S)
|
|
|
|
|
ACCEPT net dmz tcp 80
|
|
|
|
|
REDIRECT loc:192.168.2.0/23 3128 tcp 80</programlisting></para>
|
|
|
|
|
|
2008-01-14 17:34:26 +01:00
|
|
|
<para>Another way is to restrict the definition of the loc zone:</para>
|
2008-01-12 00:14:59 +01:00
|
|
|
|
|
|
|
|
<para><filename>/etc/shorewall/interfaces</filename>:<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
|
|
|
|
|
net ppp0
|
|
|
|
|
loc eth1
|
|
|
|
|
- ppp+
|
|
|
|
|
dmz eth2</programlisting></para>
|
|
|
|
|
|
|
|
|
|
<para><filename>/etc/shorewall/hosts</filename>:<programlisting> #ZONE HOST(S) OPTIONS
|
|
|
|
|
loc ppp+:192.168.2.0/23</programlisting></para>
|
2007-01-18 20:05:17 +01:00
|
|
|
</refsect1>
|
|
|
|
|
|
2009-11-26 21:14:58 +01:00
|
|
|
<refsect1 id="Virtual">
|
|
|
|
|
<title>Virtual Zones</title>
|
|
|
|
|
|
|
|
|
|
<para>Beginning with Shorewall 4.4.5, Shorewall allows the declaration of
|
|
|
|
|
<firstterm>virtual</firstterm> zones. A virtual zone has no definition in
|
|
|
|
|
<filename>/etc/shorewall/interfaces</filename> or in
|
|
|
|
|
<filename>/etc/shorewall/hosts</filename>. Rather, it is used as a parent
|
|
|
|
|
zone for other zones in <filename>/etc/shorewall/zones</filename>.</para>
|
|
|
|
|
|
|
|
|
|
<para>Example:</para>
|
|
|
|
|
|
|
|
|
|
<para><filename>/etc/shorewall/zones</filename>:</para>
|
|
|
|
|
|
|
|
|
|
<programlisting> #ZONE TYPE OPTIONS
|
|
|
|
|
fw firewall
|
|
|
|
|
net ipv4
|
2009-11-28 16:19:10 +01:00
|
|
|
loc ipv4 virtual
|
2009-11-26 21:14:58 +01:00
|
|
|
loc1:loc ipv4
|
|
|
|
|
loc2:loc ipv4</programlisting>
|
|
|
|
|
|
|
|
|
|
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
|
|
|
|
|
|
|
|
|
<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
|
|
|
|
|
net eth0 detect dhcp,tcpflags,nosmurfs,routefilter,logmartians
|
|
|
|
|
- eth1 detect tcpflags,nosmurfs,routefilter,logmartians</programlisting>
|
|
|
|
|
|
|
|
|
|
<para><filename>/etc/shorewall/hosts</filename>:</para>
|
|
|
|
|
|
|
|
|
|
<programlisting> #ZONE HOST(S) OPTIONS
|
|
|
|
|
loc1 eth1:192.168.1.0/24
|
|
|
|
|
loc2 eth1:192.168.2.0/24</programlisting>
|
|
|
|
|
|
|
|
|
|
<para>There are several restrictions on virtual zones:</para>
|
|
|
|
|
|
|
|
|
|
<itemizedlist>
|
2009-11-28 16:19:10 +01:00
|
|
|
<listitem>
|
|
|
|
|
<para>They must have type <option>ipv4</option>.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
|
2009-11-26 21:14:58 +01:00
|
|
|
<listitem>
|
|
|
|
|
<para>A maximum of four virtual zones may be defined.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>They should not be used with IMPLICIT_CONTINUE=Yes in <ulink
|
|
|
|
|
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
</itemizedlist>
|
|
|
|
|
|
|
|
|
|
<para>When a connection request to/from a sub-zone of a virtual zone does
|
|
|
|
|
not match the rules for the sub-zone, the connection is compared against
|
|
|
|
|
the rules (and policies) for the parent virtual zone.</para>
|
|
|
|
|
</refsect1>
|
|
|
|
|
|
2007-01-18 20:05:17 +01:00
|
|
|
<refsect1>
|
|
|
|
|
<title>FILES</title>
|
|
|
|
|
|
|
|
|
|
<para>/etc/shorewall/zones</para>
|
|
|
|
|
|
|
|
|
|
<para>/etc/shorewall/interfaces</para>
|
|
|
|
|
|
|
|
|
|
<para>/etc/shorewall/hosts</para>
|
|
|
|
|
|
|
|
|
|
<para>/etc/shorewall/policy</para>
|
|
|
|
|
|
|
|
|
|
<para>/etc/shorewall/rules</para>
|
|
|
|
|
</refsect1>
|
|
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
|
<title>See ALSO</title>
|
|
|
|
|
|
|
|
|
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
|
|
|
|
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
|
|
|
|
|
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
|
|
|
|
|
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
|
|
|
|
|
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
|
|
|
|
|
shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
|
|
|
|
|
shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
|
|
|
|
|
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
|
|
|
|
|
shorewall-zones(5)</para>
|
|
|
|
|
</refsect1>
|
2009-01-28 02:43:55 +01:00
|
|
|
</refentry>
|
