Content moved to whitelisting_under_shorewall.xml

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@901 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2003-12-22 19:03:04 +00:00 · 2003-12-22 19:03:04 +00:00 · 52a1d539cb
commit 52a1d539cb
parent 228e25fba0
1 changed files with 0 additions and 267 deletions
--- a/Shorewall-docs/whitelisting_under_shorewall.htm
+++ b/Shorewall-docs/whitelisting_under_shorewall.htm
@ -1,267 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-<html>
-<head>
-  <meta http-equiv="Content-Language" content="en-us">
-  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-  <meta name="ProgId" content="FrontPage.Editor.Document">
-  <meta http-equiv="Content-Type"
- content="text/html; charset=windows-1252">
-  <title>Whitelisting under Shorewall</title>
-</head>
-<body>
-<h1 style="text-align: center;">Whitelisting under Shorewall<br>
-</h1>
-<p align="left">For a brief time, the 1.2 version of Shorewall
-supported
-an /etc/shorewall/whitelist file. This file was intended to contain a
-list
-of IP addresses of hosts whose POLICY to all zones was ACCEPT. The
-whitelist file was implemented as a stop-gap measure until the
-facilities necessary for implementing white lists using zones was in
-place. As of Version 1.3 RC1, those facilities were available.</p>
-<p align="left">White lists are most often used to give special
-privileges to a set&nbsp; of hosts within an organization. Let us
-suppose that we have the following environment:</p>
-<ul>
-  <li>A firewall with three interfaces -- one to the internet, one to a
-local network and one to a DMZ.</li>
-  <li>The local network uses SNAT to the internet and is comprised of
-the class B network 10.10.0.0/16 (Note: While this example uses an RFC
-1918 local network, the technique described here in no way depends on
-that or on SNAT. It may be used with Proxy ARP, Subnet Routing, Static
-NAT, etc.).</li>
-  <li>The network operations staff have workstations with IP addresses
-in the class C network 10.10.10.0/24</li>
-  <li>We want the network operations staff to have full access to all
-other hosts.</li>
-  <li>We want the network operations staff to bypass the transparent
-HTTP proxy running on our firewall.</li>
-</ul>
-<p align="left">The basic approach will be that we will place the
-operations staff's class C in its own zone called <b>ops</b>. Here are
-the appropriate configuration files:</p>
-<h2 align="left">Zone File</h2>
-<blockquote>
-  <table border="2">
-    <tbody>
-      <tr>
-        <td><b> ZONE</b></td>
-        <td><b> DISPLAY</b></td>
-        <td><b> COMMENTS</b></td>
-      </tr>
-      <tr>
-        <td>net</td>
-        <td>Net</td>
-        <td>Internet</td>
-      </tr>
-      <tr>
-        <td>ops</td>
-        <td>Operations</td>
-        <td>Operations Staff's Class C</td>
-      </tr>
-      <tr>
-        <td>loc</td>
-        <td>Local</td>
-        <td>Local Class B</td>
-      </tr>
-      <tr>
-        <td>dmz</td>
-        <td>DMZ</td>
-        <td>Demilitarized zone</td>
-      </tr>
-    </tbody>
-  </table>
-</blockquote>
-<p>The <b>ops </b>zone has been added to the standard 3-zone zones
-file -- since <b>ops</b> is a sub-zone of <b>loc</b>, we list it <u>BEFORE</u>
-<b>loc</b>.</p>
-<h2>Interfaces File</h2>
-<blockquote>
-  <table border="2">
-    <tbody>
-      <tr>
-        <td><b> ZONE</b></td>
-        <td><b> INTERFACE</b></td>
-        <td><b> BROADCAST</b></td>
-        <td><b> OPTIONS</b></td>
-      </tr>
-      <tr>
-        <td>net</td>
-        <td>eth0</td>
-        <td>&lt;whatever&gt;</td>
-        <td>&lt;options&gt;</td>
-      </tr>
-      <tr>
-        <td>dmz</td>
-        <td>eth1</td>
-        <td>&lt;whatever&gt;</td>
-        <td><br>
-        </td>
-      </tr>
-      <tr>
-        <td>-</td>
-        <td>eth2</td>
-        <td>10.10.255.255</td>
-        <td>&nbsp;</td>
-      </tr>
-    </tbody>
-  </table>
-</blockquote>
-<p>Because <b>eth2</b> interfaces to two zones (<b>ops</b> and <b>loc)</b>,
-we don't specify a zone for it here.</p>
-<h2>Hosts File</h2>
-<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
-  <table border="2">
-    <tbody>
-      <tr>
-        <td><b> ZONE</b></td>
-        <td><b> HOST(S)</b></td>
-        <td><b> OPTIONS</b></td>
-      </tr>
-      <tr>
-        <td>ops</td>
-        <td>eth2:10.10.10.0/24</td>
-        <td><br>
-        </td>
-      </tr>
-      <tr>
-        <td>loc</td>
-        <td>eth2:0.0.0.0/0</td>
-        <td>&nbsp;</td>
-      </tr>
-    </tbody>
-  </table>
-</blockquote>
-<p>Here we define the <b>ops</b> and <b>loc</b> zones. When Shorewall
-is stopped,
-only the hosts in the <b>ops</b> zone will be allowed to access the
-firewall
-and the DMZ. I use 0.0.0.0/0 to define the <b>loc</b> zone rather than
-10.10.0.0/16
-so that the limited broadcast address (255.255.255.255) falls into that
-zone. If I used 10.10.0.0/16 then I would have to have a separate entry
-for that special address.</p>
-<h2>Policy File</h2>
-<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
-  <table border="2">
-    <tbody>
-      <tr>
-        <td><b>SOURCE</b></td>
-        <td><b>DEST</b></td>
-        <td><b> POLICY</b></td>
-        <td><b> LOG LEVEL</b></td>
-        <td><b>LIMIT:BURST</b></td>
-      </tr>
-      <tr>
-        <td><font color="#0000ff">ops</font></td>
-        <td><font color="#0000ff">all</font></td>
-        <td><font color="#0000ff">ACCEPT</font></td>
-        <td>&nbsp;</td>
-        <td>&nbsp;</td>
-      </tr>
-      <tr>
-        <td><font color="#0000ff">all</font></td>
-        <td><font color="#0000ff">ops</font></td>
-        <td><font color="#0000ff">CONTINUE</font></td>
-        <td>&nbsp;</td>
-        <td>&nbsp;</td>
-      </tr>
-      <tr>
-        <td>loc</td>
-        <td>net</td>
-        <td>ACCEPT</td>
-        <td>&nbsp;</td>
-        <td>&nbsp;</td>
-      </tr>
-      <tr>
-        <td>net</td>
-        <td>all</td>
-        <td>DROP</td>
-        <td>info</td>
-        <td>&nbsp;</td>
-      </tr>
-      <tr>
-        <td>all</td>
-        <td>all</td>
-        <td>REJECT</td>
-        <td>info</td>
-        <td>&nbsp;</td>
-      </tr>
-    </tbody>
-  </table>
-</blockquote>
-<p>Two entries for <b>ops</b> have been added to the standard 3-zone
-policy file.<font color="#ff0000"><b></b></font></p>
-<h2>Rules File</h2>
-<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
-  <table border="2">
-    <tbody>
-      <tr>
-        <td><b>ACTION</b></td>
-        <td><b>SOURCE</b></td>
-        <td><b>DEST</b></td>
-        <td><b> PROTO</b></td>
-        <td><b>DEST<br>
-PORT(S)</b></td>
-        <td><b>SOURCE<br>
-PORT(S)</b></td>
-        <td><b>ORIGINAL<br>
-DEST</b></td>
-      </tr>
-      <tr>
-        <td>REDIRECT</td>
-        <td>loc!ops</td>
-        <td>3128</td>
-        <td>tcp</td>
-        <td>http</td>
-        <td>&nbsp;</td>
-        <td>&nbsp;</td>
-      </tr>
-      <tr>
-        <td>...</td>
-        <td>&nbsp;</td>
-        <td>&nbsp;</td>
-        <td>&nbsp;</td>
-        <td>&nbsp;</td>
-        <td>&nbsp;</td>
-        <td>&nbsp;</td>
-      </tr>
-    </tbody>
-  </table>
-</blockquote>
-<p>This is the rule that transparently redirects web traffic to the
-transparent proxy running on the firewall. The SOURCE column explicitly
-excludes the <b>ops</b> zone from the rule.</p>
-<h2>Routestopped File</h2>
-<blockquote>
-  <table border="2">
-    <tbody>
-      <tr>
-        <td><b>INTERFACE</b><br>
-        </td>
-        <td><b> HOST(S)</b></td>
-      </tr>
-      <tr>
-        <td valign="top">eth1<br>
-        </td>
-        <td valign="top"><br>
-        </td>
-      </tr>
-      <tr>
-        <td>eth2<br>
-        </td>
-        <td>10.10.10.0/24</td>
-      </tr>
-    </tbody>
-  </table>
-  <br>
-</blockquote>
-<p><font size="2"> Updated 2/18/2003 - <a href="support.htm">Tom Eastep</a>
-</font></p>
-<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
-© <font size="2">2002, 2003Thomas M. Eastep.</font></a></font></p>
-<br>
-<br>
-<br>
-</body>
-</html>