holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Minor code cleanups.

Browse Source 
Adding <?dbtimestamp format="Y/m/d"?> to pubdate(s) to reflect date
which document itself was built.


git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1038 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
pauls 2003-12-30 19:14:14 +00:00
parent e4b9496129
commit 5b01e057df
1 changed files with 227 additions and 266 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

491
Shorewall-docs/whitelisting_under_shorewall.xml
View File

@ -1,423 +1,384 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> <!-- $Id$ -->
<article id="whitelisting_under_shorewall"> <article id="whitelisting_under_shorewall">
<!-- $Id$ -->
<articleinfo> <articleinfo>
<title>Whitelisting Under Shorewall</title> <title>Whitelisting Under Shorewall</title>
<author> <author>
<firstname>Tom</firstname> <firstname>Tom</firstname>
<surname>Eastep</surname> <surname>Eastep</surname>
</author> </author>
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<pubdate>2003-12-22</pubdate>
<copyright> <copyright>
<year>2002</year>
<year>2003</year> <year>2003</year>
<year>2004</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
<legalnotice> <legalnotice>
<para>Permission is granted to copy, distribute and/or modify this <para>
document under the terms of the GNU Free Documentation License, Version Permission is granted to copy, distribute and/or modify this
1.2 or any later version published by the Free Software Foundation; with document under the terms of the GNU Free Documentation License, Version
no Invariant Sections, with no Front-Cover, and with no Back-Cover 1.2 or any later version published by the Free Software Foundation; with
Texts. A copy of the license is included in the section entitled no Invariant Sections, with no Front-Cover, and with no Back-Cover
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para> Texts. A copy of the license is included in the section entitled <quote><ulink url="copyright.htm" type="">GNU Free Documentation License</ulink></quote>.
</para>
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
<para>
<para>For a brief time, the 1.2 version of Shorewall supported an For a brief time, the 1.2 version of Shorewall supported an <literal>/etc/shorewall/whitelist</literal> file. This file was intended to contain a
<literal>/etc/shorewall/whitelist</literal> file. This file was intended to list of IP addresses of hosts whose POLICY to all zones was ACCEPT. The whitelist file was implemented as a stop-gap measure until the
contain a list of IP addresses of hosts whose POLICY to all zones was facilities necessary for implementing white lists using zones was in place. As of Version <literal>1.3 RC1</literal>, those facilities were available.
ACCEPT. The whitelist file was implemented as a stop-gap measure until the </para>
facilities necessary for implementing white lists using zones was in place. <para>
As of Version <literal>1.3 RC1</literal>, those facilities were available.</para> White lists are most often used to give special privileges to a set of hosts within an organization. Let us suppose that we have the following environment:
</para>
<para>White lists are most often used to give special privileges to a set of
hosts within an organization. Let us suppose that we have the following
environment:</para>
<itemizedlist mark="bullet" spacing="compact"> <itemizedlist mark="bullet" spacing="compact">
<listitem> <listitem>
<para>A firewall with three interfaces -- one to the Internet, one to a <para>
local network and one to a <acronym>DMZ</acronym>.</para> A firewall with three interfaces -- one to the Internet, one to a local network and one to a <acronym>DMZ</acronym>.
</para>
</listitem> </listitem>
<listitem> <listitem>
<para>The local network uses <acronym>SNAT</acronym> to the internet and <para>
is comprised of the Class B network <literal>10.10.0.0/16</literal> The local network uses <acronym>SNAT</acronym> to the internet and is comprised of the Class B network <literal>10.10.0.0/16</literal> (Note: While this example uses an RFC 1918 local network, the technique described here in no way depends on that or on <acronym>SNAT</acronym>. It may be used with Proxy <acronym>ARP</acronym>, Subnet Routing, Static NAT, etc.).
(Note: While this example uses an RFC 1918 local network, the technique </para>
described here in no way depends on that or on <acronym>SNAT</acronym>.
It may be used with Proxy <acronym>ARP</acronym>, Subnet Routing, Static
NAT, etc.).</para>
</listitem> </listitem>
<listitem> <listitem>
<para>The network operations staff have workstations with IP addresses <para>
in the Class C network <literal>10.10.10.0/24</literal>.</para> The network operations staff have workstations with IP addresses in the Class C network <literal>10.10.10.0/24</literal>.
</para>
</listitem> </listitem>
<listitem> <listitem>
<para>We want the network operations staff to have full access to all <para>
other hosts.</para> We want the network operations staff to have full access to all other hosts.
</para>
</listitem> </listitem>
<listitem> <listitem>
<para>We want the network operations staff to bypass the transparent <para>
<acronym>HTTP</acronym> proxy running on our firewall.</para> We want the network operations staff to bypass the transparent <acronym>HTTP</acronym> proxy running on our firewall.
</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>
<para>The basic approach will be that we will place the operations The basic approach will be that we will place the operations staff's class C in its own zone called ops. Here are the appropriate configuration files:
staff&#39;s class C in its own zone called ops. Here are the appropriate </para>
configuration files:</para> <!-- Zone File -->
<!-- Zone File -->
<bridgehead renderas="sect4">Zone File</bridgehead> <bridgehead renderas="sect4">Zone File</bridgehead>
<informaltable colsep="1" pgwide="0"> <informaltable colsep="1" pgwide="0">
<tgroup align="left" cols="3"> <tgroup cols="3" align="left">
<thead valign="middle"> <thead valign="middle">
<row valign="middle"> <row valign="middle">
<entry align="left">ZONE</entry> <entry align="left">ZONE</entry>
<entry align="left">DISPLAY</entry> <entry align="left">DISPLAY</entry>
<entry align="left">COMMENTS</entry> <entry align="left">COMMENTS</entry>
</row> </row>
</thead> </thead>
<tbody valign="middle"> <tbody valign="middle">
<row valign="middle"> <row valign="middle">
<entry align="left"><literal>net</literal></entry> <entry align="left">
<literal>net</literal>
</entry>
<entry align="left">Net</entry> <entry align="left">Net</entry>
<entry align="left">Internet</entry> <entry align="left">Internet</entry>
</row> </row>
<row valign="middle"> <row valign="middle">
<entry align="left"><literal>ops</literal></entry> <entry align="left">
<literal>ops</literal>
</entry>
<entry align="left">Operations</entry> <entry align="left">Operations</entry>
<entry align="left">Operations Staff's Class C</entry>
<entry align="left">Operations Staff&#39;s Class C</entry>
</row> </row>
<row valign="middle"> <row valign="middle">
<entry align="left"><literal>loc</literal></entry> <entry align="left">
<literal>loc</literal>
</entry>
<entry align="left">Local</entry> <entry align="left">Local</entry>
<entry align="left">Local Class B</entry> <entry align="left">Local Class B</entry>
</row> </row>
<row valign="middle"> <row valign="middle">
<entry align="left"><literal>dmz</literal></entry> <entry align="left">
<literal>dmz</literal>
</entry>
<entry align="left">DMZ</entry> <entry align="left">DMZ</entry>
<entry align="left">Demilitarized zone</entry> <entry align="left">Demilitarized zone</entry>
</row> </row>
</tbody> </tbody>
</tgroup> </tgroup>
</informaltable> </informaltable>
<para>
<para>The <literal>ops</literal> zone has been added to the standard 3-zone The <literal>ops</literal> zone has been added to the standard 3-zone zones
zones file -- since <literal>ops</literal> is a sub-zone of file -- since <literal>ops</literal> is a sub-zone of <literal>loc</literal>, we list it <emphasis>BEFORE</emphasis>
<literal>loc</literal>, we list it <emphasis>BEFORE</emphasis> <literal>loc</literal>.
<literal>loc</literal>.</para> </para>
<!-- Interfaces File -->
<!-- Interfaces File -->
<bridgehead renderas="sect4">Interfaces File</bridgehead> <bridgehead renderas="sect4">Interfaces File</bridgehead>
<informaltable colsep="1" pgwide="0"> <informaltable colsep="1" pgwide="0">
<tgroup align="left" cols="4"> <tgroup cols="4" align="left">
<thead valign="middle"> <thead valign="middle">
<row valign="middle"> <row valign="middle">
<entry align="left">ZONE</entry> <entry align="left">ZONE</entry>
<entry align="left">INTERFACE</entry> <entry align="left">INTERFACE</entry>
<entry align="left">BROADCAST</entry> <entry align="left">BROADCAST</entry>
<entry align="left">OPTIONS</entry> <entry align="left">OPTIONS</entry>
</row> </row>
</thead> </thead>
<tbody valign="middle"> <tbody valign="middle">
<row valign="middle"> <row valign="middle">
<entry align="left"><literal>net</literal></entry> <entry align="left">
<literal>net</literal>
<entry align="left"><literal>eth0</literal></entry> </entry>
<entry align="left">
<entry align="left">&#60;whatever&#62;</entry> <literal>eth0</literal>
</entry>
<entry align="left">&#60;options&#62;</entry> <entry align="left">&lt;whatever&gt;</entry>
<entry align="left">&lt;options&gt;</entry>
</row> </row>
<row valign="middle"> <row valign="middle">
<entry align="left"><literal>dmz</literal></entry> <entry align="left">
<literal>dmz</literal>
<entry align="left"><literal>eth1</literal></entry> </entry>
<entry align="left">
<entry align="left">&#60;whatever&#62;</entry> <literal>eth1</literal>
</entry>
<entry align="left"></entry> <entry align="left">&lt;whatever&gt;</entry>
<entry align="left"/>
</row> </row>
<row> <row>
<entry align="left"><literal>-</literal></entry> <entry align="left">
<literal>-</literal>
<entry align="left"><literal>eth2</literal></entry> </entry>
<entry align="left">
<entry align="left"><literal>10.10.255.255</literal></entry> <literal>eth2</literal>
</entry>
<entry align="left"></entry> <entry align="left">
<literal>10.10.255.255</literal>
</entry>
<entry align="left"/>
</row> </row>
</tbody> </tbody>
</tgroup> </tgroup>
</informaltable> </informaltable>
<para>
<para>Because <literal>eth2</literal> interfaces to two zones (<literal>ops</literal> Because <literal>eth2</literal> interfaces to two zones (<literal>ops</literal> and <literal>loc</literal>), we don't specify a zone for it here.
and <literal>loc</literal>), we don&#39;t specify a zone for it here.</para> </para>
<!-- Hosts File -->
<!-- Hosts File -->
<bridgehead renderas="sect4">Hosts File</bridgehead> <bridgehead renderas="sect4">Hosts File</bridgehead>
<informaltable colsep="1" pgwide="0"> <informaltable colsep="1" pgwide="0">
<tgroup align="left" cols="3"> <tgroup cols="3" align="left">
<thead valign="middle"> <thead valign="middle">
<row valign="middle"> <row valign="middle">
<entry align="left">ZONE</entry> <entry align="left">ZONE</entry>
<entry align="left">HOST(S)</entry> <entry align="left">HOST(S)</entry>
<entry align="left">OPTIONS</entry> <entry align="left">OPTIONS</entry>
</row> </row>
</thead> </thead>
<tbody valign="middle"> <tbody valign="middle">
<row valign="middle"> <row valign="middle">
<entry align="left"><literal>ops</literal></entry> <entry align="left">
<literal>ops</literal>
<entry align="left"><literal>eth2:10.10.10.0/24</literal></entry> </entry>
<entry align="left">
<entry align="left"></entry> <literal>eth2:10.10.10.0/24</literal>
</entry>
<entry align="left"/>
</row> </row>
<row valign="middle"> <row valign="middle">
<entry align="left"><literal>loc</literal></entry> <entry align="left">
<literal>loc</literal>
<entry align="left"><literal>eth2:0.0.0.0/0</literal></entry> </entry>
<entry align="left">
<entry align="left"></entry> <literal>eth2:0.0.0.0/0</literal>
</entry>
<entry align="left"/>
</row> </row>
</tbody> </tbody>
</tgroup> </tgroup>
</informaltable> </informaltable>
<para>
<para>Here we define the <literal>ops</literal> and <literal>loc</literal> Here we define the <literal>ops</literal> and <literal>loc</literal> zones. When Shorewall is stopped, only the hosts in the <literal>ops</literal> zone will be allowed to access the firewall and the <acronym>DMZ</acronym>. I use <literal>0.0.0.0/0</literal> to define the <literal>loc</literal> zone rather than <literal>10.10.0.0/16</literal> so that the limited broadcast address (<literal>255.255.255.255</literal>) falls into that zone. If I used <literal>10.10.0.0/16</literal> then I would have to have a separate entry for that special address.
zones. When Shorewall is stopped, only the hosts in the <literal>ops</literal> </para>
zone will be allowed to access the firewall and the <acronym>DMZ</acronym>. <!-- Policy File -->
I use <literal>0.0.0.0/0</literal> to define the <literal>loc</literal> zone
rather than <literal>10.10.0.0/16</literal> so that the limited broadcast
address (<literal>255.255.255.255</literal>) falls into that zone. If I used
<literal>10.10.0.0/16</literal> then I would have to have a separate entry
for that special address.</para>
<!-- Policy File -->
<bridgehead renderas="sect4">Policy File</bridgehead> <bridgehead renderas="sect4">Policy File</bridgehead>
<informaltable colsep="1" pgwide="0"> <informaltable colsep="1" pgwide="0">
<tgroup align="left" cols="5"> <tgroup align="left" cols="5">
<thead valign="middle"> <thead valign="middle">
<row valign="middle"> <row valign="middle">
<entry align="left">SOURCE</entry> <entry align="left">SOURCE</entry>
<entry align="left">DEST</entry> <entry align="left">DEST</entry>
<entry align="left">POLICY</entry> <entry align="left">POLICY</entry>
<entry align="left">LOG LEVEL</entry> <entry align="left">LOG LEVEL</entry>
<entry align="left">LIMIT BURST</entry> <entry align="left">LIMIT BURST</entry>
</row> </row>
</thead> </thead>
<tbody> <tbody>
<row valign="middle"> <row valign="middle">
<entry align="left"><!-- To color the cell grey, uncomment the following 2 lines <entry align="left">
<!-- To color the cell grey, uncomment the following 2 lines
<?dbhtml bgcolor="#EEEEEE" ?> <?dbhtml bgcolor="#EEEEEE" ?>
<?dbfo bgcolor="#EEEEEE" ?> <?dbfo bgcolor="#EEEEEE" ?>
--> <emphasis role="bold"> <literal>ops</literal> </emphasis></entry> -->
<emphasis role="bold">
<entry align="left"><emphasis role="bold"> <literal>all</literal> <literal>ops</literal>
</emphasis></entry> </emphasis>
</entry>
<entry align="left"><emphasis role="bold"> <literal>ACCEPT</literal> <entry align="left">
</emphasis></entry> <emphasis role="bold">
<literal>all</literal>
<entry align="left"></entry> </emphasis>
</entry>
<entry align="left"></entry> <entry align="left">
<emphasis role="bold">
<literal>ACCEPT</literal>
</emphasis>
</entry>
<entry align="left"/>
<entry align="left"/>
</row> </row>
<row valign="middle"> <row valign="middle">
<entry align="left"><emphasis role="bold"> <literal>all</literal> <entry align="left">
</emphasis></entry> <emphasis role="bold">
<literal>all</literal>
<entry align="left"><emphasis role="bold"> <literal>ops</literal> </emphasis>
</emphasis></entry> </entry>
<entry align="left">
<entry align="left"><emphasis role="bold"> <literal>CONTINUE</literal> <emphasis role="bold">
</emphasis></entry> <literal>ops</literal>
</emphasis>
<entry align="left"></entry> </entry>
<entry align="left">
<entry align="left"></entry> <emphasis role="bold">
<literal>CONTINUE</literal>
</emphasis>
</entry>
<entry align="left"/>
<entry align="left"/>
</row> </row>
<row valign="middle"> <row valign="middle">
<entry align="left"><literal>loc</literal></entry> <entry align="left">
<literal>loc</literal>
<entry align="left"><literal>net</literal></entry> </entry>
<entry align="left">
<entry align="left"><literal>ACCEPT</literal></entry> <literal>net</literal>
</entry>
<entry align="left"></entry> <entry align="left">
<literal>ACCEPT</literal>
<entry align="left"></entry> </entry>
<entry align="left"/>
<entry align="left"/>
</row> </row>
<row valign="middle"> <row valign="middle">
<entry align="left"><literal>net</literal></entry> <entry align="left">
<literal>net</literal>
<entry align="left"><literal>all</literal></entry> </entry>
<entry align="left">
<entry align="left"><literal>DROP</literal></entry> <literal>all</literal>
</entry>
<entry align="left"><literal>info</literal></entry> <entry align="left">
<literal>DROP</literal>
<entry align="left"></entry> </entry>
<entry align="left">
<literal>info</literal>
</entry>
<entry align="left"/>
</row> </row>
<row valign="middle"> <row valign="middle">
<entry align="left"><literal>all</literal></entry> <entry align="left">
<literal>all</literal>
<entry align="left"><literal>all</literal></entry> </entry>
<entry align="left">
<entry align="left"><literal>REJECT</literal></entry> <literal>all</literal>
</entry>
<entry align="left"><literal>info</literal></entry> <entry align="left">
<literal>REJECT</literal>
<entry align="left"></entry> </entry>
<entry align="left">
<literal>info</literal>
</entry>
<entry align="left"/>
</row> </row>
</tbody> </tbody>
</tgroup> </tgroup>
</informaltable> </informaltable>
<para>
<para>Two entries for <literal>ops</literal> (in bold) have been added to Two entries for <literal>ops</literal> (in bold) have been added to the standard 3-zone policy file.
the standard 3-zone policy file.</para> </para>
<!-- Rules File -->
<!-- Rules File -->
<bridgehead renderas="sect4">Rules File</bridgehead> <bridgehead renderas="sect4">Rules File</bridgehead>
<informaltable colsep="1" pgwide="0"> <informaltable colsep="1" pgwide="0">
<tgroup align="left" cols="7"> <tgroup align="left" cols="7">
<thead valign="middle"> <thead valign="middle">
<row valign="middle"> <row valign="middle">
<entry align="left">ACTION</entry> <entry align="left">ACTION</entry>
<entry align="left">SOURCE</entry> <entry align="left">SOURCE</entry>
<entry align="left">DEST</entry> <entry align="left">DEST</entry>
<entry align="left">PROTO</entry> <entry align="left">PROTO</entry>
<entry align="left">DEST PORT(S)</entry> <entry align="left">DEST PORT(S)</entry>
<entry align="left">SOURCE PORT(S)</entry> <entry align="left">SOURCE PORT(S)</entry>
<entry align="left">ORIGINAL DEST</entry> <entry align="left">ORIGINAL DEST</entry>
</row> </row>
</thead> </thead>
<tbody> <tbody>
<row valign="middle"> <row valign="middle">
<entry align="left"><literal>REDIRECT</literal></entry> <entry align="left">
<literal>REDIRECT</literal>
<entry align="left"><literal>loc!ops</literal></entry> </entry>
<entry align="left">
<entry align="left"><literal>3128</literal></entry> <literal>loc!ops</literal>
</entry>
<entry align="left"><literal>tcp</literal></entry> <entry align="left">
<literal>3128</literal>
<entry align="left"><literal>http</literal></entry> </entry>
<entry align="left">
<entry align="left"></entry> <literal>tcp</literal>
</entry>
<entry align="left"></entry> <entry align="left">
<literal>http</literal>
</entry>
<entry align="left"/>
<entry align="left"/>
</row> </row>
<row valign="middle"> <row valign="middle">
<entry align="left"><literal>...</literal></entry> <entry align="left">
<literal>...</literal>
<entry align="left"></entry> </entry>
<entry align="left"/>
<entry align="left"></entry> <entry align="left"/>
<entry align="left"/>
<entry align="left"></entry> <entry align="left"/>
<entry align="left"/>
<entry align="left"></entry> <entry align="left"/>
<entry align="left"></entry>
<entry align="left"></entry>
</row> </row>
</tbody> </tbody>
</tgroup> </tgroup>
</informaltable> </informaltable>
<para>
<para>This is the rule that transparently redirects web traffic to the This is the rule that transparently redirects web traffic to the transparent proxy running on the firewall. The <emphasis role="bold">SOURCE</emphasis> column explicitly excludes the <literal>ops</literal> zone from the rule.
transparent proxy running on the firewall. The <emphasis role="bold">SOURCE</emphasis> </para>
column explicitly excludes the <literal>ops</literal> zone from the rule.</para> <!-- Routestopped File -->
<!-- Routestopped File -->
<bridgehead renderas="sect4">Routestopped File</bridgehead> <bridgehead renderas="sect4">Routestopped File</bridgehead>
<informaltable colsep="1" pgwide="0"> <informaltable colsep="1" pgwide="0">
<tgroup align="left" cols="2"> <tgroup align="left" cols="2">
<thead valign="middle"> <thead valign="middle">
<row valign="middle"> <row valign="middle">
<entry align="left">INTERFACE</entry> <entry align="left">INTERFACE</entry>
<entry align="left">HOST(S))</entry> <entry align="left">HOST(S))</entry>
</row> </row>
</thead> </thead>
<tbody> <tbody>
<row valign="middle"> <row valign="middle">
<entry align="left"><literal>eth1</literal></entry> <entry align="left">
<literal>eth1</literal>
<entry align="left"></entry> </entry>
<entry align="left"/>
</row> </row>
<row valign="middle"> <row valign="middle">
<entry align="left"><literal>eth2</literal></entry> <entry align="left">
<literal>eth2</literal>
<entry align="left"><literal>10.10.10.0/24</literal></entry> </entry>
<entry align="left">
<literal>10.10.10.0/24</literal>
</entry>
</row> </row>
</tbody> </tbody>
</tgroup> </tgroup>