<?xml version="1.0" encoding="UTF-8"?>
<refentry>
  <refmeta>
    <refentrytitle>shorewall-nesting</refentrytitle>

    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>Nesting</refname>

    <refpurpose>Shorewall Nested Zones</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <arg choice="plain"
      rep="norepeat"><replaceable>child-zone</replaceable>[:<replaceable>parent-zone</replaceable>[,<replaceable>parent-zone</replaceable>]...]</arg>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>In <ulink url="shorewall-zones.html">shorewall-zones</ulink>(5), a
    zone may be declared to be a sub-zone of one or more other zones using the
    above syntax.</para>

    <para>Where zones are nested, the CONTINUE policy in <ulink
    url="shorewall-policy.html">shorewall-policy</ulink>(5) allows hosts that
    are within multiple zones to be managed under the rules of all of these
    zones.</para>
  </refsect1>

  <refsect1>
    <title>Example</title>

    <para><filename>/etc/shorewall/zones</filename>:</para>

    <programlisting>        #ZONE    TYPE        OPTION
        fw       firewall
        net      ipv4
        sam:net  ipv4
        loc      ipv4</programlisting>

    <para><filename>/etc/shorewall/interfaces</filename>:</para>

    <programlisting>        #ZONE     INTERFACE     BROADCAST     OPTIONS
        -         eth0          detect        dhcp,norfc1918
        loc       eth1          detect</programlisting>

    <para><filename>/etc/shorewall/hosts</filename>:</para>

    <programlisting>        #ZONE     HOST(S)                     OPTIONS
        net       eth0:0.0.0.0/0
        sam       eth0:206.191.149.197</programlisting>

    <para><filename>/etc/shorewall/policy</filename>:</para>

    <programlisting>        #SOURCE      DEST        POLICY       LOG LEVEL
        loc          net         ACCEPT
        sam          all         CONTINUE
        net          all         DROP         info
        all          all         REJECT       info</programlisting>

    <para>The second entry above says that when Sam is the client, connection
    requests should first be processed under rules where the source zone is
    sam and if there is no match then the connection request should be treated
    under rules where the source zone is net. It is important that this policy
    be listed BEFORE the next policy (net to all). You can have this policy
    generated for you automatically by using the IMPLICIT_CONTINUE option in
    <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>

    <para>Partial <filename>/etc/shorewall/rules</filename>:</para>

    <programlisting>        #ACTION   SOURCE    DEST            PROTO    DEST PORT(S)
        ...
        DNAT      sam       loc:192.168.1.3 tcp      ssh
        DNAT      net       loc:192.168.1.5 tcp      www
        ...</programlisting>

    <para>Given these two rules, Sam can connect to the firewall's internet
    interface with ssh and the connection request will be forwarded to
    192.168.1.3. Like all hosts in the net zone, Sam can connect to the
    firewall's internet interface on TCP port 80 and the connection request
    will be forwarded to 192.168.1.5. The order of the rules is not
    significant. Sometimes it is necessary to suppress port forwarding for a
    sub-zone. For example, suppose that all hosts can SSH to the firewall and
    be forwarded to 192.168.1.5 EXCEPT Sam. When Sam connects to the
    firewall's external IP, he should be connected to the firewall itself.
    Because of the way that Netfilter is constructed, this requires two rules
    as follows:</para>

    <programlisting>        #ACTION   SOURCE    DEST            PROTO    DEST PORT(S)
        ...
        ACCEPT+   sam       $FW             tcp      ssh
        DNAT      net       loc:192.168.1.3 tcp      ssh
        ...</programlisting>

    <para>The first rule allows Sam SSH access to the firewall. The second
    rule says that any clients from the net zone with the exception of those
    in the “sam” zone should have their connection port forwarded to
    192.168.1.3. If you need to exclude more than one zone, simply use
    multiple ACCEPT+ rules. This technique also may be used when the ACTION is
    REDIRECT.</para>
  </refsect1>

  <refsect1>
    <title>FILES</title>

    <para>/etc/shorewall/zones</para>

    <para>/etc/shorewall/interfaces</para>

    <para>/etc/shorewall/hosts</para>

    <para>/etc/shorewall/policy</para>

    <para>/etc/shorewall/rules</para>
  </refsect1>

  <refsect1>
    <title>See ALSO</title>

    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
    shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
</refentry>