forked from extern/shorewall_code
166 lines
6.0 KiB
XML
166 lines
6.0 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
|
<refentry>
|
|
<refmeta>
|
|
<refentrytitle>shorewall6-nesting</refentrytitle>
|
|
|
|
<manvolnum>5</manvolnum>
|
|
</refmeta>
|
|
|
|
<refnamediv>
|
|
<refname>nesting</refname>
|
|
|
|
<refpurpose>shorewall6 Nested Zones</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv>
|
|
<cmdsynopsis>
|
|
<arg choice="plain"
|
|
rep="norepeat"><replaceable>child-zone</replaceable>[:<replaceable>parent-zone</replaceable>[,<replaceable>parent-zone</replaceable>]...]</arg>
|
|
</cmdsynopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>Description</title>
|
|
|
|
<para>In <ulink url="shorewall-zones.html">shorewall6-zones</ulink>(5), a
|
|
zone may be declared to be a sub-zone of one or more other zones using the
|
|
above syntax.</para>
|
|
|
|
<para>Where zones are nested, the CONTINUE policy in <ulink
|
|
url="shorewall6-policy.html">shorewall6-policy</ulink>(5) allows hosts
|
|
that are within multiple zones to be managed under the rules of all of
|
|
these zones.</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Example</title>
|
|
|
|
<para><filename>/etc/shorewall6/zones</filename>:</para>
|
|
|
|
<programlisting> #ZONE TYPE OPTION
|
|
fw firewall
|
|
net ipv6
|
|
sam:net ipv6
|
|
loc ipv6</programlisting>
|
|
|
|
<para><filename>/etc/shorewall6/interfaces</filename>:</para>
|
|
|
|
<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
|
|
- eth0 detect blacklist
|
|
loc eth1 detect</programlisting>
|
|
|
|
<para><filename>/etc/shorewall6/hosts</filename>:</para>
|
|
|
|
<programlisting> #ZONE HOST(S) OPTIONS
|
|
net eth0:[::\]
|
|
sam eth0:[2001:19f0:feee::dead:beef:cafe]</programlisting>
|
|
|
|
<para><filename>/etc/shorewall6/policy</filename>:</para>
|
|
|
|
<programlisting> #SOURCE DEST POLICY LOG LEVEL
|
|
loc net ACCEPT
|
|
sam all CONTINUE
|
|
net all DROP info
|
|
all all REJECT info</programlisting>
|
|
|
|
<para>The second entry above says that when Sam is the client, connection
|
|
requests should first be processed under rules where the source zone is
|
|
sam and if there is no match then the connection request should be treated
|
|
under rules where the source zone is net. It is important that this policy
|
|
be listed BEFORE the next policy (net to all). You can have this policy
|
|
generated for you automatically by using the IMPLICIT_CONTINUE option in
|
|
<ulink url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
|
|
|
<para>Partial <filename>/etc/shorewall6/rules</filename>:</para>
|
|
|
|
<programlisting> #ACTION SOURCE DEST PROTO DEST PORT(S)
|
|
...
|
|
ACCEPT sam loc:2001:19f0:feee::3 tcp ssh
|
|
ACCEPT net loc:2001:19f0:feee::5 tcp www
|
|
...</programlisting>
|
|
|
|
<para>Given these two rules, Sam can connect with ssh to
|
|
2001:19f0:feee::3. Like all hosts in the net zone, Sam can connect to TCP
|
|
port 80 on 2001:19f0:feee::5. The order of the rules is not
|
|
significant.</para>
|
|
</refsect1>
|
|
|
|
<refsect1 id="Virtual">
|
|
<title>Virtual Zones</title>
|
|
|
|
<para>Beginning with Shorewall 4.4.5, Shorewall allows the declaration of
|
|
<firstterm>virtual</firstterm> zones. A virtual zone has no definition in
|
|
<filename>/etc/shorewall6/interfaces</filename> or in
|
|
<filename>/etc/shorewall6/hosts</filename>. Rather, it is used as a parent
|
|
zone for other zones in <filename>/etc/shorewall6/zones</filename>.</para>
|
|
|
|
<para>Example:</para>
|
|
|
|
<para><filename>/etc/shorewall6/zones</filename>:</para>
|
|
|
|
<programlisting> #ZONE TYPE OPTIONS
|
|
fw firewall
|
|
net ipv6
|
|
loc virtual #Virtual Zone
|
|
loc1:loc ipv6
|
|
loc2:loc ipv6</programlisting>
|
|
|
|
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
|
|
|
<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
|
|
net eth0 detect dhcp,tcpflags
|
|
- eth1 detect tcpflags</programlisting>
|
|
|
|
<para><filename>/etc/shorewall/hosts</filename>:</para>
|
|
|
|
<programlisting> #ZONE HOST(S) OPTIONS
|
|
loc1 eth1:2001:19f0:feee:1::/48
|
|
loc2 eth1:2001:19f0:feee:2::/48</programlisting>
|
|
|
|
<para>There are several restrictions on virtual zones:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>A maximum of four virtual zones may be defined.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>They should not be used with IMPLICIT_CONTINUE=Yes in <ulink
|
|
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>When a connection request to/from a sub-zone of a virtual zone does
|
|
not match the rules for the sub-zone, the connection is compared against
|
|
the rules (and policies) for the parent virtual zone.</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>FILES</title>
|
|
|
|
<para>/etc/shorewall6/zones</para>
|
|
|
|
<para>/etc/shorewall6/interfaces</para>
|
|
|
|
<para>/etc/shorewall6/hosts</para>
|
|
|
|
<para>/etc/shorewall6/policy</para>
|
|
|
|
<para>/etc/shorewall6/rules</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>See ALSO</title>
|
|
|
|
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
|
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
|
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
|
|
shorewall6-providers(5), shorewall6-route_rules(5),
|
|
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
|
|
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
|
|
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
|
|
</refsect1>
|
|
</refentry>
|