forked from extern/shorewall_code
c93817f30b
The invariant sections clause doesn't quite match the official text. It should read: with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts not: with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
367 lines
14 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article id="Multiple_Zones">
  <!--$Id$-->

  <articleinfo>
    <title>Routing on One Interface</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
      <year>2003-2005</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <caution>
    <para><emphasis role="bold">This article applies to Shorewall 4.3 and
    later. If you are running a version of Shorewall earlier than Shorewall
    4.3.5 then please see the documentation for that
    release.</emphasis></para>
  </caution>

  <section id="Intro">
    <title>Introduction</title>

    <para>While most configurations can be handled with each of the firewall's
    network interfaces assigned to a single zone, there are cases where you
    will want to divide the hosts accessed through an interface between two or
    more zones.</para>

    <itemizedlist>
      <listitem>
        <para>The interface has multiple addresses on multiple subnetworks.
        This case is covered in the <ulink
        url="Shorewall_and_Aliased_Interfaces.html">Aliased Interface
        documentation</ulink>.</para>
      </listitem>

      <listitem>
        <para>You are using some form of NAT and want to access a server by
        its external IP address from the same LAN segment. This is covered in
        <ulink url="FAQ.htm#faq2">FAQs 2 and 2a</ulink>.</para>
      </listitem>

      <listitem>
        <para>There are routers accessible through the interface and you want
        to treat the networks accessed through that router as a separate
        zone.</para>
      </listitem>

      <listitem>
        <para>Some of the hosts accessed through an interface have
        significantly different firewalling requirements from the others so
        you want to assign them to a different zone.</para>
      </listitem>
    </itemizedlist>

    <para>The key points to keep in mind when setting up multiple zones per
    interface are:</para>

    <itemizedlist>
      <listitem>
        <para>Shorewall generates rules for zones in the order that the zone
        declarations appear in /etc/shorewall/zones unless you modify the
        processing order using the explicit
        <emphasis>child-zone</emphasis>:<emphasis>parent-zone</emphasis>
        syntax, in which case the child zone rules are generated first.</para>
      </listitem>

      <listitem>
        <para>The order of entries in /etc/shorewall/hosts is immaterial as
        far as the generated rule set is concerned.</para>
      </listitem>
    </itemizedlist>

    <para><emphasis role="bold">These examples use the local zone but the same
    technique works for any zone.</emphasis> Remember that Shorewall doesn't
    have any conceptual knowledge of <quote>Internet</quote>,
    <quote>Local</quote>, or <quote>DMZ</quote> so all zones except the
    firewall itself ($FW) are the same as far as Shorewall is concerned. Also,
    the examples use private (RFC 1918) addresses but public IP addresses can
    be used in exactly the same way.</para>
  </section>

  <section id="Router">
    <title>Router in the Local Zone</title>

    <para>Here is an example of a router in the local zone.</para>

    <note>
      <para>The <emphasis role="bold">box called <quote>Router</quote> could
      be a VPN server</emphasis> or other such device; from the point of view
      of this discussion, it makes no difference.</para>
    </note>

    <graphic fileref="images/MultiZone1.png"/>

    <section id="Standard">
      <title>Can You Use the Standard Configuration?</title>

      <para>In many cases, the <ulink url="two-interface.htm">standard
      two-interface Shorewall setup</ulink> will work fine in this
      configuration. It will work if:</para>

      <itemizedlist>
        <listitem>
          <para>The firewall requirements to/from the Internet are the same
          for 192.168.1.0/24 and 192.168.2.0/24.</para>
        </listitem>

        <listitem>
          <para>The hosts in 192.168.1.0/24 know that the route to
          192.168.2.0/24 is through the <emphasis
          role="bold">router</emphasis>.</para>
        </listitem>
      </itemizedlist>

      <para>All you have to do on the firewall is add a route to
      192.168.2.0/24 through the <emphasis role="bold">router</emphasis> and
      restart Shorewall.</para>
    </section>

    <section id="Enough">
      <title>Will One Zone be Enough?</title>

      <para>If the firewalling requirements for the two local networks are the
      same but the hosts in 192.168.1.0/24 don't know how to route to
      192.168.2.0/24, then you need to configure the firewall slightly
      differently. This type of configuration is rather stupid from an IP
      networking point of view but it is sometimes necessary because you
      simply don't want to have to reconfigure all of the hosts in
      192.168.1.0/24 to add a persistent route to 192.168.2.0/24. On the
      firewall:</para>

      <orderedlist>
        <listitem>
          <para>Add a route to 192.168.2.0/24 through the <emphasis
          role="bold">Router</emphasis>.</para>
        </listitem>

        <listitem>
          <para>Set the <quote>routeback</quote> option for eth1 (the local
          firewall interface) in /etc/shorewall/interfaces. This is needed
          because traffic from 192.168.1.0/24 to 192.168.2.0/24 now enters the
          firewall on eth1 and is sent back out through eth1 to the
          Router.</para>
        </listitem>

        <listitem>
          <para>Restart Shorewall.</para>
        </listitem>
      </orderedlist>
    </section>

    <section id="Separate">
      <title>I Need Separate Zones</title>

      <para>If you need to make 192.168.2.0/24 into its own zone, you can do
      it one of two ways: Nested Zones or Parallel Zones.</para>

      <section id="Nested">
        <title>Nested Zones</title>

        <para>You can define one zone (call it <quote>loc</quote>) as being
        all hosts connected to eth1 and a second zone <quote>loc1</quote>
        (192.168.2.0/24) as a sub-zone.</para>

        <graphic fileref="images/MultiZone1A.png"/>

        <note>
          <para>The Router in the above diagram is assumed to NOT be doing
          SNAT for the hosts in the 192.168.2.0/24 network.</para>
        </note>

        <para>The advantage of this approach is that the zone
        <quote>loc1</quote> can use CONTINUE policies such that if a
        connection request doesn't match a <quote>loc1</quote> rule, it will
        be matched against the <quote>loc</quote> rules. For example, if your
        loc1->net policy is CONTINUE then if a connection request from loc1
        to the Internet doesn't match any rules for loc1->net then it will
        be checked against the loc->net rules.</para>

        <para><filename>/etc/shorewall/zones</filename></para>

        <programlisting>#ZONE      TYPE     OPTIONS
loc        ipv4
loc1:loc   ipv4</programlisting>

        <note>
          <para>The parent zone (loc) is defined first, then the sub-zone
          (loc1) is defined using the special syntax shown.</para>
        </note>

        <para><filename>/etc/shorewall/interfaces</filename></para>

        <programlisting>#ZONE      INTERFACE   OPTIONS
loc        eth1        -</programlisting>

        <para><filename>/etc/shorewall/hosts</filename></para>

        <programlisting>#ZONE      HOSTS                  OPTIONS
loc1       eth1:192.168.2.0/24    -</programlisting>

        <para>If you don't need Shorewall to set up infrastructure to route
        traffic between <quote>loc</quote> and <quote>loc1</quote>, add these
        two policies.</para>

        <para><filename>/etc/shorewall/policy</filename></para>

        <programlisting>#SOURCE    DEST     POLICY
loc        loc1     NONE
loc1       loc      NONE</programlisting>
      </section>

      <section id="Parallel">
        <title>Parallel Zones</title>

        <para>You define both zones in the /etc/shorewall/hosts file to create
        two disjoint zones.</para>

        <graphic fileref="images/MultiZone1B.png"/>

        <note>
          <para>The Router in the above diagram is assumed to NOT be doing
          SNAT for the hosts in the 192.168.2.0/24 network.</para>
        </note>

        <para><filename>/etc/shorewall/zones</filename></para>

        <programlisting>#ZONE      TYPE     OPTIONS
loc1       ipv4
loc2       ipv4</programlisting>

        <para><filename>/etc/shorewall/interfaces</filename></para>

        <programlisting>#ZONE      INTERFACE   OPTIONS
-          eth1        -</programlisting>

        <para><filename>/etc/shorewall/hosts</filename></para>

        <programlisting>#ZONE      HOSTS                  OPTIONS
loc1       eth1:192.168.1.0/24    -
loc2       eth1:192.168.2.0/24    -</programlisting>

        <para>You don't need Shorewall to set up infrastructure to route
        traffic between <quote>loc1</quote> and <quote>loc2</quote>, so add
        these two policies:</para>

        <para><filename>/etc/shorewall/policy</filename></para>

        <programlisting>#SOURCE    DEST     POLICY
loc1       loc2     NONE
loc2       loc1     NONE</programlisting>
</section>
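The following is an added example, not part of this article and not Shorewall's own code. It models how the Nested Zones and Parallel Zones configurations above assign a packet arriving on eth1 to a zone (the hosts-file sub-zone wins over the interface-wide zone) and which policies a request then passes through, including the CONTINUE fall-through from loc1 to loc that the Nested Zones text describes. The "net" zone on eth0, the policy entries (loc1->net CONTINUE, loc->net ACCEPT, loc2->net REJECT, net->all DROP) and the sample addresses are constructed for the example; the four-file parsing is a simplification of Shorewall's real table syntax.

```python
"""Model of Shorewall zone matching and policy lookup for nested vs. parallel zones."""
import ipaddress

# Constructed copies of the two configurations in this article, plus an assumed
# "net" zone on eth0 and assumed policies so that loc1->net can be followed.
NESTED = {
    "zones": "#ZONE TYPE\nnet ipv4\nloc ipv4\nloc1:loc ipv4\n",
    "interfaces": "#ZONE INTERFACE OPTIONS\nnet eth0 -\nloc eth1 -\n",
    "hosts": "#ZONE HOSTS OPTIONS\nloc1 eth1:192.168.2.0/24 -\n",
    "policy": ("#SOURCE DEST POLICY\nloc1 net CONTINUE\nloc net ACCEPT\n"
               "loc loc1 NONE\nloc1 loc NONE\nnet all DROP\n"),
}
PARALLEL = {
    "zones": "#ZONE TYPE\nnet ipv4\nloc1 ipv4\nloc2 ipv4\n",
    "interfaces": "#ZONE INTERFACE OPTIONS\nnet eth0 -\n- eth1 -\n",
    "hosts": "#ZONE HOSTS OPTIONS\nloc1 eth1:192.168.1.0/24 -\nloc2 eth1:192.168.2.0/24 -\n",
    "policy": ("#SOURCE DEST POLICY\nloc1 net ACCEPT\nloc2 net REJECT\n"
               "loc1 loc2 NONE\nloc2 loc1 NONE\nnet all DROP\n"),
}


def parse_table(text):
    """Split a Shorewall table into whitespace-separated rows; '#' starts a comment."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


class ZoneConfig:
    """Zones, interface/host assignments and policies from four Shorewall tables."""

    def __init__(self, zones, interfaces, hosts, policy):
        self.parent = {}        # zone -> parent zone (None for a top-level zone)
        for row in parse_table(zones):
            name, _, parent = row[0].partition(":")    # "loc1:loc" => child of loc
            self.parent[name] = parent or None
        self.iface_zone = {}    # interface -> zone for the whole interface, None for "-"
        for zone, iface, *_ in parse_table(interfaces):
            self.iface_zone[iface] = None if zone == "-" else zone
        self.host_entries = []  # (zone, interface, network) from the hosts file
        for zone, spec, *_ in parse_table(hosts):
            iface, _, net = spec.partition(":")
            self.host_entries.append((zone, iface, ipaddress.ip_network(net)))
        self.policy = {(src, dst): action for src, dst, action, *_ in parse_table(policy)}

    def depth(self, zone):
        """Nesting depth: 0 for a top-level zone, 1 for its child, and so on."""
        depth = 0
        while self.parent.get(zone):
            zone, depth = self.parent[zone], depth + 1
        return depth

    def source_zone(self, iface, src_ip):
        """Most specific zone for a packet arriving on iface from src_ip, or None.

        A hosts entry (sub-zone) beats the interface-wide zone; with no match on
        an interface declared as "-", the packet belongs to no zone at all."""
        addr = ipaddress.ip_address(src_ip)
        matches = [z for z, i, net in self.host_entries if i == iface and addr in net]
        if self.iface_zone.get(iface):
            matches.append(self.iface_zone[iface])
        return max(matches, key=self.depth) if matches else None

    def lookup_chain(self, src_zone, dst_zone):
        """(source, dest, policy) triples consulted in order for src_zone->dst_zone.

        A CONTINUE policy means: if no src->dst rule matches, the request is
        checked against the parent zone's rules and policy for the same dest."""
        chain, zone = [], src_zone
        while zone is not None:
            action = self.policy.get((zone, dst_zone)) or self.policy.get((zone, "all"))
            chain.append((zone, dst_zone, action))
            if action != "CONTINUE":
                break
            zone = self.parent.get(zone)
        return chain


if __name__ == "__main__":
    for label, cfg in (("nested", ZoneConfig(**NESTED)), ("parallel", ZoneConfig(**PARALLEL))):
        for ip in ("192.168.1.5", "192.168.2.5", "10.0.0.5"):   # constructed sample sources
            zone = cfg.source_zone("eth1", ip)
            print(label, ip, "->", zone, cfg.lookup_chain(zone, "net") if zone else "no zone")
```

Running it shows the practical difference: in the nested layout a 192.168.2.x source is loc1 and its Internet-bound request is checked as loc1->net and then, via CONTINUE, as loc->net, while any other eth1 source is plain loc; in the parallel layout each /24 is its own zone with no fall-through, and a source on eth1 outside both /24s (10.0.0.5 here) belongs to no zone because the interface itself was declared as "-".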
    </section>
  </section>

  <section id="Special">
    <title>Some Hosts have Special Firewalling Requirements</title>

    <para>There are cases where a subset of the addresses associated with an
    interface needs special handling. Here's an example.</para>

    <graphic fileref="images/MultiZone2.png"/>

    <para>In this example, addresses 192.168.1.8 - 192.168.1.15
    (192.168.1.8/29) are to be treated as their own zone (loc1).</para>

    <para><filename>/etc/shorewall/zones</filename></para>

    <programlisting>#ZONE      TYPE     OPTIONS
loc        ipv4
loc1:loc   ipv4</programlisting>

    <para><filename>/etc/shorewall/interfaces</filename></para>

    <programlisting>#ZONE      INTERFACE
loc        eth1</programlisting>

    <para><filename>/etc/shorewall/hosts</filename></para>

    <programlisting>#ZONE      HOSTS                  OPTIONS
loc1       eth1:192.168.1.8/29    broadcast</programlisting>

    <para>The <option>broadcast</option> option causes limited broadcasts
    (destination IP address 255.255.255.255) to be checked against the loc1
    zone. If that zone allows the packet, then of course it will be seen by
    the members of loc that are outside of loc1 as well. If the broadcast is
    not specifically DROPped by the fw->loc1 rules then it will also be
    checked against the fw->loc rules, even if there is a DROP or REJECT
    fw->loc1 policy.</para>

    <para>You probably don't want Shorewall to set up infrastructure to route
    traffic between <quote>loc</quote> and <quote>loc1</quote> so you should
    add these two policies.</para>

    <para><filename>/etc/shorewall/policy</filename></para>

    <programlisting>#SOURCE    DEST     POLICY
loc        loc1     NONE
loc1       loc      NONE</programlisting>
</section>
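The following is an added example, not part of this article and not Shorewall's own code. It turns the paragraph about the broadcast option into a checkable model: it expands the 192.168.1.8/29 sub-zone to the address range the text quotes, and it traces the order in which a limited broadcast sent by the firewall is evaluated (fw->loc1 rules first, then fw->loc rules and policy even when the fw->loc1 policy is DROP or REJECT). The rule format (source zone, destination zone, action, destination address filter), the policy dictionary and the sample tables are this example's own simplification; the treatment of an ACCEPT fw->loc1 policy as allowing the packet at the sub-zone is an assumption consistent with "if that zone allows the packet".

```python
"""Trace the evaluation of a firewall-originated limited broadcast under the broadcast option."""
import ipaddress

LIMITED_BROADCAST = "255.255.255.255"


def address_range(cidr):
    """First address, last address and size of a hosts-file network such as 192.168.1.8/29."""
    net = ipaddress.ip_network(cidr)
    return str(net[0]), str(net[-1]), net.num_addresses


def first_matching_rule(rules, src, dst_zone, dst_ip):
    """Action of the first src->dst_zone rule whose destination filter covers dst_ip.

    Rules are (src_zone, dst_zone, action, dest_filter); a dest_filter of None
    means any destination address. Returns None when no rule matches."""
    for rule_src, rule_dst, action, dest_filter in rules:
        if rule_src == src and rule_dst == dst_zone and dest_filter in (None, dst_ip):
            return action
    return None


def fw_broadcast_disposition(policies, rules, broadcast_option, child="loc1", parent="loc"):
    """Return (action, trace) for a limited broadcast originating on the firewall.

    With the broadcast option the packet is first checked against the $FW->child
    rules; a matching rule decides it. Otherwise a DROP/REJECT $FW->child policy
    does not stop it (as the article states): it goes on to the $FW->parent rules
    and then the $FW->parent policy. Without the option only $FW->parent is
    consulted. trace lists the zone pairs looked at, in order."""
    trace = []
    if broadcast_option:
        trace.append(("$FW", child))
        action = first_matching_rule(rules, "$FW", child, LIMITED_BROADCAST)
        if action is not None:
            return action, trace
        if policies.get(("$FW", child)) == "ACCEPT":   # assumption: sub-zone policy allows it
            return "ACCEPT", trace
    trace.append(("$FW", parent))
    action = first_matching_rule(rules, "$FW", parent, LIMITED_BROADCAST)
    if action is not None:
        return action, trace
    return policies[("$FW", parent)], trace


# Constructed sample tables: a restrictive fw->loc1 policy, a permissive fw->loc
# policy, and one explicit rule dropping the limited broadcast towards loc1.
POLICIES = {("$FW", "loc1"): "DROP", ("$FW", "loc"): "ACCEPT"}
EXPLICIT_DROP = [("$FW", "loc1", "DROP", LIMITED_BROADCAST)]

if __name__ == "__main__":
    print("loc1 covers", address_range("192.168.1.8/29"))
    print("policy only   :", fw_broadcast_disposition(POLICIES, [], True))
    print("explicit rule :", fw_broadcast_disposition(POLICIES, EXPLICIT_DROP, True))
    print("no broadcast  :", fw_broadcast_disposition(POLICIES, [], False))
```

The point a practitioner should take from the trace is that a DROP or REJECT policy for fw->loc1 alone does not keep the firewall's limited broadcasts away from the loc1 hosts; only an explicit fw->loc1 rule does, because the same packet is also evaluated against the fw->loc rules and policy.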
  <section id="OneArmed">
    <title>One-armed Router</title>

    <para>Nested zones may also be used to configure a
    <quote>one-armed</quote> router (I don't call it a <quote>firewall</quote>
    because it is very insecure. For example, if you connect to the Internet
    via cable modem, your next door neighbor has full access to your local
    systems as does everyone else connected to the same cable modem head-end
    controller). Here eth0 is configured with both a public IP address and an
    RFC 1918 address (more on that topic may be found <ulink
    url="Shorewall_and_Aliased_Interfaces.html">here</ulink>). Hosts in the
    <quote>loc</quote> zone are configured with their default gateway set to
    the Shorewall router's RFC 1918 address.</para>

    <para><graphic fileref="images/MultiZone3.png"/></para>

    <para><filename>/etc/shorewall/zones</filename></para>

    <programlisting>#ZONE      TYPE     OPTIONS
net        ipv4
loc:net    ipv4</programlisting>

    <para><filename>/etc/shorewall/interfaces</filename></para>

    <programlisting>#ZONE      INTERFACE   OPTIONS
net        eth0        routefilter</programlisting>

    <para><filename>/etc/shorewall/hosts</filename></para>

    <programlisting>#ZONE      HOSTS                  OPTIONS
loc        eth0:192.168.1.0/24    maclist</programlisting>

    <para><filename>/etc/shorewall/masq</filename></para>

    <programlisting>#INTERFACE               SOURCE              ADDRESS
eth0:!192.168.1.0/24     192.168.1.0/24</programlisting>

    <para>When running Shorewall 5.0.14 or later, the equivalent
    <filename>/etc/shorewall/snat</filename> is:</para>

    <programlisting>#ACTION        SOURCE       DEST                    PROTO   PORT
MASQUERADE     0.0.0.0/0    eth0:!192.168.1.0/24</programlisting>

    <para>Note that the <emphasis role="bold">maclist</emphasis> option is
    specified in <filename>/etc/shorewall/hosts</filename>. This is to
    help protect your router from unauthorized access by your friends and
    neighbors. Start without <emphasis role="bold">maclist</emphasis> then add
    it and configure your <ulink
    url="MAC_Validation.html"><filename>/etc/shorewall/maclist</filename></ulink>
    file when everything else is working.</para>
</section>
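The following is an added example, not part of this article and not Shorewall's own code. It models the interface:!network exclusion used in the masq entry above, and the equivalent snat entry, to show which packets the one-armed router rewrites: traffic from 192.168.1.0/24 leaving eth0 towards the Internet is masqueraded, while traffic between two local hosts that the router forwards back out eth0 is left alone because of the "!192.168.1.0/24" part. The packet tuples are constructed, 203.0.113.5 is a documentation address standing in for an Internet host, and the parsers are this example's own simplification of the two file formats.

```python
"""Model the destination exclusion in a Shorewall masq/snat entry on a one-armed router."""
import ipaddress


def _rule(iface_spec, source):
    """Common representation: outgoing interface, optional (negated) destination net, source net."""
    iface, _, dest = iface_spec.partition(":")
    return {
        "iface": iface,
        "dest_net": ipaddress.ip_network(dest.lstrip("!")) if dest else None,
        "negate": dest.startswith("!"),        # "!net" excludes destinations inside net
        "source": ipaddress.ip_network(source),
    }


def parse_masq_rule(line):
    """Parse the '#INTERFACE SOURCE' form used in /etc/shorewall/masq."""
    iface_spec, source = line.split()[:2]
    return _rule(iface_spec, source)


def parse_snat_rule(line):
    """Parse the '#ACTION SOURCE DEST' form used in /etc/shorewall/snat (MASQUERADE only)."""
    action, source, dest_spec = line.split()[:3]
    if action != "MASQUERADE":
        raise ValueError("only MASQUERADE entries are modelled here")
    return _rule(dest_spec, source)


def masquerades(rule, out_iface, src_ip, dst_ip):
    """True if a packet leaving out_iface from src_ip to dst_ip is rewritten by rule."""
    if out_iface != rule["iface"]:
        return False
    if ipaddress.ip_address(src_ip) not in rule["source"]:
        return False
    if rule["dest_net"] is not None:
        in_net = ipaddress.ip_address(dst_ip) in rule["dest_net"]
        if in_net == rule["negate"]:     # excluded by "!net", or required by "net" and absent
            return False
    return True


# Constructed inputs: the article's two entries and, for contrast, the same masq
# entry without the destination exclusion.
MASQ = parse_masq_rule("eth0:!192.168.1.0/24 192.168.1.0/24")
SNAT = parse_snat_rule("MASQUERADE 0.0.0.0/0 eth0:!192.168.1.0/24")
NO_EXCLUSION = parse_masq_rule("eth0 192.168.1.0/24")

if __name__ == "__main__":
    cases = [("eth0", "192.168.1.10", "203.0.113.5"),    # local host to the Internet
             ("eth0", "192.168.1.10", "192.168.1.20"),   # local host to local host via the router
             ("eth1", "192.168.1.10", "203.0.113.5")]    # some other interface (assumed)
    for name, rule in (("masq", MASQ), ("snat", SNAT), ("no-exclusion", NO_EXCLUSION)):
        for case in cases:
            print(name, case, "->", "MASQUERADE" if masquerades(rule, *case) else "unchanged")
```

The no-exclusion entry shows why the "!192.168.1.0/24" part matters on a one-armed router: without it, a packet from one local host to another that is hairpinned through eth0 would have its source rewritten to the router's address, and replies would then come back to the router instead of to the original host.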
</article>