forked from extern/shorewall_code
39a54f211e
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2135 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
365 lines
14 KiB
XML
365 lines
14 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
|
<article id="Multiple_Zones">
|
|
<!--$Id$-->
|
|
|
|
<articleinfo>
|
|
<title>Routing on One Interface</title>
|
|
|
|
<authorgroup>
|
|
<author>
|
|
<firstname>Tom</firstname>
|
|
|
|
<surname>Eastep</surname>
|
|
</author>
|
|
</authorgroup>
|
|
|
|
<pubdate>2005-05-15</pubdate>
|
|
|
|
<copyright>
|
|
<year>2003-2005</year>
|
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
</copyright>
|
|
|
|
<legalnotice>
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
Texts. A copy of the license is included in the section entitled
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
License</ulink></quote>.</para>
|
|
</legalnotice>
|
|
</articleinfo>
|
|
|
|
<section>
|
|
<title>Introduction</title>
|
|
|
|
<para>While most configurations can be handled with each of the firewall's
|
|
network interfaces assigned to a single zone, there are cases where you
|
|
will want to divide the hosts accessed through an interface between two or
|
|
more zones.</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>The interface has multiple addresses on multiple subnetworks.
|
|
This case is covered in the <ulink
|
|
url="Shorewall_and_Aliased_Interfaces.html">Aliased Interface
|
|
documentation</ulink>.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>You are using some form of NAT and want to access a server by
|
|
its external IP address from the same LAN segment. This is covered in
|
|
<ulink url="FAQ.htm#faq2">FAQs 2 and 2a</ulink>.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>There are routers accessible through the interface and you want
|
|
to treat the networks accessed through that router as a separate
|
|
zone.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Some of the hosts accessed through an interface have
|
|
significantly different firewalling requirements from the others so
|
|
you want to assign them to a different zone.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>The key points to keep in mind when setting up multiple zones per
|
|
interface are:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Shorewall generates rules for zones in the order that the zone
|
|
declarations appear in /etc/shorewall/zones.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>The order of entries in /etc/shorewall/hosts is immaterial as
|
|
far as the generated ruleset is concerned.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para><emphasis role="bold">These examples use the local zone but the same
|
|
technique works for any zone.</emphasis> Remember that Shorewall doesn't
|
|
have any conceptual knowledge of <quote>Internet</quote>,
|
|
<quote>Local</quote>, or <quote>DMZ</quote> so all zones except the
|
|
firewall itself ($FW) are the same as far as Shorewall is concerned. Also,
|
|
the examples use private (RFC 1918) addresses but public IP addresses can
|
|
be used in exactly the same way.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Router in the Local Zone</title>
|
|
|
|
<para>Here is an example of a router in the local zone.</para>
|
|
|
|
<note>
|
|
<para>the <emphasis role="bold">box called <quote>Router</quote> could
|
|
be a VPN server</emphasis> or other such device; from the point of view
|
|
of this discussion, it makes no difference.</para>
|
|
</note>
|
|
|
|
<graphic fileref="images/MultiZone1.png" />
|
|
|
|
<section>
|
|
<title>Can You Use the Standard Configuration?</title>
|
|
|
|
<para>In many cases, the <ulink url="two-interface.htm">standard
|
|
two-interface Shorewall setup</ulink> will work fine in this
|
|
configuration. It will work if:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>The firewall requirements to/from the internet are the same
|
|
for 192.168.1.0/24 and 192.168.2.0/24.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>The hosts in 192.168.1.0/24 know that the route to
|
|
192.168.2.0/24 is through the <emphasis
|
|
role="bold">router</emphasis>.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>All you have to do on the firewall is add a route to
|
|
192.168.2.0/24 through the <emphasis role="bold">router</emphasis> and
|
|
restart Shorewall.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Will One Zone be Enough?</title>
|
|
|
|
<para>If the firewalling requirements for the two local networks is the
|
|
same but the hosts in 192.168.1.0/24 don't know how to route to
|
|
192.168.2.0/24 then you need to configure the firewall slightly
|
|
differently. This type of configuration is rather stupid from an IP
|
|
networking point of view but it is sometimes necessary because you
|
|
simply don't want to have to reconfigure all of the hosts in
|
|
192.168.1.0/24 to add a persistent route to 192.168.2.0/24. On the
|
|
firewall:</para>
|
|
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>Add a route to 192.168.2.0/24 through the <emphasis
|
|
role="bold">Router</emphasis>.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Set the <quote>routeback</quote> and <quote>newnotsyn</quote>
|
|
options for eth1 (the local firewall interface) in
|
|
/etc/shorewall/interfaces.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Restart Shorewall.</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
|
|
<para>If this still doesn't work at all or if it works for connections
|
|
in one direction but not for connections in the other direction
|
|
then:</para>
|
|
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>You must be running Shorewall version 2.0.16 or later;
|
|
and</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>You need to set DROPINVALID=No in
|
|
<filename>/etc/shorewall/shorewall.conf</filename>.</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
</section>
|
|
|
|
<section>
|
|
<title>I Need Separate Zones</title>
|
|
|
|
<para>If you need to make 192.168.2.0/24 into it's own zone, you can do
|
|
it one of two ways; Nested Zones or Parallel Zones. Again, it is likely
|
|
that you will need to be running Shorewall 2.0.16 or later and that you
|
|
will have to set DROPINVALID=No in
|
|
<filename>/etc/shorewall/shorewall.conf</filename>.</para>
|
|
|
|
<section>
|
|
<title>Nested Zones</title>
|
|
|
|
<para>You can define one zone (called it <quote>loc</quote>) as being
|
|
all hosts connectied to eth1 and a second zone <quote>loc1</quote>
|
|
(192.168.2.0/24) as a sub-zone.</para>
|
|
|
|
<graphic fileref="images/MultiZone1A.png" />
|
|
|
|
<para>The advantage of this approach is that the zone
|
|
<quote>loc1</quote> can use CONTINUE policies such that if a
|
|
connection request doesn't match a <quote>loc1</quote> rule, it will
|
|
be matched against the <quote>loc</quote> rules. For example, if your
|
|
loc1->net policy is CONTINUE then if a connection request from loc1
|
|
to the internet doesn't match any rules for loc1->net then it will
|
|
be checked against the loc->net rules.</para>
|
|
|
|
<para><filename>/etc/shorewall/zones</filename></para>
|
|
|
|
<programlisting>#ZONE DISPLAY COMMENTS
|
|
loc1 Local1 Hosts accessed through internal router
|
|
loc Local All hosts accessed via eth1</programlisting>
|
|
|
|
<note>
|
|
<para>the sub-zone (loc1) is defined first!</para>
|
|
</note>
|
|
|
|
<para><filename>/etc/shorewall/interfaces</filename></para>
|
|
|
|
<programlisting>#ZONE INTERFACE BROADCAST
|
|
loc eth1 192.168.1.255</programlisting>
|
|
|
|
<para><filename>/etc/shorewall/hosts</filename></para>
|
|
|
|
<programlisting>#ZONE HOSTS
|
|
loc1 eth1:192.168.2.0/24</programlisting>
|
|
|
|
<para>If you don't need Shorewall to set up infrastructure to route
|
|
traffic between <quote>loc</quote> and <quote>loc1</quote>, add these
|
|
two policies.</para>
|
|
|
|
<para>/etc/shorewall/policy</para>
|
|
|
|
<programlisting>#SOURCE DEST POLICY
|
|
loc loc1 NONE
|
|
loc1 loc NONE</programlisting>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Parallel Zones</title>
|
|
|
|
<para>You define both zones in the /etc/shorewall/hosts file to create
|
|
two disjoint zones.</para>
|
|
|
|
<graphic fileref="images/MultiZone1B.png" />
|
|
|
|
<para><filename>/etc/shorewall/zones</filename></para>
|
|
|
|
<programlisting>#ZONE DISPLAY COMMENTS
|
|
loc1 Local1 Hosts accessed Directly from Firewall
|
|
loc2 Local2 Hosts accessed via the internal Router</programlisting>
|
|
|
|
<note>
|
|
<para>Here it doesn't matter which zone is defined first.</para>
|
|
</note>
|
|
|
|
<para><filename>/etc/shorewall/interfaces</filename></para>
|
|
|
|
<programlisting>#ZONE INTERFACE BROADCAST
|
|
- eth1 192.168.1.255</programlisting>
|
|
|
|
<para><filename>/etc/shorewall/hosts</filename></para>
|
|
|
|
<programlisting>#ZONE HOSTS
|
|
loc1 eth1:192.168.1.0/24
|
|
loc2 eth1:192.168.2.0/24</programlisting>
|
|
|
|
<para>You don't need Shorewall to set up infrastructure to route
|
|
traffic between <quote>loc</quote> and <quote>loc1</quote>, so add
|
|
these two policies:</para>
|
|
|
|
<programlisting>#SOURCE DEST POLICY
|
|
loc1 loc2 NONE
|
|
loc2 loc1 NONE</programlisting>
|
|
</section>
|
|
</section>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Some Hosts have Special Firewalling Requirements</title>
|
|
|
|
<para>There are cases where a subset of the addresses associated with an
|
|
interface need special handling. Here's an example.</para>
|
|
|
|
<graphic fileref="images/MultiZone2.png" />
|
|
|
|
<para>In this example, addresses 192.168.1.8 - 192.168.1.15
|
|
(192.168.1.8/29) are to be treated as their own zone (loc1).</para>
|
|
|
|
<para><filename>/etc/shorewall/zones</filename></para>
|
|
|
|
<programlisting>#ZONE DISPLAY COMMENTS
|
|
loc1 Local1 192.168.1.8-192.168.1.15
|
|
loc Local All hosts accessed via eth1</programlisting>
|
|
|
|
<note>
|
|
<para>the sub-zone (loc1) is defined first!</para>
|
|
</note>
|
|
|
|
<para><filename>/etc/shorewall/interfaces</filename></para>
|
|
|
|
<programlisting>#ZONE INTERFACE BROADCAST
|
|
loc eth1 192.168.1.255</programlisting>
|
|
|
|
<para><filename>/etc/shorewall/hosts</filename><programlisting>#ZONE HOSTS
|
|
loc1 eth1:192.168.1.8/29</programlisting></para>
|
|
|
|
<para>You probably don't want Shorewall to set up infrastructure to route
|
|
traffic between <quote>loc</quote> and <quote>loc1</quote> so you should
|
|
add these two policies.</para>
|
|
|
|
<para><filename>/etc/shorewall/policy</filename></para>
|
|
|
|
<programlisting>#SOURCE DEST POLICY
|
|
loc loc1 NONE
|
|
loc1 loc NONE</programlisting>
|
|
</section>
|
|
|
|
<section id="OneArmed">
|
|
<title>One-armed Router</title>
|
|
|
|
<para>Nested zones may also be used to configure a
|
|
<quote>one-armed</quote> router (I don't call it a <quote>firewall</quote>
|
|
because it is very insecure. For example, if you connect to the internet
|
|
via cable modem, your next door neighbor has full access to your local
|
|
systems as does everyone else connected to the same cable modem head-end
|
|
controller). Here eth0 is configured with both a public IP address and an
|
|
RFC 1918 address (More on that topic may be found <ulink
|
|
url="Shorewall_and_Aliased_Interfaces.html">here</ulink>). Hosts in the
|
|
<quote>loc</quote> zone are configured with their default gateway set to
|
|
the Shorewall router's RFC1918 address.</para>
|
|
|
|
<para><graphic fileref="images/MultiZone3.png" /></para>
|
|
|
|
<para><filename>/etc/shorewall/zones</filename></para>
|
|
|
|
<programlisting>#ZONE DISPLAY COMMENTS
|
|
loc Local Local Zone
|
|
net Internet The big bad Internet</programlisting>
|
|
|
|
<note>
|
|
<para>the sub-zone (loc) is defined first!</para>
|
|
</note>
|
|
|
|
<para><filename>/etc/shorewall/interfaces</filename></para>
|
|
|
|
<programlisting>#ZONE INTERFACE BROADCAST
|
|
net eth0 detect</programlisting>
|
|
|
|
<para><filename>/etc/shorewall/hosts</filename></para>
|
|
|
|
<programlisting>#ZONE HOSTS OPTIONS
|
|
loc eth0:192.168.1.0/24 maclist</programlisting>
|
|
|
|
<para><filename><filename>/etc/shorewall/masq</filename></filename></para>
|
|
|
|
<programlisting>#INTERFACE SUBNET ADDRESS
|
|
eth0:!192.168.1.0/24 192.168.1.0/24</programlisting>
|
|
|
|
<para>Note that the maclist option is specified in
|
|
<filename>/etc/shorewall/interfaces</filename>. This is to help protect
|
|
your router from unauthorized access by your friends and neighbors. Start
|
|
without maclist then add it and configure your <ulink
|
|
url="MAC_Validation.html"><filename>/etc/shorewall/maclist</filename></ulink>
|
|
file when everything else is working.</para>
|
|
</section>
|
|
</article> |