Hello.

I would like to protect my laptop with Shorewall in the following network environment:

- user machine, not acting as a router, with 2 network interfaces: eth0 and wan0
- 2 zones: local (internal networks) and internet
- allow some traffic from the loc zone (ping, SSH), but still protect incoming traffic from loc as if it came from net (smurfs, tcpflags, etc.)

I tried to set up parallel zones in order to fully separate the networks. However, when looking at the rules generated by Shorewall, it excludes all smurfs and tcpflags checks for the loc zone:

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
   49  6016 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
  105  145K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   49  6016 ~excl0     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:67:68
    0     0 ~excl1     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
   49  6016 ~excl4     all  --  *      *       0.0.0.0/0            0.0.0.0/0
   49  6016 loc-fw     all  --  *      *       192.168.50.0/24      0.0.0.0/0
    0     0 loc-fw     all  --  *      *       10.30.0.0/19         0.0.0.0/0
    0     0 loc-fw     all  --  *      *       172.16.10.0/29       0.0.0.0/0

Chain ~excl0 (2 references)
 pkts bytes target     prot opt in     out     source               destination
   49  6016 RETURN     all  --  *      *       192.168.50.0/24      0.0.0.0/0
    0     0 RETURN     all  --  *      *       10.30.0.0/19         0.0.0.0/0
    0     0 RETURN     all  --  *      *       172.16.10.0/29       0.0.0.0/0
    0     0 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0            [goto]

Chain ~excl1 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       192.168.50.0/24      0.0.0.0/0
    0     0 RETURN     all  --  *      *       10.30.0.0/19         0.0.0.0/0
    0     0 RETURN     all  --  *      *       172.16.10.0/29       0.0.0.0/0
    0     0 tcpflags   all  --  *      *       0.0.0.0/0            0.0.0.0/0            [goto]

I'm not sure whether this behaviour is intended, because I did not tell it not to check the loc zone. Also, I could not tell Shorewall to consider either eth0 or wlan0 for the loc & net zones.
When adding wlan0 in the interfaces file:

-       eth0    optional,dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,arp_filter=1,arp_ignore=2
-       wan0    optional,dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,arp_filter=1,arp_ignore=2

I'm getting this error:

ERROR: A provider interface must have at least one associated zone.

On the other hand, nested zones seem to work as expected. Is that the only way for my case?

Thanks.
H. Werner
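The question above hinges on reading Shorewall's generated exclusion chains (the `~exclN` chains) to see which source networks RETURN before the `smurfs` / `tcpflags` check is reached. Below is an added audit script, not part of the original post and not Shorewall's own code, that parses `iptables -nvL` output and reports, for every exclusion chain, the check it ends in and the source networks that bypass it. The embedded sample dump is constructed from the chains quoted in the post; the chain-name convention `~excl` and the column layout of `iptables -nvL` are the only assumptions it relies on.

```python
"""Audit Shorewall exclusion chains in `iptables -nvL` output.

Added example (not from the original post or Shorewall). It answers the
question "which source networks skip the smurfs / tcpflags checks?" by
reading the RETURN rules that precede the final [goto] in each ~excl chain.
"""
import re
import sys
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample, modelled on the chain dump quoted in the post.
SAMPLE_DUMP = """\
Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
   49  6016 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
  105  145K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   49  6016 ~excl0     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
    0     0 ~excl1     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
   49  6016 loc-fw     all  --  *      *       192.168.50.0/24      0.0.0.0/0

Chain ~excl0 (2 references)
 pkts bytes target     prot opt in     out     source               destination
   49  6016 RETURN     all  --  *      *       192.168.50.0/24      0.0.0.0/0
    0     0 RETURN     all  --  *      *       10.30.0.0/19         0.0.0.0/0
    0     0 RETURN     all  --  *      *       172.16.10.0/29       0.0.0.0/0
    0     0 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0            [goto]

Chain ~excl1 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       192.168.50.0/24      0.0.0.0/0
    0     0 RETURN     all  --  *      *       10.30.0.0/19         0.0.0.0/0
    0     0 RETURN     all  --  *      *       172.16.10.0/29       0.0.0.0/0
    0     0 tcpflags   all  --  *      *       0.0.0.0/0            0.0.0.0/0            [goto]
"""

CHAIN_HEADER = re.compile(r"^Chain (\S+) \(")


class Rule(NamedTuple):
    target: str
    proto: str
    source: str
    destination: str
    extra: str  # match extensions / [goto] flag, if any


def parse_chains(dump: str) -> Dict[str, List[Rule]]:
    """Parse `iptables -nvL` text into {chain_name: [Rule, ...]}."""
    chains: Dict[str, List[Rule]] = {}
    current: Optional[str] = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = CHAIN_HEADER.match(line)
        if header:
            current = header.group(1)
            chains[current] = []
            continue
        if line.startswith("pkts") or current is None:
            continue
        # Columns: pkts bytes target prot opt in out source destination [extra]
        parts = line.split(None, 9)
        if len(parts) < 9:
            continue
        extra = parts[9] if len(parts) > 9 else ""
        chains[current].append(Rule(parts[2], parts[3], parts[7], parts[8], extra))
    return chains


def exclusions(chains: Dict[str, List[Rule]]) -> Dict[str, Tuple[Optional[str], List[str]]]:
    """For each Shorewall ~excl chain: (final check target, sources that RETURN first).

    A source listed here never reaches the check; that is exactly the
    behaviour the post observes for the loc networks.
    """
    report: Dict[str, Tuple[Optional[str], List[str]]] = {}
    for name, rules in chains.items():
        if not name.startswith("~excl"):
            continue
        skipped = [r.source for r in rules if r.target == "RETURN"]
        checks = [r.target for r in rules if r.target != "RETURN"]
        report[name] = (checks[-1] if checks else None, skipped)
    return report


def sources_skipping(chains: Dict[str, List[Rule]], check: str) -> List[str]:
    """Source networks that bypass a given check (e.g. 'smurfs' or 'tcpflags')."""
    for target, skipped in exclusions(chains).values():
        if target == check:
            return skipped
    return []


if __name__ == "__main__":
    # Usage: iptables -nvL | python3 audit_excl.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for chain, (check, skipped) in sorted(exclusions(parse_chains(text)).items()):
        print(f"{chain}: check={check} bypassed by {', '.join(skipped) or 'nobody'}")
```

Run against the real ruleset with `iptables -nvL | python3 audit_excl.py`; on the sample it reports that all three loc networks bypass both `smurfs` and `tcpflags`, which is the observation the post is asking about.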