Although 1.4 is now released, there is one aspect of Shorewall's design that I'm still quite unhappy with. It involves two areas:

a) when and when not to create rules to allow inbound traffic on an interface to be routed back out that same interface.

b) intrazone traffic.

I'm currently running 1.4.0 plus a change that:

a) Allows intrazone traffic unconditionally -- there's no way to turn it off.

b) Implements a NONE policy. This policy may not be overridden by rules and basically tells Shorewall to assume that there will never be any traffic from the SOURCE to the DESTINATION. Note that you would normally specify NONE policies in pairs since if there can't be any traffic in one direction, then except in cases of asymmetric routing, there can't be any in the other direction either.

c) Never creates any rules to route an interface:<network> to itself.

The advantages of this change are:

a) People expect intrazone traffic to be transparent and now it is (fewer surprises). Also avoids extra rules created by "Z Z ACCEPT" policies.

b) Using the NONE policy, you can reduce the number of rules that packets must traverse by removing the rules for impossible source/destination combinations in the <interface>_fwd chains.

The disadvantages are:

a) This is an incompatible change.

1 - if you have intra-zone policies and/or rules, they must be removed.

2 - if you have multiple subnets connected to a single interface and you want Shorewall to route between them then you must define them in the /etc/shorewall/hosts file (even if they are in the same zone).

Given that we are early in the 1.4 rollout, I would like to release these changes in the next release (1.4.1) even though I usually don't release incompatible changes in minor releases.

Any opinions either way?

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA    \ teastep@shorewall.net
On Thursday 20 March 2003 03:11 pm, Tom Eastep wrote:
> I'm currently running 1.4.0 plus a change that:
>
> a) Allows intrazone traffic unconditionally -- there's no way to turn it
> off.

Is this optional?

I can see several situations where you would want to separate some zones from each other, such as when you have servers in the dmz that get infected with the latest MS worm or some such...

--
John Andersen - NORCOM
http://www.norcomsoftware.com/
On Thu, 20 Mar 2003, John Andersen wrote:
> On Thursday 20 March 2003 03:11 pm, Tom Eastep wrote:
> > I'm currently running 1.4.0 plus a change that:
> >
> > a) Allows intrazone traffic unconditionally -- there's no way to turn it
> > off.
>
> Is this optional?
>
> I can see several situations where you would want to separate
> some zones from each other, such as when you have
> servers in the dmz that get infected with the latest MS worm
> or some such...

I've not changed anything regarding separating one zone from another zone. I've only changed the case where systems within a zone must communicate through the firewall.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA    \ teastep@shorewall.net
On Thu, 20 Mar 2003, Jeff Oliver wrote:
> FWIW, we use the maclist option "intrazone" to make sure people who come
> in and just plug into our network (i.e. people's buddies late at night
> to play Quake or whatever) can't get at various servers or out on the
> internet.
>
> I imagine your change to allow loc <-> loc would not negate our ability
> to use this, and it would kill off quite a few useless rules created
> from that policy. So I'm for it!

Jeff -- you are correct that 'maclist' functionality is unaffected by this change.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA    \ teastep@shorewall.net
Tom Eastep wrote:
>
> Although 1.4 is now released, there is one aspect of Shorewall's design
> that I'm still quite unhappy with. It involves two areas:
>
> a) when and when not to create rules to allow inbound traffic on an
> interface to be routed back out that same interface.
>
> b) intrazone traffic.
>
> I'm currently running 1.4.0 plus a change that:
>
> a) Allows intrazone traffic unconditionally -- there's no way to turn it
> off.
>
> b) Implements a NONE policy. This policy may not be overridden by rules
> and basically tells Shorewall to assume that there will never be any
> traffic from the SOURCE to the DESTINATION. Note that you would normally
> specify NONE policies in pairs since if there can't be any traffic in one
> direction, then except in cases of asymmetric routing, there can't be any
> in the other direction either.
>
> c) Never creates any rules to route an interface:<network> to itself.
>
> The advantages of this change are:
>
> a) People expect intrazone traffic to be transparent and now it is (fewer
> surprises). Also avoids extra rules created by "Z Z ACCEPT" policies.

Makes sense to me. I was 'surprised' more than once because I expected the behaviour you intend to implement now.

> b) Using the NONE policy, you can reduce the number of rules that packets
> must traverse by removing the rules for impossible source/destination
> combinations in the <interface>_fwd chains.
>
> The disadvantages are:
>
> a) This is an incompatible change.
>
> 1 - if you have intra-zone policies and/or rules, they must be removed.

Would be nice if 'shorewall check' knew about this change :)

> 2 - if you have multiple subnets connected to a single interface and
> you want Shorewall to route between them then you must define them in the
> /etc/shorewall/hosts file (even if they are in the same zone).

Seems not a big problem as long as inter-zone policies and/or rules stay the same.

So yes, I'd like to see this change!

Thanks for the always good work!

Simon

> Given that we are early in the 1.4 rollout, I would like to release these
> changes in the next release (1.4.1) even though I usually don't release
> incompatible changes in minor releases.
>
> Any opinions either way?
>
> -Tom
> --
> Tom Eastep      \ Shorewall - iptables made easy
> Shoreline,       \ http://shorewall.sf.net
> Washington USA    \ teastep@shorewall.net
Tom Eastep wrote:
> Although 1.4 is now released, there is one aspect of Shorewall's design
> that I'm still quite unhappy with. It involves two areas:
>
> a) when and when not to create rules to allow inbound traffic on an
> interface to be routed back out that same interface.
>
> b) intrazone traffic.
>
> I'm currently running 1.4.0 plus a change that:
>
> a) Allows intrazone traffic unconditionally -- there's no way to turn it
> off.

This is not a good idea at all, I think.

On my laptop, I have a GPRS connection via ppp0, zone net, an ethernet connection via eth0, zone net, and a wlan card, interface eth1, zone net.

Your change makes my laptop a router between interfaces while this is not a desired function.

There is usually no harm done, but there should not be an automatic z z ACCEPT policy when there is more than one interface in a zone...

--
Tuomo Soini <tis@foobar.fi>
http://foobar.fi/
On Fri, 21 Mar 2003, Simon Matter wrote:
> Tom Eastep wrote:
> >
> > 1 - if you have intra-zone policies and/or rules, they must be removed.
>
> Would be nice if 'shorewall check' knew about this change :)

It does -- remember that in 1.4, the code that implements 'check' is the same code that implements '[re]start'

> > 2 - if you have multiple subnets connected to a single interface and
> > you want Shorewall to route between them then you must define them in the
> > /etc/shorewall/hosts file (even if they are in the same zone).
>
> Seems not a big problem as long as inter-zone policies and/or rules stay
> the same.
>
> So yes, I'd like to see this change!

Thanks, Simon

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA    \ teastep@shorewall.net
On Fri, 21 Mar 2003, Tuomo Soini wrote:
> Tom Eastep wrote:
> > Although 1.4 is now released, there is one aspect of Shorewall's design
> > that I'm still quite unhappy with. It involves two areas:
> >
> > a) when and when not to create rules to allow inbound traffic on an
> > interface to be routed back out that same interface.
> >
> > b) intrazone traffic.
> >
> > I'm currently running 1.4.0 plus a change that:
> >
> > a) Allows intrazone traffic unconditionally -- there's no way to turn it
> > off.
>
> This is not a good idea at all, I think.
>
> On my laptop, I have a GPRS connection via ppp0, zone net, an ethernet
> connection via eth0, zone net, and a wlan card, interface eth1, zone net.
>
> Your change makes my laptop a router between interfaces while this is not
> a desired function.
>
> There is usually no harm done, but there should not be an automatic z z
> ACCEPT policy when there is more than one interface in a zone...

I disagree -- if they are separate interfaces and you want to control the traffic between them then they should be separate zones.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA    \ teastep@shorewall.net
On Fri, 21 Mar 2003, Tom Eastep wrote:
> On Fri, 21 Mar 2003, Tuomo Soini wrote:
>
> > Tom Eastep wrote:
> > >
> > > a) Allows intrazone traffic unconditionally -- there's no way to turn it
> > > off.
> >
> > This is not a good idea at all, I think.
> >
> > On my laptop, I have a GPRS connection via ppp0, zone net, an ethernet
> > connection via eth0, zone net, and a wlan card, interface eth1, zone net.
> >
> > Your change makes my laptop a router between interfaces while this is not
> > a desired function.
> >
> > There is usually no harm done, but there should not be an automatic z z
> > ACCEPT policy when there is more than one interface in a zone...
>
> I disagree -- if they are separate interfaces and you want to control the
> traffic between them then they should be separate zones.

Ok -- how about a compromise. If you have no Z->Z policy or rules then the default behavior is to ACCEPT all traffic from Z->Z. If you do specify a Z->Z policy or if you have Z->Z rules then those rules/policies are enforced.

If you have rules but no explicit policy then the first implicitly matching policy applies.

Will that work for you?

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA    \ teastep@shorewall.net
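To make the proposal concrete, here is an added configuration sketch (my own illustration, not Tom's code and not part of any Shorewall release) that exercises the three points from the original proposal and the compromise above: two subnets on one interface defined in /etc/shorewall/hosts so Shorewall routes between them inside one zone, a NONE pair for a source/destination combination the routing makes impossible, and an explicit Z->Z policy that is enforced instead of the implicit intra-zone ACCEPT. The column layouts follow the 1.4 file conventions as I understand them; all zone names, interfaces and addresses are constructed, and the assumption that loc has no route to the vpn2 networks is mine.

```text
# /etc/shorewall/zones  (constructed example)
#ZONE   DISPLAY         COMMENTS
net     Net             Internet
loc     Local           Two local subnets behind eth1
dmz     DMZ             Public servers
vpn1    VPN1            IPsec partner company 1
vpn2    VPN2            IPsec partner company 2

# /etc/shorewall/interfaces  (constructed example)
# eth1 and ipsec0 get "-" here so the zones are taken from the hosts file.
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          norfc1918
-       eth1            detect
dmz     eth2            detect
-       ipsec0

# /etc/shorewall/hosts  (constructed example)
# Both subnets on eth1 are listed explicitly; without these entries the
# proposal never generates rules to route eth1:<network> back to itself,
# so 192.168.1.0/24 and 192.168.2.0/24 could not reach each other through
# the firewall even though both are "loc".
#ZONE   HOST(S)                         OPTIONS
loc     eth1:192.168.1.0/24
loc     eth1:192.168.2.0/24
# Each partner tunnel is its own zone, so partner-to-partner traffic is
# governed by an explicit policy rather than by intra-zone transparency.
vpn1    ipsec0:10.1.0.0/16
vpn2    ipsec0:10.2.0.0/16

# /etc/shorewall/policy  (constructed example)
#SOURCE DEST    POLICY  LOG LEVEL       LIMIT:BURST
#
# No "loc loc" entry: under the compromise the implicit Z->Z ACCEPT applies
# and the two eth1 subnets talk to each other transparently.
#
# Explicit intra-zone policy for the DMZ: because it is specified, it is
# enforced, so a compromised DMZ host cannot reach its neighbours.
dmz     dmz     DROP    info
#
# Two partner tunnels that must never be bridged: an ordinary DROP pair
# (NONE would be wrong here, because this traffic *can* arrive).
vpn1    vpn2    DROP    info
vpn2    vpn1    DROP    info
#
# NONE pair: loc has no route to 10.2.0.0/16 and vpn2 none to loc (assumed),
# so no packet can exist in either direction. NONE tells Shorewall to emit
# no rules for these combinations in the eth1_fwd / ipsec0_fwd chains.
# It cannot be overridden by rules, hence it is used only for impossible
# combinations, never as a blocking policy.
loc     vpn2    NONE
vpn2    loc     NONE
#
loc     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
```

The policy file is evaluated top to bottom with `all` as a wildcard, so if you later add a `dmz` rule in /etc/shorewall/rules but remove the `dmz dmz DROP` line, the compromise says the first implicitly matching entry (`all all REJECT` here) becomes the intra-zone policy rather than ACCEPT; keep the explicit line if the DMZ isolation matters.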
Tom Eastep wrote:
> Ok -- how about a compromise. If you have no Z->Z policy or rules then the
> default behavior is to ACCEPT all traffic from Z->Z. If you do specify a
> Z->Z policy or if you have Z->Z rules then those rules/policies are
> enforced.

Sounds reasonable. Let me give one other example where you want to limit inter-zone traffic. You want to make sure that traffic coming from ipsec and going out to the same ipsec device is permitted. That's a real security thing. You can have ipsec tunnels to two different companies and want to be sure there is no traffic between them. On the other hand some configurations require this z-z traffic...

> If you have rules but no explicit policy then the first implicitly
> matching policy applies.

Sounds ok. It makes it possible to use old configurations without changes and makes it so much easier.

> Will that work for you?

Yes. In fact that default ACCEPT policy works for me too when it's documented so that there is a warning about the effects it can cause.

--
Tuomo Soini <tis@foobar.fi>
http://foobar.fi/
On Fri, 21 Mar 2003, Tuomo Soini wrote:
> Tom Eastep wrote:
> >
> > Will that work for you?
>
> Yes. In fact that default ACCEPT policy works for me too when it's
> documented so that there is a warning about the effects it can cause.

Ok -- we'll do it that way. Thanks!

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA    \ teastep@shorewall.net
On Fri, 21 Mar 2003, Tuomo Soini wrote:
>
> Sounds reasonable. Let me give one other example where you want to limit
> inter-zone traffic.

I assume that you meant "intra-zone".

> You want to make sure that traffic coming from ipsec
> and going out to the same ipsec device is permitted.

"Not" permitted, maybe?

> That's a real security
> thing. You can have ipsec tunnels to two different companies and want to
> be sure there is no traffic between them. On the other hand some
> configurations require this z-z traffic...

But of course, you can also make each company its own zone too...

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA    \ teastep@shorewall.net