Alexander Gretencord
2004-Apr-14 14:11 UTC
Configuration question with multiple zones on one interface
Hi,

I want to replace the currently running script on our internal firewall with shorewall. The external firewall already has a working config (tested a bit but it's not in production right now). The internal firewall gives me kind of a headache though. I am not able to test this out right now, as the firewall is still in production. Unfortunately our setup is a lil different from the corporate example.

The firewall will have 4 interfaces (currently there are only 2). One interface will go to the internal net, another interface to a second physically different internal net and a third to yet another physical net. The fourth interface faces the outside which consists of:

a) A DMZ (X.X.X.72/29)
b) Some other net (X.X.X.64/29)
   (we got a /28 which was partitioned into these two nets and it will stay this way)
c) The internet

The .XX numbers are all from the official X.X.X.64/28 net assigned to us by ISP1. ISP1 Router is gw on the external fw. ISP2 Router is a DSL Router which the external fw can reach through an rfc1918 net. The DSL Router does NAT but we have no access to it.

All internal hosts do their websurfing through the DSL Router, which means they are NATed by the internal fw. The external fw then SNATs all traffic not destined to one of our DMZ servers to 192.168.0.142 and sends it to the DSL router. The rest goes out to the ISP1 router with the actual IP of the host. The external firewall does not do any NAT, it only routes and has some DENY rules. The DMZ hosts have official IPs from the X.X.X.72/29 net.

  ISP1 Router (.65) ---                       DMZ
         |                                     |
         |                                     |
       (.67)                                   |
  -------- external fw (.73)------ (.74) internal fw --- (internal nets)
         |
  (192.168.0.142)
         |
  ISP2 DSL Router (192.168.0.254)

The zones I would like to have on the internal fw now are:

1) some internal zones, no problem here
2) DMZ Zone X.X.X.72/29, no problem either
3) 'some' other zone for the rest of the internet

The headache starts when I try to think of a way to define what hosts are in the zones in the 'hosts' file.

internal1   eth1:XXXX
internal2   eth2:YYYY
internal3   eth3:ZZZZ
dmz         eth4:X.X.X.72/29
some-zone   eth4: <now what?>

Can anyone comment on this? Am I the talented fool who has missed something in the documentation?

Alex
Tom Eastep
2004-Apr-14 15:15 UTC
Re: Configuration question with multiple zones on one interface
Alexander Gretencord wrote:

> The zones I would like to have on the internal fw now are:
>
> 1) some internal zones, no problem here

Do these really need to be separate zones? You are firewalling the zones from each other?

> 2) DMZ Zone X.X.X.72/29, no problem either
> 3) 'some' other zone for the rest of the internet

/etc/shorewall/zones (THE ORDER IS IMPORTANT!)

dmz
some-zone    #Obviously that name is way too long as are the "internalN"
             #zone names. I will use the names s_z and intN
net
...

> The headache starts when I try to think of a way to define what hosts are in
> the zones in the 'hosts' file.
>
> internal1 eth1:XXXX
> internal2 eth2:YYYY
> internal3 eth3:ZZZZ

No!! Each of these zones is associated with an interface. Simply define them in the /etc/shorewall/interfaces file. You can also define 'net' in the interfaces file then define the sub-zones of 'net' in /etc/shorewall/hosts.

/etc/shorewall/interfaces

net    eth4   <list bcast addrs>   <options>
int1   eth1   ...
int2   eth2   ...
int3   eth3   ...

> dmz eth4:X.X.X.72/29
> some-zone eth4: <now what?>

/etc/shorewall/hosts:

dmz   eth4:X.X.X.72/29
s_z   eth4:X.X.X.64/29

-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Alexander Gretencord
2004-Apr-15 00:34 UTC
Re: Configuration question with multiple zones on one interface
On Wednesday 14 April 2004 17:15, Tom Eastep wrote:

> /etc/shorewall/zones (THE ORDER IS IMPORTANT!)

Yeah I read that, does this mean I can have a "some_zone X.X.X.64/29" and a "net 0.0.0.0/0" as the last and it would work? This is what I would have tried out if I had the chance.

> some-zone #Obviously that name is way too long as are the
> "internalN" zone names. I will use the names
> s_z and intN

Of course they will get shorter names in my files, I'm really lazy :P

> > internal1 eth1:XXXX
> > internal2 eth2:YYYY
> > internal3 eth3:ZZZZ
>
> No!! Each of these zones is associated with an interface. Simply define
> them in the /etc/shorewall/interfaces file. You can also define 'net' in
> the interfaces file then define the sub-zones of 'net' in
> /etc/shorewall/hosts.

Mh well at least one of these zones will have more than one subnet in 192.168.0.0/16 in it. We have several organisations for which we provide internet access and as the firewall comp has not enough pci slots we will have at least two subnets on one physical net again (currently all internal nets, though logically in different 192.168.X.0/24 subnets, are physically the same).

> /etc/shorewall/hosts:
>
> dmz eth4:X.X.X.72/29
> s_z eth4:X.X.X.64/29

But what about "the internet"? I might want to handle the .64/29 net specially so that I would create a zone for it, but right now those computers are like all the other computers on the net. How do I say "zone:193.167.212.25" is allowed to connect via ssh if zone means "the internet"? If I want to allow one of our 'external' IPs from the 64/29 net I'd say

ACCEPT s_z:X.X.X.66 tcp 22

But how would I say it in that configuration? I have no real internet zone with that setup, do I? Maybe I'll understand you better in the morning and I'm talking nonsense right now because I'm drunk, but if you understand my problem please answer again :)

Alex
Tom Eastep
2004-Apr-15 01:00 UTC
Re: Configuration question with multiple zones on one interface
Alexander Gretencord wrote:

> Maybe I'll understand you better in the morning and
> I'm talking nonsense right now because I'm drunk, but if you understand my
> problem please answer again :)

When you have sobered up, look at my response again. And if there are undisclosed issues like the 192.168.0.0/16 network then I don't know how I can tell you how to handle them if you don't tell me that they need to be handled.

-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Alexander Gretencord
2004-Apr-15 08:55 UTC
Re: Configuration question with multiple zones on one interface
On Wednesday 14 April 2004 17:15, Tom Eastep wrote:

> Do these really need to be separate zones? You are firewalling the zones
> from each other?

Yes. Some internal zones are allowed to communicate with other internal zones, others are only allowed to the net or a specific host in another zone.

> You can also define 'net' in the interfaces file then define the sub-zones
> of 'net' in /etc/shorewall/hosts.

Ah I think I got it. net as "the whole internet on eth4" and our dmz and the other subnet as sub-zones of that. Thx.

Alex
Tom Eastep
2004-Apr-15 13:33 UTC
Re: Configuration question with multiple zones on one interface
Alexander Gretencord wrote:

> On Wednesday 14 April 2004 17:15, Tom Eastep wrote:
>
>> Do these really need to be separate zones? You are firewalling the zones
>> from each other?
>
> Yes. Some internal zones are allowed to communicate with other internal zones,
> others are only allowed to the net or a specific host in another zone.

Ok.

>> You can also define 'net' in the interfaces file then define the sub-zones
>> of 'net' in /etc/shorewall/hosts.
>
> Ah I think I got it. net as "the whole internet on eth4" and our dmz and the
> other subnet as sub-zones of that.

You've got it!

-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
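Editor's note: the following is an added worked example of the layout Tom describes (an interface-wide 'net' zone on eth4 with dmz and s_z as sub-zones declared in hosts, and a zone with two subnets on one interface). It is not configuration from the thread or from the Shorewall project; it is a reconstruction written for this page. Assumptions: 203.0.113.64/28 (RFC 5737 TEST-NET-3) stands in for the redacted X.X.X.64/28, the 192.168.2.0/24 and 192.168.3.0/24 subnets, the hosts 203.0.113.66, 203.0.113.75, 192.0.2.25 and 192.168.1.10, and the port choices are invented for illustration, and the column layout is the Shorewall 2.x-era one (the zones file had ZONE/DISPLAY/COMMENTS columns then; later releases use ZONE/TYPE).

```conf
###############################################################################
# /etc/shorewall/zones        (2.x columns: ZONE  DISPLAY  COMMENTS)
# ORDER MATTERS: the two sub-zones that live on eth4 must be listed before
# the enclosing 'net' zone, otherwise a packet from 203.0.113.66 is matched
# against the net rules first and the s_z rules are never reached.
###############################################################################
#ZONE   DISPLAY   COMMENTS
int1    Int1      first internal net, eth1
int2    Int2      second internal net, eth2 (two 192.168.x.0/24 subnets, assumed)
int3    Int3      third internal net, eth3
dmz     DMZ       our DMZ, 203.0.113.72/29 (stand-in for the thread's X.X.X.72/29)
s_z     Other     the other /29, 203.0.113.64/29 (stand-in for X.X.X.64/29)
net     Net       everything else reachable through eth4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

###############################################################################
# /etc/shorewall/interfaces   (ZONE  INTERFACE  BROADCAST  OPTIONS)
# One zone per physical interface. eth2 carries two subnets of one zone and
# eth4 carries three zones, so the zone membership for those is given in
# hosts instead: '-' in the ZONE column for eth2, and 'net' on eth4 is the
# enclosing zone from which dmz and s_z are carved out.
###############################################################################
#ZONE   INTERFACE   BROADCAST   OPTIONS
int1    eth1        detect
-       eth2        detect
int3    eth3        detect
net     eth4        detect      tcpflags

###############################################################################
# /etc/shorewall/hosts        (ZONE  HOST(S)  OPTIONS)
# Membership here is decided purely by interface plus source address.
###############################################################################
#ZONE   HOST(S)
int2    eth2:192.168.2.0/24,192.168.3.0/24   # assumed subnets; one zone, two nets
dmz     eth4:203.0.113.72/29
s_z     eth4:203.0.113.64/29

###############################################################################
# /etc/shorewall/policy       (SOURCE  DEST  POLICY  LOG LEVEL)
# Default deny; every permitted flow is an explicit ACCEPT here or in rules.
###############################################################################
#SOURCE   DEST   POLICY   LOG LEVEL
int1      net    ACCEPT
int2      net    ACCEPT
int3      net    ACCEPT
int1      int2   ACCEPT               # an internal pair that may talk freely
fw        all    ACCEPT
net       all    DROP     info        # generic internet: drop and log
all       all    REJECT   info        # everything else, including dmz->int*

###############################################################################
# /etc/shorewall/rules        (ACTION  SOURCE  DEST  PROTO  DEST PORT(S))
# A single host inside a zone is written zone:address. Because s_z precedes
# net in zones, 203.0.113.66 is an s_z host, not a net host; an arbitrary
# internet address is simply addressed as net:address.
###############################################################################
#ACTION   SOURCE              DEST                PROTO   DEST PORT(S)
ACCEPT    s_z:203.0.113.66    fw                  tcp     22    # assumed admin box in the other /29
ACCEPT    net:192.0.2.25      fw                  tcp     22    # one assumed internet host
ACCEPT    int3                dmz:203.0.113.75    tcp     443   # int3 may reach only this DMZ host
ACCEPT    dmz:203.0.113.75    int1:192.168.1.10   tcp     3306  # assumed DB host behind the firewall
```

Two checks a practitioner would run before putting this on a production box: `shorewall check` parses the files without touching the running ruleset, and `shorewall try <dir> <seconds>` loads a candidate configuration and reverts automatically if the box is not confirmed reachable within the timeout, which is the safe way to test on a firewall that cannot simply be taken down. One caveat to keep in mind with this design: on eth4 the dmz and s_z zones are identified by source address alone, so a packet arriving from the ISP1 side with a forged 203.0.113.72/29 source is classified as dmz by the internal firewall. That trust rests on the external firewall dropping such packets on its upstream interface, which is worth verifying there rather than assuming here.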