2 questions

1) I want to set up a zone of trusted IP addresses (opposite of blacklist). I've seen that question being asked in the mailing list before but I haven't seen any example. If I want to set up a zone for IP addresses 195.X.X.1-2, do I have to set up my host file like:

trusted1 eth1:195.X.X.1
trusted1 eth1:195.X.X.2

2) I want an "all" zone (for, say, I want to allow ssh access from anywhere). Do I set up my host file like:

all

Rgds
Dom
On Mon, 12 Aug 2002, Cressatti, Dominique wrote:

> 2 questions
> 1) I want to set up a zone of trusted IP addresses (opposite of blacklist),
> I've seen that question being asked in the mailing list before but I haven't seen
> any example.
> If want to set up a zone for IP addresses 195.X.X.1-2, do I have to setup my host file like:
>
> trusted1 eth1:195.X.X.1
> trusted1 eth1:195.X.X.2
>

Yes (only you need to observe the 5-character limit on zone names) -- perhaps http://www.shorewall.net/whitelisting_under_shorewall.htm can help you.

> 2) I want an "all" zone (for say I want to allow ssh access from anywhere),
> do I set up my host file like:
>

For that, you will have to have individual rules or place a rule in /etc/shorewall/common that permits ssh.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Well my first question is why do they deny loc to loc? The next question: what is DMZ zone? I am running Two interface script on my system.

Eth0 Internet
Eth1 Loc

Thanks.
On Wed, 14 Aug 2002, Eric wrote:

> Well my first question is why do they deny loc to loc

I don't understand your question -- if you add a policy

loc loc ACCEPT

then loc to loc will be accepted.

> The next question what is DMZ zone? I am running Two interface script
> on my system. Eth0 Internet Eth1 Loc Thanks.
>

A DMZ is a zone that is separated from both the internet and from the local zone by the firewall. It is used for internet-visible servers.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Thanks Tom

>> For that, you will have to have individual rules or place a rule in
>> /etc/shorewall/common that permits ssh.

Why can't I define a zone in the host file such as:

all eth1:0.0.0.0/0.0.0.0

Besides, is there not a zone called "all" already defined? I saw one in the whitelist doc being used in the policy file like:

SOURCE  DEST  POLICY    LOG LEVEL  LIMIT:BURST
ops     all   ACCEPT
all     ops   CONTINUE
loc     net   ACCEPT
net     all   DROP      info
all     all   REJECT    info

Rgds
Dom
On Tue, 20 Aug 2002, Cressatti, Dominique wrote:

> Thanks Tom
>
> >> For that, you will have to have individual rules or place a rule in
> >> /etc/shorewall/common that permits ssh.
>
> Why can't I define a zone in the host file such as:
> all eth1:0.0.0.0/0.0.0.0
>

Because "all" is a reserved word --

> beside is there not a zone called "all" already defined?
> I saw one the whitelist doc being used in the policy file
> like:
> SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
> ops all ACCEPT
> all ops CONTINUE
> loc net ACCEPT
> net all DROP info
> all all REJECT info
>

Again, "all" is a reserved word -- it means "any host".

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
On Tue, 20 Aug 2002, Tom Eastep wrote:

> > Again, "all" is a reserved word -- it means "any host".
>

In other words, the meaning of "all" is pre-defined by Shorewall.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
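As an added example (not Shorewall's own code and not posted by anyone in the thread), a small Python lint for the two constraints Tom states above: the 5-character zone-name limit and "all" being a reserved word that cannot name a zone. The hosts and rules files it checks are constructed from the thread, the 192.0.2.x addresses replace the poster's 195.X.X.x, and the firewall zone name "fw" is an assumption.

```python
"""Lint constructed Shorewall 1.x-style config text for the pitfalls raised in
this thread: zone names over 5 characters and the reserved word "all" used as
a zone name.  Added example, not Shorewall's own code."""

MAX_ZONE_LEN = 5    # the limit Tom mentions for zone names
RESERVED = {"all"}  # "all" means "any host"; it cannot name a zone
FW_ZONE = "fw"      # assumption: default name of the firewall zone
# Constructed hosts file as first proposed in the thread: 8-char name, "all" zone.
BAD_HOSTS = """#ZONE     HOST(S)
trusted1  eth1:192.0.2.1
trusted1  eth1:192.0.2.2
all       eth1:0.0.0.0/0
"""
# Constructed fix: a 5-character zone (also declared in /etc/shorewall/zones)
# and ssh "from anywhere" written as one rule per zone, as Tom advises.
GOOD_HOSTS = """#ZONE  HOST(S)
trust  eth1:192.0.2.1
trust  eth1:192.0.2.2
"""
GOOD_RULES = """#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT  net    fw   tcp   22
ACCEPT  loc    fw   tcp   22
ACCEPT  trust  fw   tcp   22
"""

def entries(text):
    """Yield (line_number, fields) for lines that are not blank or comments."""
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if fields:
            yield n, fields

def zone_name_problem(name):
    """Explain why a zone name is unusable, or return None if it is fine."""
    if name in RESERVED:
        return f'"{name}" is reserved (it means "any host") and cannot name a zone'
    if len(name) > MAX_ZONE_LEN:
        return f'"{name}" is {len(name)} characters; the limit is {MAX_ZONE_LEN}'
    return None

def lint_hosts(text):
    """Check the ZONE column of a hosts file; returns ["line N: ...", ...]."""
    return [f"line {n}: {p}" for n, f in entries(text)
            if (p := zone_name_problem(f[0]))]

def lint_rules(text, zones):
    """Flag rule SOURCE/DEST values that are not a declared zone or the firewall.
    "all" is flagged too: per the thread it is not a usable rule source here."""
    allowed = set(zones) | {FW_ZONE}
    return [f'line {n}: unknown zone "{z}"'
            for n, f in entries(text) for z in f[1:3] if z not in allowed]
```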