The version of Shorewall in the CVS development tree contains the first
implementation of dynamic zones. While these zones are aimed at IPSEC Road
Warriors, there is nothing ipsec-specific in the implementation except for
a small extension in the tunnels file.
There are two new commands, add and delete:
shorewall {add|delete} <interface>[:<host or subnet>] zone
The interface must have been defined at the time that Shorewall was last
[re]started. If no host or subnet address is given, 0.0.0.0/0 is assumed.
When you add a host or subnet to a zone, Shorewall will NOT create rules
allowing that host/subnet to communicate with itself through the firewall.
To use this facility for ipsec road warriors:
a) Define a zone for each class of Road Warrior.
e.g.:
rw1 RW1 Road Warrior class 1
rw2 RW2 Road Warrior class 2
You can leave these zones empty -- Shorewall will issue a warning about
each of them at startup but these warnings are expected and can be safely
ignored.
b) Define the rules and policies for these zones normally.
c) In /etc/shorewall/interfaces, define the ipsec device(s) as multi-zoned
(a "-" in the ZONE column).
e.g.:
- ipsec0 -
d) In /etc/shorewall/tunnels, list the zones that Road Warriors may be added
to in the fourth column (this is the small tunnels-file extension mentioned
above):
ipsec net 0.0.0.0/0 rw1,rw2
e) In your updown script, add the host to one of the RW zones at connect time:
e.g.:
shorewall add ipsec0:192.0.2.44 rw2
f) In your updown script, delete the host from the zone at disconnect time:
e.g.:
shorewall delete ipsec0:192.0.2.44 rw2
g) If shorewall is restarted (or stopped and started), the zone
configurations will revert to their original definitions -- dynamic
additions to zones are not saved between starts.
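As an added example (my own illustration, not code from the post or from
Shorewall itself), here is a POSIX sh updown hook that carries out steps e)
and f) above. It assumes the FreeS/WAN-style pluto environment variables
PLUTO_VERB, PLUTO_INTERFACE, PLUTO_PEER and PLUTO_CONNECTION, an assumed
connection-name convention (rw1-*, rw2-*) for choosing the Road Warrior
class, and an assumed install path for the shorewall binary. Because the
peer address arrives from the network, the hook checks that it is a plain
IPv4 host or subnet before placing it on a command line.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: an IPSEC updown hook that moves a
# Road Warrior in and out of a dynamic Shorewall zone on connect/disconnect.
# Assumed: pluto exports PLUTO_VERB, PLUTO_INTERFACE, PLUTO_PEER and
# PLUTO_CONNECTION as FreeS/WAN-style updown scripts receive them.

SHOREWALL="${SHOREWALL:-/sbin/shorewall}"   # assumed install path

# Accept only a dotted-quad, optionally with a /prefix, so that nothing but a
# validated address is ever spliced into the shorewall command line.
# Returns 0 if valid, 1 otherwise.
valid_ipv4() {
    addr="${1%%/*}"
    prefix="${1#"$addr"}"
    case "$prefix" in
        "") ;;
        /[0-9]|/[12][0-9]|/3[0-2]) ;;
        *) return 1 ;;
    esac
    old_ifs="$IFS"; IFS=.
    set -- $addr
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ ${#octet} -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Map the connection name to a Road Warrior class (zone). The rw1-*/rw2-*
# naming is an assumption; the post only says to define one zone per class.
zone_for_connection() {
    case "$1" in
        rw1-*) echo rw1 ;;
        rw2-*) echo rw2 ;;
        *) return 1 ;;
    esac
}

# Build the shorewall argument list for a pluto verb. Prints nothing and
# returns 1 for verbs that do not change zone membership (prepare-*, route-*)
# or for a peer that is not a clean IPv4 host/subnet.
shorewall_zone_cmd() {
    verb="$1"; iface="$2"; peer="$3"; zone="$4"
    valid_ipv4 "$peer" || return 1
    case "$verb" in
        up-host|up-client)     echo "add $iface:$peer $zone" ;;
        down-host|down-client) echo "delete $iface:$peer $zone" ;;
        *) return 1 ;;
    esac
}

# Entry point: only act when pluto invoked us (PLUTO_VERB is set).
if [ -n "${PLUTO_VERB:-}" ]; then
    # Not a Road Warrior connection: nothing to do.
    zone=$(zone_for_connection "${PLUTO_CONNECTION:-}") || exit 0
    args=$(shorewall_zone_cmd "$PLUTO_VERB" "${PLUTO_INTERFACE:-ipsec0}" \
                              "${PLUTO_PEER:-}" "$zone") || exit 0
    # $args is exactly three validated words; word splitting is intended.
    $SHOREWALL $args
fi
```

With PLUTO_VERB=up-client, PLUTO_INTERFACE=ipsec0, PLUTO_PEER=192.0.2.44 and
PLUTO_CONNECTION=rw2-laptop, the hook runs "shorewall add ipsec0:192.0.2.44
rw2", and the matching down-client event runs the delete. Since, per g),
dynamic additions do not survive a restart, the hook is written to be
harmless to run again after Shorewall has been restarted.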
This has been lightly tested and I would appreciate it if those who are
interested in this type of facility would test further.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net