I have a server behind a separate hardware firewall. The server handles some requests from the local network (smb, web, and mail) and from the internet (web & mail). I have three zones defined for the server's single interface; adm, loc, and net. In the hosts file, I defined the first 2 like this:

adm eth0:192.168.0.10 routestopped
loc eth0:192.168.0.0/24 routestopped

The adm zone is also filtered by MAC in the rules since it gets access to management tools (swat & webmin). But incoming requests from my net zone, which since undefined should default to (0.0.0.0/0), got dropped by my all2all policy until I specified it in the hosts file like this:

net eth0:0.0.0.0/0

Yes, I know my config is somewhat less than ideal, but I've got to make do with the hardware I have for now. My point is that the zone defaults mentioned in the docs DO need to be specified in the hosts file (at least in this case).

From the docs:
"If you don't define any hosts for a zone, the hosts in the zone default to i0:0.0.0.0/0, i1:0.0.0.0/0, ... where i0, i1, ... are the interfaces to the zone.

Note 1: You probably DON'T want to specify any hosts for your internet zone since the hosts that you specify will be the only ones that you will be able to access without adding additional rules."

Or have I overlooked something?

While I'm at it, how can I deny RFC 1918 IPs in my net zone and still accept them in the others? The only thing I've come up with is to filter everything in loc by MAC address too.

Sincerely,
Jim Hubbard
On Wed, 10 Apr 2002, Jim Hubbard wrote:

> I have a server behind a separate hardware firewall. The server handles
> some requests from the local network (smb, web, and mail) and from the
> internet (web & mail). I have three zones defined for the server's single
> interface; adm, loc, and net. In the hosts file, I defined the first 2 like
> this:
>
> adm eth0:192.168.0.10 routestopped
> loc eth0:192.168.0.0/24 routestopped
>
> The adm zone is also filtered by MAC in the rules since it gets access to
> management tools (swat & webmin). But incoming requests from my net zone,
> which since undefined should default to (0.0.0.0/0), got dropped by my
> all2all policy until I specified it in the hosts file like this:
>
> net eth0:0.0.0.0/0
>
> Yes, I know my config is somewhat less than ideal, but I've got to make do
> with the hardware I have for now. My point is that the zone defaults
> mentioned in the docs DO need to be specified in the hosts file (at least in
> this case).
>
> From the docs:
> "If you don't define any hosts for a zone, the hosts in the zone default to
> i0:0.0.0.0/0, i1:0.0.0.0/0, ... where i0, i1, ... are the interfaces to the
> zone.
>
> Note 1: You probably DON'T want to specify any hosts for your internet zone
> since the hosts that you specify will be the only ones that you will be able
> to access without adding additional rules."
>
> Or have I overlooked something?

What do your 'zones' and 'interfaces' files look like?

> While I'm at it, how can I deny RFC 1918 IPs in my net zone and still accept
> them in the others? The only thing I've come up with is to filter
> everything in loc by MAC address too.

Why do you need to? Doesn't your outer firewall already filter these?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Tom Eastep
> Sent: Wednesday, April 10, 2002 12:15 PM
> To: Jim Hubbard
> Cc: shorewall-users@shorewall.net
> Subject: Re: [Shorewall-users] Hosts
>
>
> On Wed, 10 Apr 2002, Jim Hubbard wrote:
>
> > I have a server behind a separate hardware firewall. The server handles
> > some requests from the local network (smb, web, and mail) and from the
> > internet (web & mail). I have three zones defined for the server's single
> > interface; adm, loc, and net. In the hosts file, I defined the first 2 like
> > this:
> >
> > adm eth0:192.168.0.10 routestopped
> > loc eth0:192.168.0.0/24 routestopped
> >
> > The adm zone is also filtered by MAC in the rules since it gets access to
> > management tools (swat & webmin). But incoming requests from my net zone,
> > which since undefined should default to (0.0.0.0/0), got dropped by my
> > all2all policy until I specified it in the hosts file like this:
> >
> > net eth0:0.0.0.0/0
> >
> > Yes, I know my config is somewhat less than ideal, but I've got to make do
> > with the hardware I have for now. My point is that the zone defaults
> > mentioned in the docs DO need to be specified in the hosts file (at least in
> > this case).
> >
> > From the docs:
> > "If you don't define any hosts for a zone, the hosts in the zone default to
> > i0:0.0.0.0/0, i1:0.0.0.0/0, ... where i0, i1, ... are the interfaces to the
> > zone.
> >
> > Note 1: You probably DON'T want to specify any hosts for your internet zone
> > since the hosts that you specify will be the only ones that you will be able
> > to access without adding additional rules."
> >
> > Or have I overlooked something?
>
> What do your 'zones' and 'interfaces' files look like?
Actually, instead of the IPs listed above I've defined them as parameters like this in "params":

ADM_IPS=192.168.0.10
LOC_IPS=192.168.0.0/24
NET_IPS=0.0.0.0/0

So my hosts file is actually:

#ZONE   HOST(S)         OPTIONS
adm     eth0:$ADM_IPS   routestopped
loc     eth0:$LOC_IPS   routestopped
net     eth0:$NET_IPS

I don't know why I prefer it this way, it's just less clutter I guess. Anyway, here are zones & interfaces:

"zones"
#ZONE   DISPLAY COMMENTS
adm     Admin   Local Administrator
loc     Local   Local Network
net     Net     Internet

"interfaces"
#ZONE   INTERFACE   BROADCAST       OPTIONS
-       eth0        192.168.0.255   routestopped,multi,blacklist

> > While I'm at it, how can I deny RFC 1918 IPs in my net zone and still accept
> > them in the others? The only thing I've come up with is to filter
> > everything in loc by MAC address too.
>
> Why do you need to? Doesn't your outer firewall already filter these?

My outer hardware firewall (Netgear RO318) cannot block certain addresses on the outside from getting in. A port is either open to everyone (and forwarded to the server) or it's closed. Curiously, I can restrict IPs on the inside from accessing outside services. Go figure. Filtering loc by MAC wouldn't be a big deal for me since we only have about 8 local users. I was just wondering if there was a better way.

Sincerely,
Jim Hubbard
On Wed, 10 Apr 2002, Jim Hubbard wrote:

> Actually, instead of the IPs listed above I've defined them as parameters
> like this in "params":
> ADM_IPS=192.168.0.10
> LOC_IPS=192.168.0.0/24
> NET_IPS=0.0.0.0/0
>
> So my hosts file is actually:
> #ZONE   HOST(S)         OPTIONS
> adm     eth0:$ADM_IPS   routestopped
> loc     eth0:$LOC_IPS   routestopped
> net     eth0:$NET_IPS
>
> I don't know why I prefer it this way, it's just less clutter I guess.
> Anyway, here are zones & interfaces:
>
> "zones"
> #ZONE   DISPLAY COMMENTS
> adm     Admin   Local Administrator
> loc     Local   Local Network
> net     Net     Internet
>
> "interfaces"
> #ZONE   INTERFACE   BROADCAST       OPTIONS
> -       eth0        192.168.0.255   routestopped,multi,blacklist

Since you have used "-" as the zone for eth0 in the interfaces file, you have to define 'net' somewhere and that 'somewhere' is in the hosts file. The documentation that you quoted about the zone contents defaulting to all hosts interfacing through a set of interfaces doesn't apply in this case.

> > > While I'm at it, how can I deny RFC 1918 IPs in my net zone and still accept
> > > them in the others? The only thing I've come up with is to filter
> > > everything in loc by MAC address too.
> >
> > Why do you need to? Doesn't your outer firewall already filter these?
>
> My outer hardware firewall (Netgear RO318) cannot block certain addresses on
> the outside from getting in. A port is either open to everyone (and
> forwarded to the server) or it's closed. Curiously, I can restrict IPs on
> the inside from accessing outside services. Go figure. Filtering loc by
> MAC wouldn't be a big deal for me since we only have about 8 local users. I
> was just wondering if there was a better way.

I don't see where MAC filtering will help. What threat are you trying to protect yourself from?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
> Since you have used "-" as the zone for eth0 in the interfaces file, you
> have to define 'net' somewhere and that 'somewhere' is in the hosts file.
> The documentation that you quoted about the zone contents defaulting to
> all hosts interfacing through a set of interfaces doesn't apply in this
> case.

OK

> > > While I'm at it, how can I deny RFC 1918 IPs in my net zone and still accept
> > > them in the others? The only thing I've come up with is to filter
> > > everything in loc by MAC address too.
>
> I don't see where MAC filtering will help. What threat are you trying to
> protect yourself from?
>
> -Tom

MAC filtering my loc zone wouldn't keep anyone out of, say, my web server, but it just seems like anything I can do to make sure local users really are who they say they are would be a good idea.

It would be neat if I could restrict my net zone in my hosts file with something like:

net eth0:0.0.0.0/0 norfc1918

or

net eth0:!10.0.0.0/8,!172.16.0.0/12,!192.168.0.0/16

If not, then maybe this would be something worth adding?

Sincerely,
Jim
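The following is an added example, not part of the thread and not Shorewall code: it models the hosts-file configuration posted above to show why traffic was dropped before the 'net' line existed, and what the exclusion syntax Jim proposes would change for an RFC 1918 source arriving on the outside. It assumes first-match in zones-file order and treats "no matching zone" as the all2all drop Jim observed; both are modelling assumptions, not Shorewall's documented semantics.

```python
"""Classify a packet's source address into a Shorewall-style zone.

Modelling assumptions (mine, not from the Shorewall docs): zones are
tried in the order of the posted zones file and the first match wins;
an address that matches no zone falls to the all2all policy (drop).
"""
import ipaddress

ZONES_ORDER = ["adm", "loc", "net"]          # order of the posted zones file

# hosts entries: zone -> (interface, included networks, excluded networks)
HOSTS_WITH_NET = {                           # Jim's hosts file with $PARAMS expanded
    "adm": ("eth0", ["192.168.0.10"], []),
    "loc": ("eth0", ["192.168.0.0/24"], []),
    "net": ("eth0", ["0.0.0.0/0"], []),
}
# Before the 'net' line was added: with "-" as the interface zone,
# nothing defines net, so outside addresses match no zone at all.
HOSTS_WITHOUT_NET = {k: v for k, v in HOSTS_WITH_NET.items() if k != "net"}

# Jim's proposed form, net eth0:!10.0.0.0/8,!172.16.0.0/12,!192.168.0.0/16,
# modelled as 0.0.0.0/0 with the RFC 1918 blocks excluded.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
HOSTS_NET_NO_RFC1918 = dict(HOSTS_WITH_NET, net=("eth0", ["0.0.0.0/0"], RFC1918))


def classify(src, hosts, interface="eth0"):
    """Return the first zone whose hosts entry covers `src` on `interface`,
    or None when no zone matches (the all2all-drop case)."""
    addr = ipaddress.ip_address(src)
    for zone in ZONES_ORDER:
        if zone not in hosts:
            continue
        iface, included, excluded = hosts[zone]
        if iface != interface:
            continue
        if any(addr in ipaddress.ip_network(n) for n in excluded):
            continue                         # explicitly carved out of this zone
        if any(addr in ipaddress.ip_network(n) for n in included):
            return zone
    return None


if __name__ == "__main__":
    # Constructed sample sources: admin host, another LAN host, an outside
    # host, and a private-range source arriving from the outside.
    for src in ["192.168.0.10", "192.168.0.50", "203.0.113.7", "10.1.2.3"]:
        print(src, classify(src, HOSTS_WITHOUT_NET),
              classify(src, HOSTS_WITH_NET), classify(src, HOSTS_NET_NO_RFC1918))
```

The last column shows the effect Jim is after: a private-range source on the outside matches no zone and is dropped, while genuine loc hosts still land in loc because that zone is matched first.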