Hi,

I have a serious problem with shorewall 1.2.6:

I have a loc type zone and a free zone (some computers in the loc zone) with
full access to all zones (defined with the hosts file).

I have added:

free all ACCEPT

BUT Shorewall isolates my "free" subzone in the FORWARD and OUTPUT chains.
"free" is able to connect to anything BUT the reverse path is blocked due to the
fact that this stub zone does not follow the parent zone's rules. (I mean
ZoneX -> loc ACCEPT is not applied to my sub zone "free".)

Each other zone is blocked by rules!!! but loc is able to do more.

-> The problem is: a subzone DOES NOT follow rules applied to the parent zone!!
Except in the INPUT chain.

I think you should implement a notion of subzone aka "children" who follow
parent rules and aka "isolated" to restrict a subzone....
On Wed, 29 May 2002, Alain Degreffe wrote:

> Hi,
>
> I have a serious problem with shorewall 1.2.6:
>
> I have a loc type zone and a free zone (some computers in the loc zone) with
> full access to all zones (defined with the hosts file).
>
> I have added:
>
> free all ACCEPT
>
> BUT Shorewall isolates my "free" subzone in the FORWARD and OUTPUT chains.
> "free" is able to connect to anything BUT the reverse path is blocked due to the
> fact that this stub zone does not follow the parent zone's rules. (I mean
> ZoneX -> loc ACCEPT is not applied to my sub zone "free".)
>
> Each other zone is blocked by rules!!! but loc is able to do more.
>

What is the order of 'free' and 'loc' in your /etc/shorewall/zones file?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
On Wednesday 29 May 2002 15:04, you wrote:
> On Wed, 29 May 2002, Alain Degreffe wrote:
> > Hi,
> >
> > I have a serious problem with shorewall 1.2.6:
> >
> > I have a loc type zone and a free zone (some computers in the loc zone)
> > with full access to all zones (defined with the hosts file).
> >
> > I have added:
> >
> > free all ACCEPT
> >
> > BUT Shorewall isolates my "free" subzone in the FORWARD and OUTPUT chains.
> > "free" is able to connect to anything BUT the reverse path is blocked due to
> > the fact that this stub zone does not follow the parent zone's rules. (I
> > mean ZoneX -> loc ACCEPT is not applied to my sub zone "free".)
> >
> > Each other zone is blocked by rules!!! but loc is able to do more.
>
> What is the order of 'free' and 'loc' in your /etc/shorewall/zones file?

This is not the problem!

A useful piece of information: my design

Internet1---------\            /---------- "loc" ("free" sub zone)
                   Shorewall
internet2---------/            \---------- "jail" (eth)
                      /
         --------------ipsectunnel on internet = "extranet" zone

In our case, I would like

1. to restrict loc to the firewall (proxy server/shorewall) and extranet
2. to permit all access to free

The script does "for zone in $zone" and this works well, but in any case,
look at the FORWARD chain and you'll see that any subzone is treated like
another one:

1. take the zone
2. walk through the policies
3. for any combination not described in the policy file, the script adds a
   match for the all2all chain (and of course, the forward is blocked)

The "continue" policy is not very useful if you only use policy to define
special access to a sub zone....

I really think that the sub zone is not usable... The script never looks for a
parent zone.

I explain the process in both cases (free before loc and loc before free):

1. free before loc

Well, free is able to do what is defined in the policy/rule file, but in the
FORWARD chain all access to the free zone is locked and all2all is matched
before extranet2loc.

2. loc before free

all2all is matched before free2jail.

Any suggestion?

> -Tom
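The zone-pair walk described in the message above (take a zone, walk the policy lines, fall back to the all2all chain when nothing matches) can be modelled in a few lines, which makes it easy to see why the zones-file order decides which chain catches a packet for a host that sits in both "loc" and "free". The model below is an added example written for this thread; it is neither Shorewall's code nor the poster's. The hosts, zone names, zone orderings and policy lines are constructed to mirror the design in the message, and the model assumes that zone pairs are tried in zones-file order, that the first matching policy line wins with "all" as a wildcard, that a final "all all DROP" line plays the role of the all2all chain, and that a CONTINUE policy gives no verdict for its pair so the walk moves on to the next pair (the documented role of Shorewall's CONTINUE policy for nested zones).

```python
"""Simplified model of the zone-pair walk described in the thread: take a zone,
walk the policy lines, and fall back to the all2all chain when no line matches.
Added illustration only; not Shorewall's code and not the poster's.

Assumptions (constructed for this example, not taken from the thread):
  * a host may belong to several zones ('pc-free' is in both 'loc' and 'free');
  * zone pairs are tried in the order the zones appear in the zones file;
  * within a pair the first matching policy line wins, 'all' is a wildcard,
    and a final 'all all DROP' line stands in for the all2all chain;
  * a CONTINUE policy gives no verdict for that pair; the walk moves on to
    the next pair (the documented role of Shorewall's CONTINUE policy).
"""

# The two zones-file orderings the poster compares
ZONE_ORDER_FREE_FIRST = ["free", "loc", "jail", "extranet", "fw"]
ZONE_ORDER_LOC_FIRST = ["loc", "free", "jail", "extranet", "fw"]

# host -> zones containing it (constructed to mirror the design in the thread)
MEMBERSHIP = {
    "pc-free": {"loc", "free"},      # a loc machine that is also in the free subzone
    "pc-loc": {"loc"},
    "srv-jail": {"jail"},
    "peer-extranet": {"extranet"},
    "firewall": {"fw"},
}

# Policy lines (SOURCE, DEST, POLICY) in file order (constructed)
POLICIES = [
    ("free", "all", "ACCEPT"),       # the line the poster added
    ("loc", "fw", "ACCEPT"),         # loc may reach the firewall/proxy ...
    ("loc", "extranet", "ACCEPT"),   # ... and the extranet, nothing else
    ("extranet", "loc", "ACCEPT"),   # the "ZoneX -> loc ACCEPT" case
    ("all", "all", "DROP"),          # catch-all: plays the role of all2all
]


def zones_of(host, zone_order, membership):
    """Zones containing host, in zones-file order (that order drives the walk)."""
    return [z for z in zone_order if z in membership[host]]


def lookup_policy(src_zone, dst_zone, policies):
    """First policy line matching the pair; 'all' matches any zone."""
    for src, dst, action in policies:
        if src in (src_zone, "all") and dst in (dst_zone, "all"):
            return action
    return "DROP"  # no line at all: same effect as the all2all chain


def decide(src_host, dst_host, zone_order, membership=MEMBERSHIP, policies=POLICIES):
    """Walk the zone pairs for one packet; return (verdict, chains tried in order)."""
    trace = []
    for src_zone in zones_of(src_host, zone_order, membership):
        for dst_zone in zones_of(dst_host, zone_order, membership):
            action = lookup_policy(src_zone, dst_zone, policies)
            trace.append((f"{src_zone}2{dst_zone}", action))
            if action != "CONTINUE":
                return action, trace
    return "DROP", trace  # every pair said CONTINUE: nothing accepted it


def with_continue(policies, src_zone, dst_zone):
    """Policies with a CONTINUE line for the given subzone pair placed first."""
    return [(src_zone, dst_zone, "CONTINUE")] + list(policies)


if __name__ == "__main__":
    cases = [("pc-free", "srv-jail"), ("peer-extranet", "pc-free"), ("pc-loc", "srv-jail")]
    for label, order in (("free before loc", ZONE_ORDER_FREE_FIRST),
                         ("loc before free", ZONE_ORDER_LOC_FIRST)):
        print(f"== {label} ==")
        for src, dst in cases:
            verdict, trace = decide(src, dst, order)
            print(f"  {src} -> {dst}: {verdict} via {trace}")
    # Subzone first plus an explicit CONTINUE lets the parent zone's policy apply
    verdict, trace = decide("peer-extranet", "pc-free", ZONE_ORDER_FREE_FIRST,
                            policies=with_continue(POLICIES, "extranet", "free"))
    print(f"== free before loc, extranet->free CONTINUE ==\n  {verdict} via {trace}")
```

Running it reproduces both orderings from the message: with "free" first, pc-free -> srv-jail is accepted by free2jail but peer-extranet -> pc-free dies in extranet2free on the catch-all before extranet2loc is ever consulted; with "loc" first, pc-free -> srv-jail dies in loc2jail before free2jail is reached. The last case shows the only way this model lets a subzone pair defer to the parent: the subzone listed first and an explicit CONTINUE policy for that pair, after which extranet2loc's ACCEPT applies.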
On Wed, 29 May 2002, Alain Degreffe wrote:

> > What is the order of 'free' and 'loc' in your /etc/shorewall/zones file?
>
> This is not the problem!
>
> A useful piece of information: my design
>
> Internet1---------\            /---------- "loc" ("free" sub zone)
>                    Shorewall
> internet2---------/            \---------- "jail" (eth)
>                       /
>          --------------ipsectunnel on internet = "extranet" zone
>
> In our case, I would like
>
> 1. to restrict loc to the firewall (proxy server/shorewall) and extranet
> 2. to permit all access to free
>
> The script does "for zone in $zone" and this works well, but in any case,
> look at the FORWARD chain and you'll see that any subzone is treated like
> another one:
>
> 1. take the zone
> 2. walk through the policies
> 3. for any combination not described in the policy file, the script adds a
>    match for the all2all chain (and of course, the forward is blocked)
>
> The "continue" policy is not very useful if you only use policy to define
> special access to a sub zone....
>
> I really think that the sub zone is not usable... The script never looks for a
> parent zone.
>
> I explain the process in both cases (free before loc and loc before free):
>
> 1. free before loc
>
> Well, free is able to do what is defined in the policy/rule file, but in the
> FORWARD chain all access to the free zone is locked and all2all is matched
> before extranet2loc.
>
> 2. loc before free
>
> all2all is matched before free2jail.
>
> Any suggestion?

Yes -- please tar up your /etc/shorewall directory and send it to me along
with the output of "shorewall status" -- I can't make any sense of your report
without it.

-Tom
Alain,

Did you send me your configuration? I've not seen it yet...

-Tom