Luigi Capriotti
2002-Aug-28 15:43 UTC
[Shorewall-users] multiple nested zones and continue policy
I've shuffled my config files a lot but can't find a clue for this:

I've a (Bering rc3) system with 3 interfaces and a number of zones:

eth0: net
eth1: loc, which includes user, admin, dummy as nested zones
eth2: dmz, which includes dmz1 and dmz2 as nested zones

/etc/shorewall/hosts:

net     eth0:0.0.0.0/0

admin   eth1:192.168.1.100
user    eth1:192.168.1.0/24
dummy   eth1:192.168.2.0/24
loc     eth1:192.168.1.0/24,eth1:192.168.2.0/24

dmz1    eth2:192.168.0.0/25
dmz2    eth2:192.168.0.224/27
dmz     eth2:192.168.0.0/24

With this config I'd like to be able to specify general rules for the loc zone as a whole, hence including the admin, user and dummy zones; the same for the dmz, i.e. specifying

ACCEPT  loc  fw   tcp  8080
ACCEPT  dmz  loc  tcp  25

I'd like the rule to be applied to the nested zones, too.
The nested zones have other, specific rules specified, such as:

# Allow FTP transfers to admin
ACCEPT  admin  net  tcp  ftp

As you've noticed, some of the nested zones require router (initial) intervention to talk to each other (i.e. dummy and user), so each nested zone must be allowed connections from the "neighbourhoods".

Sounds complicated, and I did not find a proper set of CONTINUE policies to fit this scenario. This is the last effort:

user    net    CONTINUE
user    dmz    CONTINUE
user    fw     CONTINUE
admin   net    CONTINUE
admin   dmz    CONTINUE
admin   fw     CONTINUE
dummy   net    CONTINUE
dummy   dmz    CONTINUE
dummy   fw     CONTINUE
loc     user   ACCEPT
loc     admin  ACCEPT
loc     dummy  ACCEPT
loc     fw     REJECT
loc     dmz    ACCEPT
loc     loc    ACCEPT
fw      loc    ACCEPT
fw      dmz    ACCEPT

but either a sub-zone can't be routed to another sub-zone, or the fw can't talk to a sub-zone, or similar.

I can specify all zone pairs, but I thought the CONTINUE policy could help me a lot in being concise.

Am I missing the core functionality of the CONTINUE statement, or am I only missing some policy lines?

Thanks in advance
Luigi
Tom Eastep
2002-Aug-31 21:59 UTC
[Shorewall-users] multiple nested zones and continue policy
On Wednesday 28 August 2002 08:43 am, Luigi Capriotti wrote:

> I've shuffled my config files a lot but can't find a clue for this:
>
> I've a (Bering rc3) system with 3 interfaces and a number of zones:
>
> eth0: net
> eth1: loc, which includes user, admin, dummy as nested zones
> eth2: dmz, which includes dmz1 and dmz2 as nested zones
>
> /etc/shorewall/hosts:
> net     eth0:0.0.0.0/0
>
> admin   eth1:192.168.1.100
> user    eth1:192.168.1.0/24
> dummy   eth1:192.168.2.0/24
> loc     eth1:192.168.1.0/24,eth1:192.168.2.0/24
>
> dmz1    eth2:192.168.0.0/25
> dmz2    eth2:192.168.0.224/27
> dmz     eth2:192.168.0.0/24
>
> With this config I'd like to be able to specify general rules for the loc
> zone as a whole, hence including the admin, user and dummy zones; the same for
> the dmz, i.e. specifying
>
> ACCEPT  loc  fw   tcp  8080
> ACCEPT  dmz  loc  tcp  25
>
> I'd like the rule to be applied to the nested zones, too.
> The nested zones have other, specific rules specified, such as:
>
> # Allow FTP transfers to admin
> ACCEPT  admin  net  tcp  ftp
>
> As you've noticed, some of the nested zones require router (initial)
> intervention to talk to each other (i.e. dummy and user), so each nested zone
> must be allowed connections from the "neighbourhoods".
>
> Sounds complicated, and I did not find a proper set of CONTINUE policies to
> fit this scenario. This is the last effort:
>
> user    net    CONTINUE
> user    dmz    CONTINUE
> user    fw     CONTINUE
> admin   net    CONTINUE
> admin   dmz    CONTINUE
> admin   fw     CONTINUE
> dummy   net    CONTINUE
> dummy   dmz    CONTINUE
> dummy   fw     CONTINUE
> loc     user   ACCEPT
> loc     admin  ACCEPT
> loc     dummy  ACCEPT
> loc     fw     REJECT
> loc     dmz    ACCEPT
> loc     loc    ACCEPT
> fw      loc    ACCEPT
> fw      dmz    ACCEPT
>
> but either a sub-zone can't be routed to another sub-zone, or the fw can't
> talk to a sub-zone, or similar.
>
> I can specify all zone pairs, but I thought the CONTINUE policy could help
> me a lot in being concise.
>
> Am I missing the core functionality of the CONTINUE statement, or am I only
> missing some policy lines?

Without seeing your zones file, I can't possibly tell you what's wrong. The order of the zones in that file is critical when you have nested zones.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
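Added example, not from either message in this thread: a /etc/shorewall/zones file laid out in the order Tom's reply points at, built from the hosts entries Luigi posted. Each sub-zone is listed before the zone that contains it, so that a host is matched against its most specific zone first and a CONTINUE policy on that sub-zone then lets the packet fall through to the enclosing zone's rules and policy. Note that admin (192.168.1.100) also lies inside user (192.168.1.0/24), so admin has to come before user as well as before loc. The three-column ZONE / DISPLAY / COMMENTS layout is the Shorewall 1.3 zones file format assumed here; the display names are made up for the example.

```text
# /etc/shorewall/zones  (added example, not from the thread; assumes Shorewall 1.3 format)
#
# Most specific zone first: Shorewall checks zones in the order listed,
# so a sub-zone must precede every zone that contains it.
#
#ZONE   DISPLAY     COMMENTS
net     Net         Internet (eth0)
admin   Admin       192.168.1.100 - inside user and inside loc
user    User        192.168.1.0/24 - inside loc
dummy   Dummy       192.168.2.0/24 - inside loc
loc     Local       super-zone of admin, user, dummy (eth1)
dmz1    DMZ1        192.168.0.0/25 - inside dmz
dmz2    DMZ2        192.168.0.224/27 - inside dmz
dmz     DMZ         super-zone of dmz1, dmz2 (eth2)
fw      FW          the firewall itself
```

With this order, a connection from 192.168.1.100 to the net is first evaluated as admin->net (where the posted "ACCEPT admin net tcp ftp" rule applies); the admin->net CONTINUE policy then hands anything not yet decided on to user->net and finally to loc->net. With loc listed ahead of its sub-zones, the same packet would be classified as loc traffic and the sub-zone rules would never be reached, which matches the symptoms in the question. Check the result after a restart with "shorewall show" (or "shorewall status" on 1.3) and confirm the sub-zone chains appear before the loc chains for eth1.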