Considering this setup:

                    NET:eth3
                       ^
                       |
                   +---|---+
                   |       |ADM:eth1-10.2.0.1/16
                   |  FW   +--------------------> LAN-ADM
                   |       |
                   +---+---+
                       |CORP:eth2:10.1.0.1/16
                       |
                       |   +--------+   +--------+
                       |   | BRANCH |   | BRANCH |
                       +---+ OFFICE |-o-| OFFICE +-->LAN:SVP
                       |   | ROUTER |   | ROUTER |
                       |   +--------+   +--------+
                       |    10.1.0.5     10.6.0.1
                       V
                    LAN:CORP
Hosts in SVP lan: GW 10.6.0.1
Hosts in CORP lan: GW 10.1.0.1
I suppose the better and easier way to handle SVP connections to/from
ADM/CORP/NET would be having another NIC in FW. In that setup, it's a
'piece of cake'.
But, for now, I need to maintain the above setup.
I tried several different combinations, especially using/not using the hosts
config file, with one/two broadcast addresses on eth2, etc.
All connections to/from the firewall and SVP hosts were OK.
All attempts to access a host in the CORP LAN (10.1.0.2) from the SVP LAN
(10.6.0.252) return:
Shorewall:FORWARD:REJECT:IN=eth2 OUT=eth2 SRC=10.1.0.2 DST=10.6.0.252
I tried in policy "corp corp ACCEPT", "svp svp ACCEPT", "corp svp ACCEPT",
"svp corp ACCEPT" or the equivalent in rules. No way.
I have all the zone combinations in the policy file (fw,corp,svp,net,fw,all).
After putting ACCEPT in all combinations, the only way to permit the
connection (except Shorewall clear) was "all all ACCEPT".
The log becomes:
Shorewall:FORWARD:ACCEPT:IN=eth2 OUT=eth2 SRC=10.1.0.2 DST=10.6.0.252
---interfaces----
- eth2 detect routestopped,dhcp,blacklist,filterping,routefilter
---hosts---
corp eth2:10.1.0.0/16
svp eth2:10.6.0.0/16
---policy---
(all zones combinations are ACCEPT; net2... and all2... are REJECT)
------------------
Also tried not using hosts, with the interfaces file:
---interfaces----
- eth2 10.1.255.255,10.6.255.255 routestopped,dhcp,blacklist,filterping,routefilter
-----------------
I looked in the documentation/mailing archive for a similar setup and didn't
find one. (Could this be a nested zone?)
What would be the best approach for zones/interfaces/hosts/policy?
Am I missing something, or is it a design mistake?
Thanks
-Gilson
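The following is an added example, not part of Gilson's message or of Shorewall itself. It takes the two hosts-file zone definitions quoted above (corp and svp on eth2) and classifies Shorewall FORWARD log lines into a (source zone, destination zone) pair, flagging packets that enter and leave on the same interface (IN == OUT). The "adm" entry on eth1 is an assumption read off the diagram (ADM:eth1-10.2.0.1/16), and the sample log lines are constructed from the two lines shown in the message. Running it over a real log would tell you which zone pair a REJECT actually belongs to before you touch the policy file.

```python
"""Map Shorewall FORWARD log lines onto hosts-file zones (added example)."""
import ipaddress
import re
from collections import Counter

# Zone map in the form of /etc/shorewall/hosts: ZONE, INTERFACE, NETWORK.
# corp and svp are as quoted in the message; adm is an assumption taken
# from the ADM:eth1-10.2.0.1/16 label in the diagram.
HOSTS = [
    ("corp", "eth2", "10.1.0.0/16"),
    ("svp", "eth2", "10.6.0.0/16"),
    ("adm", "eth1", "10.2.0.0/16"),  # assumed from the diagram
]

# Netfilter prints an optional MAC= field between OUT= and SRC= when the
# packet arrived on an interface; the pattern tolerates its presence or absence.
LOG_RE = re.compile(
    r"Shorewall:(?P<chain>\w+):(?P<action>[A-Z]+):"
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*)(?: MAC=\S*)? "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
)

# Constructed sample log, modelled on the two lines quoted in the message.
SAMPLE_LOG = [
    "Shorewall:FORWARD:REJECT:IN=eth2 OUT=eth2 SRC=10.1.0.2 DST=10.6.0.252",
    "Shorewall:FORWARD:ACCEPT:IN=eth2 OUT=eth2 SRC=10.1.0.2 DST=10.6.0.252",
    "Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth2 SRC=10.2.0.7 DST=10.6.0.252",
    "kernel: unrelated line that the parser must skip",
]


def zone_of(ip, iface, hosts=HOSTS):
    """Return the zone whose (interface, network) contains ip, else 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for zone, zif, net in hosts:
        if zif == iface and addr in ipaddress.ip_network(net):
            return zone
    return "unknown"


def triage(line, hosts=HOSTS):
    """Parse one Shorewall log line into chain/action/zone pair/hairpin flag."""
    m = LOG_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    return {
        "chain": f["chain"],
        "action": f["action"],
        "src_zone": zone_of(f["src"], f["in"], hosts),
        "dst_zone": zone_of(f["dst"], f["out"], hosts),
        # Same ingress and egress interface: traffic is being routed back out
        # the interface it came in on, which is exactly the case in the message.
        "hairpin": f["in"] == f["out"],
    }


def summarize(lines, hosts=HOSTS):
    """Count log lines per (action, src_zone, dst_zone, hairpin) tuple."""
    counts = Counter()
    for line in lines:
        t = triage(line, hosts)
        if t is not None:
            counts[(t["action"], t["src_zone"], t["dst_zone"], t["hairpin"])] += 1
    return counts


def rejected_zone_pairs(lines, hosts=HOSTS):
    """Distinct (src_zone, dst_zone) pairs that were REJECTed in FORWARD."""
    pairs = set()
    for line in lines:
        t = triage(line, hosts)
        if t is not None and t["chain"] == "FORWARD" and t["action"] == "REJECT":
            pairs.add((t["src_zone"], t["dst_zone"]))
    return sorted(pairs)


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(n, key)
    print("rejected zone pairs:", rejected_zone_pairs(SAMPLE_LOG))
```

The useful output is the zone pair list: the message's REJECT line maps to (corp, svp) with hairpin set, so whatever policy or rule is meant to cover corp-to-svp traffic on eth2 is the one to check, rather than widening every other pair to ACCEPT.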