Hello, I don't fully understand the concept of zones vs multiple subnets. When do you use different zones and when do you simply add multiple subnets to the same interface? Or is it that you have to do both or none?

My setup is as follows: I am using a vpn/firewall connected to the Internet. This vpn server will accept incoming vpn connections for 192.168.5.0/24. On the internal or local interface of the vpn server I have a Bering box with Shorewall. The net interface for Shorewall and the local interface for the vpn server is 192.168.1.0/24.

How does the Shorewall net interface need to be set up to accept connections from the vpn server? It will see both 192.168.5.0/24 and whatever else comes through at that interface. Does a new zone need to be created? What is the setup?

I have gone through the documentation as well as the list but have missed the answer. Any suggestions would be appreciated. TIA
On Sun, 26 Oct 2003, ALParada wrote:

> I don't fully understand the concept of zones vs multiple subnets. When
> do you use different zones and when do you simply add multiple subnets
> to the same interface. Or is it that you have to do both or none? My
> setup is as follows:

a) If all traffic to/from a given interface is to be treated the same, use one zone.

b) If a subset of the hosts that connect through an interface have substantially different firewalling requirements than the others then it makes sense to make that subset its own zone. Just remember to define the subzone before the superzone in /etc/shorewall/zones.

> I am using a vpn/firewall connected to the Internet This vpn server will
> accept incoming vpn connections for 192.168.5.0/24. On the internal or
> local interface of the vpn server I have a Bering box with Shorewall.
> The net interface for Shorewall and the local interface for the vpn
> server is 192.168.1.0/24. How does the Shorewall net interface need to
> be set up to accept connections from the vpn server?

There is no requirement to do *anything* in Shorewall. You must set up your routing correctly on the Firewall to route VPN traffic through the VPN server.

> It will see both 192.168.5.0/24 and whatever else comes through at that
> interface.

You have one of those amazing computers with eyes (that can "see")?

> Does a new zone need to be created?

No.

> What is the setup?

We don't have enough information to advise you since you haven't told us what the firewalling requirements are.

> I have gone through the documentation as well as the list but have
> missed the answer.

That's because there is no "one size fits all" answer.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
Sent: Sunday, October 26, 2003 7:27 PM
Subject: Re: [Shorewall-users] multiple interfaces

> On Sun, 26 Oct 2003, ALParada wrote:
>
> > I don't fully understand the concept of zones vs multiple subnets. When
> > do you use different zones and when do you simply add multiple subnets
> > to the same interface. Or is it that you have to do both or none? My
> > setup is as follows:
>
> a) If all traffic to/from a given interface is to be treated the same, use
> one zone.
>
> b) If a subset of the hosts that connect through an interface have
> substantially different firewalling requirements than the others then it
> makes sense to make that subset its own zone. Just remember to define the
> subzone before the superzone in /etc/shorewall/zones.
>
> > I am using a vpn/firewall connected to the Internet This vpn server will
> > accept incoming vpn connections for 192.168.5.0/24. On the internal or
> > local interface of the vpn server I have a Bering box with Shorewall.
> > The net interface for Shorewall and the local interface for the vpn
> > server is 192.168.1.0/24. How does the Shorewall net interface need to
> > be set up to accept connections from the vpn server?
>
> There is no requirement to do *anything* in Shorewall. You must set up
> your routing correctly on the Firewall to route VPN traffic through the
> VPN server.

What I meant to say was: Should a separate zone be set up for vpn users? The routing at the vpn server is not an issue nor are the rules at Shorewall.

> > It will see both 192.168.5.0/24 and whatever else comes through at that
> > interface.
>
> You have one of those amazing computers with eyes (that can "see")?

I have a new prototype xray computer. Haven't you heard of it? :-)

> > Does a new zone need to be created?
>
> No.

Are you saying I can set up something like this:

ACCEPT net:192.168.5.0 loc all

and be done with it?

> > What is the setup?
>
> We don't have enough information to advise you since you haven't told us
> what the firewalling requirements are.
>
> > I have gone through the documentation as well as the list but have
> > missed the answer.
>
> That's because there is no "one size fits all" answer.
>
> -Tom
On Sun, 26 Oct 2003, ALParada wrote:

> What I meant to say was: Should a separate zone be set up for vpn users?
> The routing at the vpn server is not an issue nor are the rules at
> Shorewall.

The only reason for having more than one zone in ANY Shorewall configuration is to make the rules easier to write. If the rules aren't an issue then there is NO issue that can cause you to create a vpn zone.

> > > It will see both 192.168.5.0/24 and whatever else comes through at
> > > that interface.
> >
> > You have one of those amazing computers with eyes (that can "see")?
>
> I have a new prototype xray computer. Haven't you heard of it? :-)
>
> > > Does a new zone need to be created?
> >
> > No.
>
> Are you saying I can set up something like this:
>
> ACCEPT net:192.168.5.0 loc all
>
> and be done with it?

Yes, only I think you want "192.168.5.0/24" and you probably want to accept traffic initiated in the other direction as well.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
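The two approaches Tom describes (one net zone with address-based rules, or a vpn subzone defined before its superzone), written out as an added example that is not from the thread or from the Shorewall project. It assumes the 2003-era Shorewall 1.4 three-column file layouts and that eth0 is the Bering box's net interface and eth1 its loc interface; the 192.168.5.0/24 subnet and the ACCEPT rule Tom confirmed come from the thread.

```text
# ---- Option (a): keep one net zone; the rules pick out the VPN subnet ----
# /etc/shorewall/rules
#ACTION   SOURCE                DEST                  PROTO   DEST PORT(S)
# Tom's corrected rule (note the /24 mask) plus the reverse direction.
ACCEPT    net:192.168.5.0/24    loc                   all
ACCEPT    loc                   net:192.168.5.0/24    all
# Anything else arriving on eth0 still falls through to the net->loc
# policy (DROP in the usual sample config), so only the VPN subnet is open.

# ---- Option (b): a vpn subzone, only worth it if its rules differ a lot ----
# /etc/shorewall/zones   (the subzone vpn MUST be listed before net)
#ZONE   DISPLAY   COMMENTS
vpn     VPN       Hosts reached through the VPN server
net     Net       Internet
loc     Local     Local network

# /etc/shorewall/interfaces   (eth0 assumed to be the net interface)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     eth1        detect

# /etc/shorewall/hosts   (carves 192.168.5.0/24 out of eth0 into zone vpn)
#ZONE   HOST(S)                 OPTIONS
vpn     eth0:192.168.5.0/24

# /etc/shorewall/policy   (first match wins; vpn gets its own policies,
# the rest of eth0 stays closed as net)
#SOURCE   DEST   POLICY   LOG LEVEL
vpn       loc    ACCEPT
loc       vpn    ACCEPT
loc       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info
```

With option (b) a packet from 192.168.5.0/24 on eth0 is classified as vpn because that zone is checked before net, which is exactly why the ordering in /etc/shorewall/zones matters.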