Ama Kalu
2003-Nov-21 09:15 UTC
[Shorewall-users] How to Deny NET traffic and permit WAN traffic
Dear All,
I have a WAN I want to secure with shorewall. It has the following topology:
Six subnets 192.168.x.0/24 where x is 2, 3, 4, 5, 6, 7; each subnet has the
gateway 192.168.x.1 on its local interface eth1.
On the outbound interface of each subnet respectively 172.16.172.2/29,
172.16.172.10/29, 172.16.172.18/29, 172.16.172.26/29, 172.16.172.34/29,
172.16.172.42/29. Each protected by a dual interface Shorewall installation.
All subnets interconnect and reach the net through a gateway on another subnet
192.168.8.2/30. This subnet has a 3 interface shorewall installation according
to the following diagram.
(Subnets 192.168.x.0, x=1, 2, 3, 4, 5, 6)
subnet subnet subnet subnet subnet subnet
|2 |3 |4 |5 |6 |7
| | | | | |
| | | | | |
[+] [+] [+] [+] [+] [+]
/// /// /// /// /// ///
| | | | | |
+---------+---------+---[+]---+---------+---------+
|
|192.168.8.1
|
|
|
|
|loc (eth1:192.168.8.2)
|
[+]--------------DMZ (eth2:192.168.9.0)
|
/////
|
|
net (eth0:xxx.xxx.xxx.xxx)
My aim is to allow all packets from all subnets to all other subnets unhindered.
To this end I have defined a zone called WAN in each subnet that contains all
hosts not in that location. It all works but this is what I don't understand.
1. In the rules file of each subnet:
This FAILS to allow the desired traffic
ACCEPT wan loc tcp ports...
ACCEPT wan loc udp ports...
This WORKS to allow the desired traffic
ACCEPT net:subnet1,subnet2... loc tcp ports...
ACCEPT net:subnet1,subnet2... loc udp ports...
Why does the first fail, am I doing something wrong?
2. Is there a better scheme to accomplish or OPTIMIZE this kind of setting?
3. Your site says you use ProxyARP and I have read posts where you recommend it;
are there any security issues I should be aware of?
Thank you for your time, and thanks for all the work you have put into
Shorewall. The flexibility is legendary.
Ama
P.S.
Once again a thousand apologies Tom. I have also condensed the earlier mail and
made it clearer with the drawing. I hope it comes out well.
Tom Eastep
2003-Nov-21 10:18 UTC
[Shorewall-users] How to Deny NET traffic and permit WAN traffic
My answers depend on information sent to me privately.

On Fri, 2003-11-21 at 09:15, Ama Kalu wrote:
> 1. In the rules file of each subnet:
>
> This FAILS to allow the desired traffic
>
> ACCEPT wan loc tcp ports...
> ACCEPT wan loc udp ports...
>
> This WORKS to allow the desired traffic
>
> ACCEPT net:subnet1,subnet2... loc tcp ports...
> ACCEPT net:subnet1,subnet2... loc udp ports...
>
> Why does the first fail, am I doing something wrong?

Yes -- you have 'net' defined before 'wan' in the /etc/shorewall/zones file yet you are trying to make 'wan' a subzone of 'net'. See http://shorewall.net/Multiple_Zones.html.

> 2. Is there a better scheme to accomplish or OPTIMIZE this kind of setting?

Yes -- you are overspecifying the zones terribly. Most of the /etc/shorewall/hosts entries appear to be completely unnecessary given that this is a private network. You don't show the /etc/shorewall/interfaces file -- hopefully it has "-" in the ZONE column for all entries.

> 3. Your site says you use ProxyARP and I have read posts where you recommend it;
> are there any security issues I should be aware of?

Not that I'm aware of.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
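Tom's zone-ordering point, as an added illustration (not from this thread or from the Shorewall project): a minimal set of Shorewall 1.4-style configuration files for the firewall in front of 192.168.2.0/24, with 'wan' listed before 'net' so it can be a subzone of 'net', and eth0 left with "-" in the interfaces file so both zones on it come from the hosts file. The interface names, the list of remote subnets, and the ports 22/80/53 are assumptions, not values from the thread.

```text
# /etc/shorewall/zones -- order matters: the subzone must precede its parent
#ZONE   DISPLAY   COMMENTS
wan     WAN       Other protected subnets (subzone of net, so listed first)
net     Net       Everything else reachable through eth0
loc     Local     192.168.2.0/24 behind eth1

# /etc/shorewall/interfaces -- "-" means eth0's zones are defined in hosts
#ZONE   INTERFACE   BROADCAST   OPTIONS
-       eth0        detect
loc     eth1        detect

# /etc/shorewall/hosts -- one entry per remote subnet (assumed list)
#ZONE   HOST(S)                 OPTIONS
wan     eth0:192.168.3.0/24
wan     eth0:192.168.4.0/24
wan     eth0:192.168.5.0/24
wan     eth0:192.168.6.0/24
wan     eth0:192.168.7.0/24
wan     eth0:192.168.8.0/30
net     eth0:0.0.0.0/0

# /etc/shorewall/policy -- default-deny from net; wan opened only by rules
#SOURCE   DEST   POLICY   LOG LEVEL
loc       wan    ACCEPT
loc       net    ACCEPT
wan       loc    DROP     info
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules -- now matches the wan subzone, not the whole net zone
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT    wan      loc    tcp     22,80
ACCEPT    wan      loc    udp     53
```

With 'net' listed before 'wan', a packet from 192.168.3.0/24 would be classified as 'net' first and the 'wan loc' rules would never match, which is why only the 'net:subnet1,subnet2...' form worked in the original layout.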