On Fri, 2004-12-10 at 22:07 +0100, newsnews@swissonline.ch wrote:

> I have no idea how to define the hosts file for a parallel zone if the
> second zone (net) should be the composition of the first zone (dmz).

I think you mean "complement" rather than "composition".

> I tried all the following combinations in the interfaces and hosts files:
>
> interfaces:
> - eth0 -                                  (variant 1)
> - eth0 192.168.0.255,255,255,255,255      (variant 2)
> - eth0 192.168.0.255,!192.168.0.255       (variant 3)
>
> hosts:
> dmz   eth0:192.168.0.0/24    maclist
> net   eth0:0.0.0.0/0         norfc1918    (variant 1)
> net   eth0:!192.168.0.0/24   norfc1918    (variant 2)
> net   !eth0:192.168.0.0/24   norfc1918    (variant 3)

/etc/shorewall/zones: THE ORDER IS IMPORTANT!!!!!!!!!!!!!!

dmz     DMZ             The DMZ
net     Internet        The big bad Internet

/etc/shorewall/interfaces:

net     eth0    detect  ...

/etc/shorewall/hosts:

dmz     eth0:192.168.0.0/24     ...

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Fri, 2004-12-10 at 22:42 +0100, newsnews@swissonline.ch wrote:

> Tom Eastep wrote:
> > On Fri, 2004-12-10 at 22:07 +0100, newsnews@swissonline.ch wrote:
> >
> >> I have no idea how to define the hosts file for a parallel zone if the
> >> second zone (net) should be the composition of the first zone (dmz).
> >
> > I think you mean "complement" rather than "composition".
>
> as a non-native English OO programmer ...
>
> > /etc/shorewall/zones: THE ORDER IS IMPORTANT!!!!!!!!!!!!!!
> >
> > dmz     DMZ             The DMZ
> > net     Internet        The big bad Internet
> >
> > /etc/shorewall/interfaces:
> >
> > net     eth0    detect  ...
> >
> > /etc/shorewall/hosts:
> >
> > dmz     eth0:192.168.0.0/24     ...
>
> but I want the complement and not dmz as a part of net.

So long as you don't use CONTINUE policies or rules, that's what the
above will do.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
I have no idea how to define the hosts file for a parallel zone if the second zone (net) should be the composition of the first zone (dmz).

I tried all the following combinations in the interfaces and hosts files:

interfaces:
- eth0 -                                  (variant 1)
- eth0 192.168.0.255,255,255,255,255      (variant 2)
- eth0 192.168.0.255,!192.168.0.255       (variant 3)

hosts:
dmz   eth0:192.168.0.0/24    maclist
net   eth0:0.0.0.0/0         norfc1918    (variant 1)
net   eth0:!192.168.0.0/24   norfc1918    (variant 2)
net   !eth0:192.168.0.0/24   norfc1918    (variant 3)

The documentation says that it is possible to build the composition of an interface (!eth0), a network (!192.168.0.0) and ...

If I use variant 1 or 2 in interfaces and variant 1 in hosts there are no configuration problems, but dmz will also be part of net. Variant 3 in interfaces and variants 2 and 3 in hosts don't work (configuration problem). I see in the trace that a "!" is not split off from the interface, network, ... for iptables.

I know FAQ 14, which is not the solution for my problem, but a solution for my problem would also be a solution for FAQ 14.

Now how can I define net as the composition of dmz?

I use version 2.0.10 and it runs on Debian.
On Fri, 2004-12-10 at 22:55 +0100, newsnews@swissonline.ch wrote:

> Tom Eastep wrote:
> >> but I want the complement and not dmz as a part of net.
> >
> > So long as you don't use CONTINUE policies or rules, that's what the
> > above will do.
>
> but I don't use CONTINUE policies or rules. But I also have two
> additional simple zones and interfaces without interaction with eth0 or
> net, dmz. Can this be the problem?

What problem are you having?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Fri, 2004-12-10 at 13:20 -0800, Tom Eastep wrote:

> On Fri, 2004-12-10 at 22:55 +0100, newsnews@swissonline.ch wrote:
> > Tom Eastep wrote:
> > >> but I want the complement and not dmz as a part of net.
> > >
> > > So long as you don't use CONTINUE policies or rules, that's what the
> > > above will do.
> >
> > but I don't use CONTINUE policies or rules. But I also have two
> > additional simple zones and interfaces without interaction with eth0 or
> > net, dmz. Can this be the problem?
>
> What problem are you having?

Or did you mean "can this be *a* problem?" -- if so, the answer is no;
that will not be a problem.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
newsnews@swissonline.ch
2004-Dec-10 21:42 UTC
Re: parallel zone: loc2 is composition of loc1
Tom Eastep wrote:
> On Fri, 2004-12-10 at 22:07 +0100, newsnews@swissonline.ch wrote:
>
>> I have no idea how to define the hosts file for a parallel zone if the
>> second zone (net) should be the composition of the first zone (dmz).
>
> I think you mean "complement" rather than "composition".

as a non-native English OO programmer ...

> /etc/shorewall/zones: THE ORDER IS IMPORTANT!!!!!!!!!!!!!!
>
> dmz     DMZ             The DMZ
> net     Internet        The big bad Internet
>
> /etc/shorewall/interfaces:
>
> net     eth0    detect  ...
>
> /etc/shorewall/hosts:
>
> dmz     eth0:192.168.0.0/24     ...

but I want the complement and not dmz as a part of net.

If I add the option norfc1918 to net in interfaces and nothing for dmz in hosts, and then ping the fw from a dmz computer, I get rfc1918 drops instead of all2all rejects, which is my default (all all REJECT). FAQ 14 says how to resolve this, but I want dmz and net split. Is this possible?

-- 
apri
On Fri, 2004-12-10 at 23:21 +0100, newsnews@swissonline.ch wrote:

> Tom Eastep wrote:
> > On Fri, 2004-12-10 at 22:55 +0100, newsnews@swissonline.ch wrote:
> >
> >> Tom Eastep wrote:
> >>
> >>>> but I want the complement and not dmz as a part of net.
> >>>
> >>> So long as you don't use CONTINUE policies or rules, that's what the
> >>> above will do.
> >>
> >> but I don't use CONTINUE policies or rules. But I also have two
> >> additional simple zones and interfaces without interaction with eth0 or
> >> net, dmz. Can this be the problem?
> >
> > What problem are you having?
>
> If I ping the fw from a dmz computer I get rfc1918 drops instead of
> all2all rejects. This indicates to me that dmz and net are not independent
> as you said. In the interfaces file I gave net the option norfc1918; in
> the hosts file I gave dmz NO option norfc1918, only maclist!!!

A) If you place 'norfc1918' on the interface, it means that all traffic
from the interface will be screened. It has nothing to do with the
definition of the zone mentioned in the ZONE column! So if you want to
put 'norfc1918' in the interfaces file, then you must:

1) Copy /usr/share/shorewall/rfc1918 to /etc/shorewall
2) Modify /etc/shorewall/rfc1918 to exclude 192.168.0.0/24.

B) The documentation clearly states that in the /etc/shorewall/hosts
file, 'norfc1918' only makes sense if the HOST(S) entry specifies a
bridge port.

Put another way, 'rfc1918' is an attribute of a network interface and
not a zone; it does not help define a zone in any way.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
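The distinction Tom draws in the message above, that 'norfc1918' is an interface attribute applied before any zone is consulted while zone membership comes from the ordered zones/hosts/interfaces definitions, can be made concrete with a small model. The following Python is an added example written for this archive page; it is not code from the thread and not Shorewall's own implementation. The rfc1918 table rows, the first-match-wins reading of that table, the RETURN/logdrop targets and the "all2all REJECT" policy are assumptions of the model and are constructed here, not copied from any Shorewall release.

```python
"""Toy model of Shorewall 2.x inbound packet classification.

Added illustration for the thread, not Shorewall's code. It separates the
two mechanisms the reply distinguishes:

  1. Zone membership: a packet belongs to the FIRST zone in the zones
     file whose hosts or interfaces definition matches its (interface,
     source address). "dmz eth0:192.168.0.0/24" in hosts plus "net eth0"
     in interfaces therefore makes net the complement of dmz on eth0,
     but only if dmz is listed before net.
  2. 'norfc1918' screening: an attribute of the interface, applied to
     everything arriving on it before any zone is consulted, driven by
     the rfc1918 table.

Model assumptions (not taken from the thread or from Shorewall): the
rfc1918 table is read top-down with first match winning; TARGET 'RETURN'
lets the packet continue to zone processing and 'logdrop' drops it; the
policy table is the poster's "all2all REJECT". Table rows are constructed.
"""
from ipaddress import ip_address, ip_network

ZONES = ["dmz", "net"]                       # /etc/shorewall/zones (order matters)
INTERFACES = {                               # /etc/shorewall/interfaces
    "eth0": {"zone": "net", "options": {"norfc1918"}},
}
HOSTS = [                                    # /etc/shorewall/hosts
    ("dmz", "eth0", ip_network("192.168.0.0/24")),
]
POLICY = {"dmz": "REJECT", "net": "REJECT"}  # all2all reject (poster's default)

# rfc1918 table as shipped (constructed here): every RFC 1918 source is dropped.
RFC1918_DEFAULT = [
    (ip_network("10.0.0.0/8"), "logdrop"),
    (ip_network("172.16.0.0/12"), "logdrop"),
    (ip_network("192.168.0.0/16"), "logdrop"),
]
# The suggested fix: a copy in /etc/shorewall with the DMZ subnet excluded
# ahead of the /16 row it would otherwise fall into.
RFC1918_FIXED = [(ip_network("192.168.0.0/24"), "RETURN")] + RFC1918_DEFAULT


def rfc1918_screen(iface, src, table):
    """Interface-level check. Returns None if the packet may continue to
    zone processing, otherwise the TARGET of the first matching row.
    Runs only when the interface carries the 'norfc1918' option; the zone
    the source would land in plays no part here."""
    if "norfc1918" not in INTERFACES.get(iface, {}).get("options", ()):
        return None
    src = ip_address(src)
    for net, target in table:
        if src in net:
            return None if target == "RETURN" else target
    return None


def zone_of(iface, src, zones=ZONES):
    """First zone, in zones-file order, matched by a hosts entry or by the
    interface's own zone. Listing net before dmz would swallow the DMZ."""
    src = ip_address(src)
    for zone in zones:
        if any(z == zone and i == iface and src in net for z, i, net in HOSTS):
            return zone
        if INTERFACES.get(iface, {}).get("zone") == zone:
            return zone
    return None


def classify(iface, src, table=RFC1918_FIXED):
    """Screen first, then zone, then policy: ('rfc1918', target) when the
    interface screen drops the packet, else (zone, policy action)."""
    verdict = rfc1918_screen(iface, src, table)
    if verdict is not None:
        return ("rfc1918", verdict)
    zone = zone_of(iface, src)
    return (zone, POLICY.get(zone, "DROP"))


if __name__ == "__main__":
    # The poster's symptom: a ping from the DMZ to the firewall with the
    # shipped table is an rfc1918 drop, not an all2all reject.
    print(classify("eth0", "192.168.0.5", RFC1918_DEFAULT))   # ('rfc1918', 'logdrop')
    # With the exclusion in place the same packet reaches the dmz zone.
    print(classify("eth0", "192.168.0.5"))                    # ('dmz', 'REJECT')
    print(classify("eth0", "203.0.113.7"))                    # ('net', 'REJECT')
    print(classify("eth0", "10.1.2.3"))                       # ('rfc1918', 'logdrop')
```

Two things the model makes visible that the prose alone does not: the same packet from 192.168.0.5 produces an rfc1918 drop or an all2all reject depending only on the rfc1918 table, with the zone definitions untouched; and swapping the order of ZONES to ["net", "dmz"] routes every eth0 source into net, which is why the zones file ordering is stressed.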
newsnews@swissonline.ch
2004-Dec-10 21:55 UTC
Re: parallel zone: loc2 is composition of loc1
Tom Eastep wrote:
> On Fri, 2004-12-10 at 22:42 +0100, newsnews@swissonline.ch wrote:
>
>> Tom Eastep wrote:
>>
>>> /etc/shorewall/zones: THE ORDER IS IMPORTANT!!!!!!!!!!!!!!
>>>
>>> dmz     DMZ             The DMZ
>>> net     Internet        The big bad Internet
>>>
>>> /etc/shorewall/interfaces:
>>>
>>> net     eth0    detect  ...
>>>
>>> /etc/shorewall/hosts:
>>>
>>> dmz     eth0:192.168.0.0/24     ...
>>
>> but I want the complement and not dmz as a part of net.
>
> So long as you don't use CONTINUE policies or rules, that's what the
> above will do.

but I don't use CONTINUE policies or rules. But I also have two additional simple zones and interfaces without interaction with eth0 or net, dmz. Can this be the problem?
newsnews@swissonline.ch
2004-Dec-10 22:21 UTC
Re: parallel zone: loc2 is composition of loc1
Tom Eastep wrote:
> On Fri, 2004-12-10 at 22:55 +0100, newsnews@swissonline.ch wrote:
>
>> Tom Eastep wrote:
>>
>>>> but I want the complement and not dmz as a part of net.
>>>
>>> So long as you don't use CONTINUE policies or rules, that's what the
>>> above will do.
>>
>> but I don't use CONTINUE policies or rules. But I also have two
>> additional simple zones and interfaces without interaction with eth0 or
>> net, dmz. Can this be the problem?
>
> What problem are you having?

If I ping the fw from a dmz computer I get rfc1918 drops instead of all2all rejects. This indicates to me that dmz and net are not independent as you said. In the interfaces file I gave net the option norfc1918; in the hosts file I gave dmz NO option norfc1918, only maclist!!!
newsnews@swissonline.ch
2004-Dec-10 22:56 UTC
Re: parallel zone: loc2 is composition of loc1
Tom Eastep wrote:
> On Fri, 2004-12-10 at 23:21 +0100, newsnews@swissonline.ch wrote:
>
>> Tom Eastep wrote:
>>
>>> On Fri, 2004-12-10 at 22:55 +0100, newsnews@swissonline.ch wrote:
>>>
>>>> Tom Eastep wrote:
>>>>
>>>>>> but I want the complement and not dmz as a part of net.
>>>>>
>>>>> So long as you don't use CONTINUE policies or rules, that's what the
>>>>> above will do.
>>>>
>>>> but I don't use CONTINUE policies or rules. But I also have two
>>>> additional simple zones and interfaces without interaction with eth0 or
>>>> net, dmz. Can this be the problem?
>>>
>>> What problem are you having?
>>
>> If I ping the fw from a dmz computer I get rfc1918 drops instead of
>> all2all rejects. This indicates to me that dmz and net are not independent
>> as you said. In the interfaces file I gave net the option norfc1918; in
>> the hosts file I gave dmz NO option norfc1918, only maclist!!!
>
> A) If you place 'norfc1918' on the interface, it means that all traffic
> from the interface will be screened. It has nothing to do with the
> definition of the zone mentioned in the ZONE column! So if you want to
> put 'norfc1918' in the interfaces file, then you must:
>
> 1) Copy /usr/share/shorewall/rfc1918 to /etc/shorewall
> 2) Modify /etc/shorewall/rfc1918 to exclude 192.168.0.0/24.
>
> B) The documentation clearly states that in the /etc/shorewall/hosts
> file, 'norfc1918' only makes sense if the HOST(S) entry specifies a
> bridge port.
>
> Put another way, 'rfc1918' is an attribute of a network interface and
> not a zone; it does not help define a zone in any way.
>
> -Tom

Thank you for the replies. I was thinking in this direction but I couldn't believe it till now.

-- 
apri