Hello everybody:

Here is my "network layout":

        ISP1         ISP2
          |            |
          |            |
   +-----eth0---------eth1------+
   |                            |
   |          FC 3 box          |
   |                            |
   +-----eth2---------eth3------+
          |            |
          |            |
  LAN with ISP1's   LAN with ISP2's
  IP addr. range    IP addr. range

That's it :-).

Every packet from eth2 should go to ISP1 via eth0 and the same is
for eth3-eth1 pair. Very simple. My question is: when I'm trying
to define rules for packets arriving to fw itself from ISP1 or ISP2,
what should I write as "fw" in /etc/shorewall/rules file?

Say, I'd like to accept all packets to fw's port 80 which are coming
from ISP1 and the same I'd like for eth1. What is the meaning of "fw"
in that case? Since there are two IPs which point to outside, which
one of them will be "fw"? Or both? I can't understand...

Thanks a lot. Sorry if my question is too dumb... :-)

-- 
MNV-UANIC/RIPE
Nick Mashchenko wrote:
> Hello everybody:
>
> Here is my "network layout":
>
>         ISP1         ISP2
>           |            |
>           |            |
>    +-----eth0---------eth1------+
>    |                            |
>    |          FC 3 box          |
>    |                            |
>    +-----eth2---------eth3------+
>           |            |
>           |            |
>   LAN with ISP1's   LAN with ISP2's
>   IP addr. range    IP addr. range
>
> That's it :-).
>
> Every packet from eth2 should go to ISP1 via eth0 and the same is
> for eth3-eth1 pair. Very simple. My question is: when I'm trying
> to define rules for packets arriving to fw itself from ISP1 or ISP2,
> what should I write as "fw" in /etc/shorewall/rules file?

It depends on how you define zones relative to eth0 and eth1. If you
define zone 'net' to include both interfaces then rules that accept
traffic from 'net' to 'fw' apply to both interfaces. If you want it to
apply to only one interface then you must qualify 'fw' with the IP
address of that interface (e.g., "fw:<ip of eth0>"). If you make ISP1
and ISP2 separate zones (net1 and net2) then rules that accept traffic
from 'net1' to 'fw' clearly apply only to ISP1.

-Tom
-- 
Tom Eastep    \ Off-list replies are cheerfully ignored
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Nick Mashchenko
2005-Mar-01 17:13 UTC
Re[2]: Simple question about zones (haven't found in FAQ)
Hello, Tom.

>> Here is my "network layout":
>>
>>         ISP1         ISP2
>>           |            |
>>           | 1.1.1.1    | 3.3.3.3
>>    +-----eth0---------eth1------+
>>    |                            |
>>    |          FC 3 box          |
>>    |                            |
>>    +-----eth2---------eth3------+
>>           | 2.2.2.2/28 | 4.4.4.4/28
>>           |            |
>>   LAN with ISP1's   LAN with ISP2's
>>   IP addr. range    IP addr. range
>>
>> That's it :-).
>>
>> Every packet from eth2 should go to ISP1 via eth0 and the same is
>> for eth3-eth1 pair. Very simple. My question is: when I'm trying
>> to define rules for packets arriving to fw itself from ISP1 or ISP2,
>> what should I write as "fw" in /etc/shorewall/rules file?

> It depends on how you define zones relative to eth0 and eth1. If you
> define zone 'net' to include both interfaces

No. Separate zones for each of eth0 and eth1.

> then rules that accept traffic from 'net' to 'fw' apply to both
> interfaces. If you want it to apply to only one interface then you
> must qualify 'fw' with the IP address of that interface
> (e.g., "fw:<ip of eth0>).

> If you make ISP1 and ISP2 separate zones (net1 and net2) then rules that
> accept traffic from 'net1' to 'fw' clearly apply only to ISP1.

I defined zones net1 for ISP1 and net2 for ISP2. Let us think that
ISP1 gave me IP of 1.1.1.1 and I've attached it to eth0. Also they
gave me network of 2.2.2.2/28 and that network is on eth2. ISP2
gave me IP of 3.3.3.3 and that IP is on eth1, network 4.4.4.4/28
is on eth3. Now I'd like to do like that:

ACCEPT net1 fw1 tcp http   # Here zone "fw1" means 1.1.1.1,
ACCEPT net2 fw2 tcp http   # and zone "fw2" means 3.3.3.3.

Is it right, that to realize the above I've to define zones as
fw1:1.1.1.1 and fw2:3.3.3.3?
If yes, what file in /etc/shorewall should I use?

Maybe, this section in shorewall.conf?

# NAME OF THE FIREWALL ZONE
#
# Name of the firewall zone -- if not set or if set to an empty string, "fw"
# is assumed.
#
FW=fw

Or, maybe, /etc/shorewall/zones:

fw1:1.1.1.1 fw1-net1 ISP1
fw2:3.3.3.3 fw2-net2 ISP2

I can't understand what exactly should I write (and where).

Thanks a lot.

-- 
MNV-UANIC/RIPE
Karsten Bräckelmann
2005-Mar-01 20:47 UTC
Re: Re[2]: Simple question about zones (haven't found in FAQ)
> >> Here is my "network layout":
> >>
> >>         ISP1         ISP2
> >>           |            |
> >>           | 1.1.1.1    | 3.3.3.3
> >>    +-----eth0---------eth1------+
> >>    |                            |
> >>    |          FC 3 box          |
> >>    |                            |
> >>    +-----eth2---------eth3------+
> >>           | 2.2.2.2/28 | 4.4.4.4/28
> >>           |            |
> >>   LAN with ISP1's   LAN with ISP2's
> >>   IP addr. range    IP addr. range
> >>
> >> That's it :-).
> >>
> >> Every packet from eth2 should go to ISP1 via eth0 and the same is
> >> for eth3-eth1 pair. Very simple. My question is: when I'm trying
> >> to define rules for packets arriving to fw itself from ISP1 or ISP2,
> >> what should I write as "fw" in /etc/shorewall/rules file?

ACCEPT net1 fw tcp http

This will ACCEPT http connections hitting your firewall coming in by
ISP1. This does NOT allow http connections by the ISP2 line...

> > It depends on how you define zones relative to eth0 and eth1. If you
> > define zone 'net' to include both interfaces
>
> No. Separate zones for each of eth0 and eth1.
>
> > then rules that accept traffic from 'net' to 'fw' apply to both
> > interfaces. If you want it to apply to only one interface then you
> > must qualify 'fw' with the IP address of that interface
> > (e.g., "fw:<ip of eth0>).
>
> > If you make ISP1 and ISP2 separate zones (net1 and net2) then rules that
> > accept traffic from 'net1' to 'fw' clearly apply only to ISP1.
>
> I defined zones net1 for ISP1 and net2 for ISP2. Let us think that
> ISP1 gave me IP of 1.1.1.1 and I've attached it to eth0. Also they
> gave me network of 2.2.2.2/28 and that network is on eth2. ISP2
> gave me IP of 3.3.3.3 and that IP is on eth1, network 4.4.4.4/28
> is on eth3. Now I'd like to do like that:
>
> ACCEPT net1 fw1 tcp http   # Here zone "fw1" means 1.1.1.1,
> ACCEPT net2 fw2 tcp http   # and zone "fw2" means 3.3.3.3.

If you got official IP ranges for your local machines (like 2.2.2.2/28),
seeing the above example you ain't gonna use em, right? Cause the
example above will accept connections from ISP1 with destination 1.1.1.1
(your firewall). It doesn't even mention the IP range you got assigned
by ISP1.

If you actually want to allow traffic coming from eth0 (ISP1) to access
the servers on your 2.2.2.2/28 range, the above zone fw1 could be named
better and the comment would be wrong...

ACCEPT net1 loc1 tcp http   # allow connections to the bunch of
                            # webservers on 2.2.2.2/28

Which IP addresses will be used for the servers? 1.1.1.1 and 3.3.3.3
only, with all services living on your firewall?

> Is it right, that to realize the above I've to define zones as
> fw1:1.1.1.1 and fw2:3.3.3.3?
> If yes, what file in /etc/shorewall should I use?
>
> Maybe, this section in shorewall.conf?
>
> # NAME OF THE FIREWALL ZONE
> #
> # Name of the firewall zone -- if not set or if set to an empty string, "fw"
> # is assumed.
> #
> FW=fw

No, you very likely don't want to change this. This is your firewall
itself.

> Or, maybe, /etc/shorewall/zones:
>
> fw1:1.1.1.1 fw1-net1 ISP1
> fw2:3.3.3.3 fw2-net2 ISP2
>
> I can't understand what exactly should I write (and where).

That's not the purpose of the zones file, seems like you're mixing this
up with the interfaces file?

Anyway, did you read the QuickStart Guides? This is confusing me... ;)

  karsten

-- 
Davision - Studio for Design / Internet / Multimedia
UNIX / Linux networks and training
Phone 06151/273859  Fax 06151/273862
Nick Mashchenko
2005-Mar-02 09:01 UTC
Re[4]: Simple question about zones (haven't found in FAQ)
Hello:

You wrote on 1 March 2005 at 22:47:56:

>> >> Here is my "network layout":
>> >>
>> >>         ISP1         ISP2
>> >>           |            |
>> >>           | 1.1.1.1    | 3.3.3.3
>> >>    +-----eth0---------eth1------+
>> >>    |                            |
>> >>    |          FC 3 box          |
>> >>    |                            |
>> >>    +-----eth2---------eth3------+
>> >>           | 2.2.2.2/28 | 4.4.4.4/28
>> >>           |            |
>> >>   LAN with ISP1's   LAN with ISP2's
>> >>   IP addr. range    IP addr. range
>> >>
>> >> That's it :-).
>> >>
>> >> Every packet from eth2 should go to ISP1 via eth0 and the same is
>> >> for eth3-eth1 pair. Very simple. My question is: when I'm trying
>> >> to define rules for packets arriving to fw itself from ISP1 or ISP2,
>> >> what should I write as "fw" in /etc/shorewall/rules file?

> ACCEPT net1 fw tcp http

> This will ACCEPT http connections hitting your firewall coming in by
> ISP1. This does NOT allow http connections by the ISP2 line...

>> > It depends on how you define zones relative to eth0 and eth1. If you
>> > define zone 'net' to include both interfaces
>>
>> No. Separate zones for each of eth0 and eth1.
>>
>> > then rules that accept traffic from 'net' to 'fw' apply to both
>> > interfaces. If you want it to apply to only one interface then you
>> > must qualify 'fw' with the IP address of that interface
>> > (e.g., "fw:<ip of eth0>).
>>
>> > If you make ISP1 and ISP2 separate zones (net1 and net2) then rules that
>> > accept traffic from 'net1' to 'fw' clearly apply only to ISP1.
>>
>> I defined zones net1 for ISP1 and net2 for ISP2. Let us think that
>> ISP1 gave me IP of 1.1.1.1 and I've attached it to eth0. Also they
>> gave me network of 2.2.2.2/28 and that network is on eth2. ISP2
>> gave me IP of 3.3.3.3 and that IP is on eth1, network 4.4.4.4/28
>> is on eth3. Now I'd like to do like that:
>>
>> ACCEPT net1 fw1 tcp http   # Here zone "fw1" means 1.1.1.1,
>> ACCEPT net2 fw2 tcp http   # and zone "fw2" means 3.3.3.3.

> If you got official IP ranges for your local machines (like 2.2.2.2/28),
> seeing the above example you ain't gonna use em, right? Cause the
> example above will accept connections from ISP1 with destination 1.1.1.1
> (your firewall). It doesn't even mention the IP range you got assigned
> by ISP1.

> If you actually want to allow traffic coming from eth0 (ISP1) to access
> the servers on your 2.2.2.2/28 range, the above zone fw1 could be named
> better and the comment would be wrong...

> ACCEPT net1 loc1 tcp http   # allow connections to the bunch of
>                             # webservers on 2.2.2.2/28

> Which IP addresses will be used for the servers? 1.1.1.1 and 3.3.3.3
> only, with all services living on your firewall?

Forget about 2.2.2.2/28 and 4.4.4.4/28 :-).

Think that all I want is this:

ACCEPT net1 fw1 tcp http   # Here zone "fw1" means 1.1.1.1,
ACCEPT net2 fw2 tcp http   # and zone "fw2" means 3.3.3.3.

The only thing I want to understand is how to assign zone fw1 to
eth0 and zone fw2 to eth1. That's all :-).

> Anyway, did you read the QuickStart Guides?

Yes :-). BTW, I have used Shorewall since 2000 :-). This means that I've
read FAQ/doc etc several times (including carefully reading today).
Maybe I just didn't find an answer, but it exists somewhere in FAQ/docs...

-- 
MNV-UANIC/RIPE
Nick Mashchenko
2005-Mar-02 09:31 UTC
Re[5]: Simple question about zones (haven't found in FAQ)
Hello:

You wrote on 2 March 2005 at 11:01:49:

> You wrote on 1 March 2005 at 22:47:56:

>>> >> Here is my "network layout":
>>> >>
>>> >>         ISP1         ISP2
>>> >>           |            |
>>> >>           | 1.1.1.1    | 3.3.3.3
>>> >>    +-----eth0---------eth1------+
>>> >>    |                            |
>>> >>    |          FC 3 box          |
>>> >>    |                            |
>>> >>    +-----eth2---------eth3------+
>>> >>           | 2.2.2.2/28 | 4.4.4.4/28
>>> >>           |            |
>>> >>   LAN with ISP1's   LAN with ISP2's
>>> >>   IP addr. range    IP addr. range
>>> >>
>>> >> That's it :-).
>>> >>
>>> >> Every packet from eth2 should go to ISP1 via eth0 and the same is
>>> >> for eth3-eth1 pair. Very simple. My question is: when I'm trying
>>> >> to define rules for packets arriving to fw itself from ISP1 or ISP2,
>>> >> what should I write as "fw" in /etc/shorewall/rules file?

>> ACCEPT net1 fw tcp http

>> This will ACCEPT http connections hitting your firewall coming in by
>> ISP1. This does NOT allow http connections by the ISP2 line...

>>> > It depends on how you define zones relative to eth0 and eth1. If you
>>> > define zone 'net' to include both interfaces
>>>
>>> No. Separate zones for each of eth0 and eth1.
>>>
>>> > then rules that accept traffic from 'net' to 'fw' apply to both
>>> > interfaces. If you want it to apply to only one interface then you
>>> > must qualify 'fw' with the IP address of that interface
>>> > (e.g., "fw:<ip of eth0>).
>>>
>>> > If you make ISP1 and ISP2 separate zones (net1 and net2) then rules that
>>> > accept traffic from 'net1' to 'fw' clearly apply only to ISP1.
>>>
>>> I defined zones net1 for ISP1 and net2 for ISP2. Let us think that
>>> ISP1 gave me IP of 1.1.1.1 and I've attached it to eth0. Also they
>>> gave me network of 2.2.2.2/28 and that network is on eth2. ISP2
>>> gave me IP of 3.3.3.3 and that IP is on eth1, network 4.4.4.4/28
>>> is on eth3. Now I'd like to do like that:
>>>
>>> ACCEPT net1 fw1 tcp http   # Here zone "fw1" means 1.1.1.1,
>>> ACCEPT net2 fw2 tcp http   # and zone "fw2" means 3.3.3.3.

>> If you got official IP ranges for your local machines (like 2.2.2.2/28),
>> seeing the above example you ain't gonna use em, right? Cause the
>> example above will accept connections from ISP1 with destination 1.1.1.1
>> (your firewall). It doesn't even mention the IP range you got assigned
>> by ISP1.

>> If you actually want to allow traffic coming from eth0 (ISP1) to access
>> the servers on your 2.2.2.2/28 range, the above zone fw1 could be named
>> better and the comment would be wrong...

>> ACCEPT net1 loc1 tcp http   # allow connections to the bunch of
>>                             # webservers on 2.2.2.2/28

>> Which IP addresses will be used for the servers? 1.1.1.1 and 3.3.3.3
>> only, with all services living on your firewall?

> Forget about 2.2.2.2/28 and 4.4.4.4/28 :-).

> Think that all I want is this:

> ACCEPT net1 fw1 tcp http   # Here zone "fw1" means 1.1.1.1,
> ACCEPT net2 fw2 tcp http   # and zone "fw2" means 3.3.3.3.

> The only thing I want to understand is how to assign zone fw1 to
> eth0 and zone fw2 to eth1. That's all :-).

>> Anyway, did you read the QuickStart Guides?

> Yes :-). BTW, I have used Shorewall since 2000 :-). This means that I've
> read FAQ/doc etc several times (including carefully reading today).
> Maybe I just didn't find an answer, but it exists somewhere in FAQ/docs...

Probably I should apologize for that post...

I can write this in /etc/shorewall/zones:

fw1 eth0 broadcast <options>
fw2 eth1 broadcast <options>

Then I'll get what I want: two zones assigned to appropriate ifaces.

However, in this case, what does "fw" mean?
Which iface "belongs" to this zone?

-- 
MNV-UANIC/RIPE
Karsten Bräckelmann
2005-Mar-02 13:21 UTC
Re: Re[5]: Simple question about zones (haven't found in FAQ)
[...]

> >> Which IP addresses will be used for the servers? 1.1.1.1 and 3.3.3.3
> >> only, with all services living on your firewall?
>
> Forget about 2.2.2.2/28 and 4.4.4.4/28 :-).
>
> Think that all I want is this:
>
> ACCEPT net1 fw1 tcp http   # Here zone "fw1" means 1.1.1.1,
> ACCEPT net2 fw2 tcp http   # and zone "fw2" means 3.3.3.3.

As 1.1.1.1 is an IP address of your firewall, and therefore already is
part of your firewall zone, you are making this more complicated than it
needs to be.

ACCEPT net1 fw:1.1.1.1 tcp http

This rule will ACCEPT connections from ISP1 (via zone net1) to the IP
1.1.1.1 (yes, your firewall) only.

There is no need to create a zone, which basically is only one of the IP
addresses of your firewall. See the Rules documentation, especially the
part about DEST.

http://shorewall.net/Documentation.htm#Rules

> The only thing I want to understand is how to assign zone fw1 to
> eth0 and zone fw2 to eth1. That's all :-).
>
> >> Anyway, did you read the QuickStart Guides?
>
> Yes :-). BTW, I have used Shorewall since 2000 :-). This means that I've
> read FAQ/doc etc several times (including carefully reading today).
> Maybe I just didn't find an answer, but it exists somewhere in FAQ/docs...
>
> Probably I should apologize for that post...

Well, you should have sent it to the list, rather than to me
personally. ;-)

> I can write this in /etc/shorewall/zones:
>
> fw1 eth0 broadcast <options>
> fw2 eth1 broadcast <options>

No, you can't. This is interfaces syntax, not zones.

http://shorewall.net/Documentation.htm#Interfaces
http://shorewall.net/Documentation.htm#Zones

> Then I'll get what I want: two zones assigned to appropriate ifaces.

Uhm, isn't zone net1 already your interface eth0?

> However, in this case, what does "fw" mean?
> Which iface "belongs" to this zone?

Now you lost me again... I don't have an effin clue, what "fw" as in
"fw1" means to you. You came up with that name. You answer me... ;)

As I mentioned above, I don't think you want zones here anyways. You
want single IPs. So just qualify the proper zone with the IP. The rules
will then match only for those IPs inside the zone, not all IPs of that
zone. (Where "proper zone" in this case means fw, cause it *is* your
firewall, no?)

  karsten

-- 
Davision - Studio for Design / Internet / Multimedia
UNIX / Linux networks and training
Phone 06151/273859  Fax 06151/273862
Karsten Bräckelmann
2005-Mar-02 14:17 UTC
Re: Re[7]: Simple question about zones (haven't found in FAQ)
Please, keep this thread on the mailing list, unless you really want to
talk to me privately.

On Wed, 2005-03-02 at 15:40 +0200, Nick Mashchenko wrote:
> Hello Karsten
>
> You wrote at 02.03.2005, 15:21:
>
> > ACCEPT net1 fw:1.1.1.1 tcp http
>
> > This rule will ACCEPT connections from ISP1 (via zone net1) to the IP
> > 1.1.1.1 (yes, your firewall) only.
>
> > There is no need to create a zone, which basically is only one of the IP
> > addresses of your firewall. See the Rules documentation, especially the
> > part about DEST.
>
> > http://shorewall.net/Documentation.htm#Rules
>
> >> Probably I should apologize for that post...
>
> > Well, you should have sent it to the list, rather than to me
> > personally. ;-)
>
> It was a mistake... :-)
>
> >> I can write this in /etc/shorewall/zones:
> >>
> >> fw1 eth0 broadcast <options>
> >> fw2 eth1 broadcast <options>
>
> > No, you can't. This is interfaces syntax, not zones.
>
> Yes, yes, in "interfaces"... Stupid mis-writing... :-)
> And, btw, 100% bullshit (these two lines above) :-).
>
> > As I mentioned above, I don't think you want zones here anyways. You
> > want single IPs. So just qualify the proper zone with the IP. The rules
> > will then match only for those IPs inside the zone, not all IPs of that
> > zone. (Where "proper zone" in this case means fw, cause it *is* your
> > firewall, no?)
>
> Ok. So, zone "fw" includes all ifaces at the firewall box, right?
> If yes, then:
>
> /etc/shorewall/zones:
> net1 net1 ISP1
> net2 net2 ISP2
>
> /etc/shorewall/interfaces:
> fw eth0 detect
> fw eth1 detect
>
> /etc/shorewall/rules:
> ACCEPT fw:1.1.1.1 tcp http
> ACCEPT fw:2.2.2.2 tcp http
>
> Right?

No. The above isn't even correct syntax. Please, read the links I
mentioned in my previous post *carefully*.

* interfaces: Do not redefine the fw zone. It already is defined by
  default. eth0 is your net1 zone anyway...

* rules: So what don't you like about the rule I mentioned before?

Gotta run, back later...

  karsten

-- 
Davision - Studio for Design / Internet / Multimedia
UNIX / Linux networks and training
Phone 06151/273859  Fax 06151/273862
Nick Mashchenko
2005-Mar-02 14:36 UTC
Re[9]: Simple question about zones (haven't found in FAQ)
Hello Karsten

You wrote at 02.03.2005, 16:17:

> Please, keep this thread on the mailing list, unless you really want to
> talk to me privately.

> On Wed, 2005-03-02 at 15:40 +0200, Nick Mashchenko wrote:
>> Hello Karsten
>>
>> You wrote at 02.03.2005, 15:21:
>>
>> > ACCEPT net1 fw:1.1.1.1 tcp http
>>
>> > This rule will ACCEPT connections from ISP1 (via zone net1) to the IP
>> > 1.1.1.1 (yes, your firewall) only.
>>
>> > There is no need to create a zone, which basically is only one of the IP
>> > addresses of your firewall. See the Rules documentation, especially the
>> > part about DEST.
>>
>> > http://shorewall.net/Documentation.htm#Rules
>>
>> >> Probably I should apologize for that post...
>>
>> > Well, you should have sent it to the list, rather than to me
>> > personally. ;-)
>>
>> It was a mistake... :-)
>>
>> >> I can write this in /etc/shorewall/zones:
>> >>
>> >> fw1 eth0 broadcast <options>
>> >> fw2 eth1 broadcast <options>
>>
>> > No, you can't. This is interfaces syntax, not zones.
>>
>> Yes, yes, in "interfaces"... Stupid mis-writing... :-)
>> And, btw, 100% bullshit (these two lines above) :-).
>>
>> > As I mentioned above, I don't think you want zones here anyways. You
>> > want single IPs. So just qualify the proper zone with the IP. The rules
>> > will then match only for those IPs inside the zone, not all IPs of that
>> > zone. (Where "proper zone" in this case means fw, cause it *is* your
>> > firewall, no?)
>>
>> Ok. So, zone "fw" includes all ifaces at the firewall box, right?
>> If yes, then:
>>
>> /etc/shorewall/zones:
>> net1 net1 ISP1
>> net2 net2 ISP2
>>
>> /etc/shorewall/interfaces:
>> fw eth0 detect
>> fw eth1 detect
>>
>> /etc/shorewall/rules:
>> ACCEPT fw:1.1.1.1 tcp http
>> ACCEPT fw:2.2.2.2 tcp http
>>
>> Right?

> No. The above isn't even correct syntax. Please, read the links I
> mentioned in my previous post *carefully*.

> * interfaces: Do not redefine the fw zone. It already is defined by
>   default. eth0 is your net1 zone anyway...

> * rules: So what don't you like about the rule I mentioned before?

I apologize for my dumbness... :-)
Don't even imagine what's up with my head today...
One stupid error after another... :-(

So...

zones:
net1 isp1-net ISP1 inet
net2 isp2-net ISP2 inet

interfaces:
net1 eth0 detect <options>
net2 eth1 detect <options>

rules:
ACCEPT net1 fw:1.1.1.1 tcp http
ACCEPT net2 fw:3.3.3.3 tcp http

Correct?

If yes, please explain, what is zone "fw"?
Which IP/ifaces/etc does it include?

-- 
MNV-UANIC/RIPE
Nick Mashchenko wrote:
>
> I can write this in /etc/shorewall/zones:
>
> fw1 eth0 broadcast <options>
> fw2 eth1 broadcast <options>

Surely not in /etc/shorewall/zones -- that looks like an entry in
/etc/shorewall/interfaces but in that case:

fw1 = all hosts whose traffic enters your firewall through eth0.
fw2 = all hosts whose traffic enters your firewall through eth0.

This would be the way in which you would define your 'net1' and 'net2'
zones.

>
> Then I'll get what I want: two zones assigned to appropriate ifaces.
>
> However, in this case, what does "fw" mean?
> Which iface "belongs" to this zone?
>

$FW IS NOT ASSOCIATED WITH AN INTERFACE!!!! It stands for "All programs
(including the operating system) running in the Firewall system".

When you define loc->fw rules, you don't have this confusion do you? Then
why do you have it when you are dealing with your two ISP zones? To
Shorewall, there is no difference at all between zones EXCEPT FOR $FW
(fw).

-Tom
-- 
Tom Eastep    \ Off-list replies are cheerfully ignored
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Karsten Bräckelmann
2005-Mar-02 16:01 UTC
Re: Re[9]: Simple question about zones (haven't found in FAQ)
> >> Ok. So, zone "fw" includes all ifaces at the firewall box, right?
> >> If yes, then:
> >>
> >> /etc/shorewall/zones:
> >> net1 net1 ISP1
> >> net2 net2 ISP2
> >>
> >> /etc/shorewall/interfaces:
> >> fw eth0 detect
> >> fw eth1 detect
> >>
> >> /etc/shorewall/rules:
> >> ACCEPT fw:1.1.1.1 tcp http
> >> ACCEPT fw:2.2.2.2 tcp http
> >>
> >> Right?
>
> > No. The above isn't even correct syntax. Please, read the links I
> > mentioned in my previous post *carefully*.
>
> > * interfaces: Do not redefine the fw zone. It already is defined by
> >   default. eth0 is your net1 zone anyway...
>
> > * rules: So what don't you like about the rule I mentioned before?
>
> I apologize for my dumbness... :-)
> Don't even imagine what's up with my head today...
> One stupid error after another... :-(
>
> So...
>
> zones:
> net1 isp1-net ISP1 inet
> net2 isp2-net ISP2 inet
>
> interfaces:
> net1 eth0 detect <options>
> net2 eth1 detect <options>
>
> rules:
> ACCEPT net1 fw:1.1.1.1 tcp http
> ACCEPT net2 fw:3.3.3.3 tcp http
>
> Correct?

Yes, the above snippets do look right.

Well, at least if I understand correctly, what you are after. ;)
Basically this means, that the webserver listening on 1.1.1.1:80 can be
accessed routed via ISP1 only. Similar for ISP2. (see below)

> If yes, please explain, what is zone "fw"?
> Which IP/ifaces/etc does it include?

Additionally to the custom defined zones, Shorewall also recognizes the
firewall system as its own zone -- by default, the firewall itself is
known as fw.

So fw really is just a zone, which is *limited* to anything that is your
firewall itself. And it is *everything* that is your firewall. No
interfaces involved.

You can use this zone to describe your firewall machine as source or
destination for connections and how to handle them.

If net1 and net2 really are ISPs, and your IPs 1.1.1.1 and 3.3.3.3 are
public, I don't really see why you want to limit the connections to the
IPs rather than fw only. Cause every single machine out there can access
both IPs, even if they are located at the "other" ISPs network. The
routing outside your system should take care of this. Thus slightly
simpler and less confusing rules like below should have the same effect,
IMHO:

ACCEPT net1 fw tcp http

Of course, anyone feel free to correct me, in case I overlooked any
valid reason why to limit to the IP...

  karsten

-- 
Davision - Studio for Design / Internet / Multimedia
UNIX / Linux networks and training
Phone 06151/273859  Fax 06151/273862
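The zone semantics the thread settles on, as an added example that is not part of any list post and not Shorewall code: a small Python model of the final zones/interfaces/rules files, showing that the source zone comes from the ingress interface, that fw is the firewall's own addresses and is tied to no interface, and that "fw:1.1.1.1" narrows a rule to one of those addresses. The DROP default policy, the SERVICES table, the FW_ADDRESSES set and all function names are assumptions made for the demo; it also rejects the two mistakes made mid-thread (an undefined "fw1" zone and a rule line with a column missing).

```python
"""Toy model of Shorewall zone resolution for the two-ISP box in this thread.

Added example, not Shorewall code. Only the behaviour discussed above is
modelled: ingress interface -> source zone, implicit fw zone, and
"zone:addr" qualification of the destination. Source-side qualification,
forwarding to the LAN zones and the policy file are not modelled; the
DROP fallback below is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

SERVICES: Dict[str, int] = {"http": 80, "ssh": 22}    # constructed port table

# Constructed to mirror the zones/interfaces finally agreed on in the thread.
ZONES = {"net1": "ISP1", "net2": "ISP2"}               # custom zones; fw is implicit
INTERFACES = {"eth0": "net1", "eth1": "net2"}           # interface -> zone
FW_ADDRESSES = {"1.1.1.1", "3.3.3.3"}                   # addresses the firewall itself owns
DEFAULT_POLICY = "DROP"                                 # assumption for the demo

RULES_QUALIFIED = """
ACCEPT net1 fw:1.1.1.1 tcp http   # only 1.1.1.1, only when arriving via ISP1
ACCEPT net2 fw:3.3.3.3 tcp http   # only 3.3.3.3, only when arriving via ISP2
"""
RULES_PLAIN = "ACCEPT net1 fw tcp http\n"               # the simpler variant from the post above


@dataclass
class Rule:
    action: str
    src_zone: str
    dst_zone: str
    dst_addr: Optional[str]   # set when DEST was written as "zone:addr"
    proto: str
    dport: int


def parse_rules(text: str, fw_zone: str = "fw") -> List[Rule]:
    """Parse ACTION SOURCE DEST PROTO DPORT lines.

    Raises ValueError for a wrong column count or a zone that is neither the
    firewall zone nor defined in ZONES (the errors made earlier in the thread).
    """
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 columns, got {len(fields)}: {line!r}")
        action, src_zone, dst, proto, port = fields
        dst_zone, _, dst_addr = dst.partition(":")
        for zone in (src_zone, dst_zone):
            if zone != fw_zone and zone not in ZONES:
                raise ValueError(f"line {lineno}: zone {zone!r} is not defined in zones")
        dport = SERVICES[port] if port in SERVICES else int(port)
        rules.append(Rule(action, src_zone, dst_zone, dst_addr or None, proto, dport))
    return rules


def zone_of_source(in_iface: str) -> Optional[str]:
    """The source zone is whatever zone the ingress interface belongs to."""
    return INTERFACES.get(in_iface)


def zone_of_destination(dst_ip: str) -> Optional[str]:
    """fw is the firewall itself: any address it owns, whichever interface the
    packet came in on. Other destinations would be forwarded (not modelled)."""
    return "fw" if dst_ip in FW_ADDRESSES else None


def decide(rules: List[Rule], in_iface: str, dst_ip: str, proto: str, dport: int) -> str:
    """Return the action of the first matching rule, else DEFAULT_POLICY."""
    src_zone = zone_of_source(in_iface)
    dst_zone = zone_of_destination(dst_ip)
    for r in rules:
        if r.src_zone != src_zone or r.dst_zone != dst_zone:
            continue
        if r.dst_addr is not None and r.dst_addr != dst_ip:
            continue                                # "fw:1.1.1.1" matches only that address
        if r.proto == proto and r.dport == dport:
            return r.action
    return DEFAULT_POLICY


if __name__ == "__main__":
    qualified = parse_rules(RULES_QUALIFIED)
    plain = parse_rules(RULES_PLAIN)
    for iface, ip in (("eth0", "1.1.1.1"), ("eth0", "3.3.3.3"), ("eth1", "3.3.3.3")):
        print(f"{iface} -> {ip}:80  qualified={decide(qualified, iface, ip, 'tcp', 80)}"
              f"  plain={decide(plain, iface, ip, 'tcp', 80)}")
```

The eth0 -> 3.3.3.3 case is the difference Karsten points at: the IP-qualified rules drop it, the plain `net1 fw` rule accepts it.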
Nick Mashchenko
2005-Mar-02 16:32 UTC
Re[11]: Simple question about zones (haven't found in FAQ)
Hello:

You wrote at 02.03.2005, 18:01:

>> >> Ok. So, zone "fw" includes all ifaces at the firewall box, right?
>> >> If yes, then:
>> >>
>> >> /etc/shorewall/zones:
>> >> net1 net1 ISP1
>> >> net2 net2 ISP2
>> >>
>> >> /etc/shorewall/interfaces:
>> >> fw eth0 detect
>> >> fw eth1 detect
>> >>
>> >> /etc/shorewall/rules:
>> >> ACCEPT fw:1.1.1.1 tcp http
>> >> ACCEPT fw:2.2.2.2 tcp http
>> >>
>> >> Right?
>>
>> > No. The above isn't even correct syntax. Please, read the links I
>> > mentioned in my previous post *carefully*.
>>
>> > * interfaces: Do not redefine the fw zone. It already is defined by
>> >   default. eth0 is your net1 zone anyway...
>>
>> > * rules: So what don't you like about the rule I mentioned before?
>>
>> I apologize for my dumbness... :-)
>> Don't even imagine what's up with my head today...
>> One stupid error after another... :-(
>>
>> So...
>>
>> zones:
>> net1 isp1-net ISP1 inet
>> net2 isp2-net ISP2 inet
>>
>> interfaces:
>> net1 eth0 detect <options>
>> net2 eth1 detect <options>
>>
>> rules:
>> ACCEPT net1 fw:1.1.1.1 tcp http
>> ACCEPT net2 fw:3.3.3.3 tcp http
>>
>> Correct?

> Yes, the above snippets do look right.

> Well, at least if I understand correctly, what you are after. ;)
> Basically this means, that the webserver listening on 1.1.1.1:80 can be
> accessed routed via ISP1 only. Similar for ISP2. (see below)

>> If yes, please explain, what is zone "fw"?
>> Which IP/ifaces/etc does it include?

> Additionally to the custom defined zones, Shorewall also recognizes the
> firewall system as its own zone -- by default, the firewall itself is
> known as fw.

> So fw really is just a zone, which is *limited* to anything that is your
> firewall itself. And it is *everything* that is your firewall. No
> interfaces involved.

> You can use this zone to describe your firewall machine as source or
> destination for connections and how to handle them.

> If net1 and net2 really are ISPs, and your IPs 1.1.1.1 and 3.3.3.3 are
> public, I don't really see why you want to limit the connections to the
> IPs rather than fw only. Cause every single machine out there can access
> both IPs, even if they are located at the "other" ISPs network. The
> routing outside your system should take care of this. Thus slightly
> simpler and less confusing rules like below should have the same effect,
> IMHO:

> ACCEPT net1 fw tcp http

> Of course, anyone feel free to correct me, in case I overlooked any
> valid reason why to limit to the IP...

Karsten and Tom, thank you so much for explaining.

In my network, there are a couple of boxes which have ISP1's IP addresses
and a couple that have ISP2's IP addresses. These two groups are totally
independent. First group works only via ISP1 and second one only via
ISP2. Of course, some box with IP of ISP2 can send its packets to the
first group (they have IP from ISP1). And "receiver" of such a packet
will answer also via ISP1 (and then the "answer" will be forwarded to
the originator by routing out there). That means I've to implement
policy routing there. Actually, there is Cisco 7505 at the moment, which
acts as border router. And we want to replace it with Linux. Not so easy
as I thought before :-).

-- 
MNV-UANIC/RIPE