Dale Bewley
2006-Aug-04 22:10 UTC
policy ordering when mixing interface zones and host defined zones
Running shorewall 3.0.6, Linux 2.6.16, iptables 1.3.0.

This firewall has eth1 facing the DMZ and eth0 is a 802.1q trunk
with 6 VLANs and zones on it. I would like to allow one subnet
living out beyond the DMZ to have access to all zones on this firewall.

It seemed that creating a zone would allow for this to be done cleanly via
a line in the policy file. I defined this special subnet as the "sys" zone.
To test I'm sending traffic from "sys" to "pubsh".

The pkt goes through chain eth1_fwd then goes to
dmz2pubsh then goes to all2all where it is rejected
by the default all2all reject policy.

If the traffic fell out the bottom of dmz2pubsh and returned to eth1_fwd
it would be caught by sys2all and be allowed. Is there some reordering
I can do to achieve such a result?

Hosts:
------
sys     eth1:111.111.111.0/24

Zones:
------
fw      firewall
# eth1
dmz     ipv4
sys     ipv4
# eth0
adm     ipv4
publr   ipv4
pubph   ipv4
pubsh   ipv4
stfph   ipv4
stfsh   ipv4

Policy:
-------
fw      all     ACCEPT
sys     all     ACCEPT
all     dmz     ACCEPT
dmz     fw      DROP    $LOG    10/sec:40
all     all     REJECT  $LOG    10/sec:40

Iptables:
---------
Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out      source               destination
 1265 93062 dynamic    all  --  *      *        0.0.0.0/0            0.0.0.0/0            state INVALID,NEW
 1265 93062 smurfs     all  --  *      *        0.0.0.0/0            0.0.0.0/0            state INVALID,NEW
 159K  112M tcpflags   tcp  --  *      *        0.0.0.0/0            0.0.0.0/0
    0     0 all2all    all  --  *      eth1     0.0.0.0/0            111.111.111.0/24
 9304 7397K dmz2adm    all  --  *      eth0.64  0.0.0.0/0            0.0.0.0/0
 1707  147K dmz2publr  all  --  *      eth0.7   0.0.0.0/0            0.0.0.0/0
    3   114 dmz2pubph  all  --  *      eth0.5   0.0.0.0/0            0.0.0.0/0
 7727 7081K dmz2pubsh  all  --  *      eth0.3   0.0.0.0/0            0.0.0.0/0
38620   32M dmz2stfph  all  --  *      eth0.4   0.0.0.0/0            0.0.0.0/0
 103K   66M dmz2stfsh  all  --  *      eth0.2   0.0.0.0/0            0.0.0.0/0
    0     0 sys2all    all  --  *      eth1     111.111.111.0/24     0.0.0.0/0
    0     0 sys2all    all  --  *      eth0.64  111.111.111.0/24     0.0.0.0/0
    0     0 sys2all    all  --  *      eth0.7   111.111.111.0/24     0.0.0.0/0
    0     0 sys2all    all  --  *      eth0.5   111.111.111.0/24     0.0.0.0/0
    0     0 sys2all    all  --  *      eth0.3   111.111.111.0/24     0.0.0.0/0
    0     0 sys2all    all  --  *      eth0.4   111.111.111.0/24     0.0.0.0/0
    0     0 sys2all    all  --  *      eth0.2   111.111.111.0/24     0.0.0.0/0

Chain all2all (49 references)
 pkts bytes target     prot opt in     out      source               destination
    0     0 ACCEPT     all  --  *      *        0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  995  106K Reject     all  --  *      *        0.0.0.0/0            0.0.0.0/0

--
Dale Bewley - Unix Administrator - Shields Library - UC Davis
GPG: 0xB098A0F3  0D5A 9AEB 43F4 F84C 7EFD  1753 064D 2583 B098 A0F3

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Tom Eastep
2006-Aug-04 22:40 UTC
Re: policy ordering when mixing interface zones and host defined zones
Dale Bewley wrote:
> Running shorewall 3.0.6, Linux 2.6.16, iptables 1.3.0.
>
> This firewall has eth1 facing the DMZ and eth0 is a 802.1q trunk
> with 6 VLANs and zones on it. I would like to allow one subnet
> living out beyond the DMZ to have access to all zones on this firewall.
>
> It seemed that creating a zone would allow for this to be done cleanly via
> a line in the policy file. I defined this special subnet as the "sys" zone.
> To test I'm sending traffic from "sys" to "pubsh".
>
> The pkt goes through chain eth1_fwd then goes to
> dmz2pubsh then goes to all2all where it is rejected
> by the default all2all reject policy.
>
> If the traffic fell out the bottom of dmz2pubsh and returned to eth1_fwd
> it would be caught by sys2all and be allowed. Is there some reordering
> I can do to achieve such a result?
>

You need to add a sys->all policy of CONTINUE.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2006-Aug-04 22:43 UTC
Re: policy ordering when mixing interface zones and host defined zones
Tom Eastep wrote:
> Dale Bewley wrote:
>> Running shorewall 3.0.6, Linux 2.6.16, iptables 1.3.0.
>>
>> This firewall has eth1 facing the DMZ and eth0 is a 802.1q trunk
>> with 6 VLANs and zones on it. I would like to allow one subnet
>> living out beyond the DMZ to have access to all zones on this firewall.
>>
>> It seemed that creating a zone would allow for this to be done cleanly via
>> a line in the policy file. I defined this special subnet as the "sys" zone.
>> To test I'm sending traffic from "sys" to "pubsh".
>>
>> The pkt goes through chain eth1_fwd then goes to
>> dmz2pubsh then goes to all2all where it is rejected
>> by the default all2all reject policy.
>>
>> If the traffic fell out the bottom of dmz2pubsh and returned to eth1_fwd
>> it would be caught by sys2all and be allowed. Is there some reordering
>> I can do to achieve such a result?
>>
>
> You need to add a sys->all policy of CONTINUE.

Check that -- you need to declare the sys zone before the dmz zone; see the
large comment at the top of the zones file.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2006-Aug-04 22:55 UTC
Re: policy ordering when mixing interface zones and host defined zones
Tom Eastep wrote:
> Tom Eastep wrote:
>> Dale Bewley wrote:
>>> Running shorewall 3.0.6, Linux 2.6.16, iptables 1.3.0.
>>>
>>> This firewall has eth1 facing the DMZ and eth0 is a 802.1q trunk
>>> with 6 VLANs and zones on it. I would like to allow one subnet
>>> living out beyond the DMZ to have access to all zones on this firewall.
>>>
>>> It seemed that creating a zone would allow for this to be done cleanly via
>>> a line in the policy file. I defined this special subnet as the "sys" zone.
>>> To test I'm sending traffic from "sys" to "pubsh".
>>>
>>> The pkt goes through chain eth1_fwd then goes to
>>> dmz2pubsh then goes to all2all where it is rejected
>>> by the default all2all reject policy.
>>>
>>> If the traffic fell out the bottom of dmz2pubsh and returned to eth1_fwd
>>> it would be caught by sys2all and be allowed. Is there some reordering
>>> I can do to achieve such a result?
>>>
>> You need to add a sys->all policy of CONTINUE.
>
> Check that -- you need to declare the sys zone before the dmz zone; see the
> large comment at the top of the zones file.
>

Alternatively, you can declare 'sys' explicitly to be a sub-zone of 'dmz'
using the 'dmz:sys' syntax in /etc/shorewall/zones. The general principle
here is that the order in which zones are declared in /etc/shorewall/zones
determines the top-level order in which Shorewall generates rules and applies
policies. In Shorewall 3.0, the '<sub-zone>:<parent-zone>[,...]' syntax causes
Shorewall to internally reorder the zone declaration order so that the
sub-zone appears before its parent(s).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
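The ordering principle Tom describes above is easy to get wrong, so here is an added example (editor's code, not Shorewall's and not from this thread) that models it: zone declaration order becomes the order of the generated forward chain, the first (source zone, destination zone) pair that matches a packet wins, and a host-defined zone nested inside an interface zone therefore has to be ordered before its parent. The zone-to-interface mapping is taken from the dmz2<zone> lines of Dale's eth1_fwd listing and the policy rows from his policy file; the networks behind the eth0 VLANs are not in the thread, so interface zones are matched on interface alone. The sub-zone declaration follows the `<sub-zone>:<parent-zone>` form Tom gives, represented here as (zone, [parents]) tuples rather than the literal file syntax, and the test packet addresses are constructed.

```python
"""Model of how Shorewall 3.0 turns zone declaration order into the order of
the generated forward chain, reproducing the sys-vs-dmz problem from this
thread and the fixes Tom gives.  Added example, not Shorewall code."""
from ipaddress import ip_address, ip_network

# Zone membership from the thread.  The eth0.N names come from the dmz2<zone>
# lines of the posted eth1_fwd chain; the networks behind those VLANs are not
# in the thread, so interface zones match on interface alone.  "sys" is the
# host-defined zone: the eth1 interface restricted to 111.111.111.0/24.
ZONES = {
    "dmz":   ("eth1",    None),
    "sys":   ("eth1",    ip_network("111.111.111.0/24")),
    "adm":   ("eth0.64", None),
    "publr": ("eth0.7",  None),
    "pubph": ("eth0.5",  None),
    "pubsh": ("eth0.3",  None),
    "stfph": ("eth0.4",  None),
    "stfsh": ("eth0.2",  None),
}

# /etc/shorewall/policy as posted; first match wins and "all" is a wildcard.
POLICY = [
    ("fw",  "all", "ACCEPT"),
    ("sys", "all", "ACCEPT"),
    ("all", "dmz", "ACCEPT"),
    ("dmz", "fw",  "DROP"),
    ("all", "all", "REJECT"),
]

ZONE_NAMES = ("fw", "dmz", "sys", "adm", "publr", "pubph", "pubsh", "stfph", "stfsh")
# /etc/shorewall/zones as posted: every zone stands alone, dmz declared before sys.
ZONES_FILE_AS_POSTED = [(z, []) for z in ZONE_NAMES]
# Same file order, but sys declared as a sub-zone of dmz (Tom's
# <sub-zone>:<parent-zone> form, modelled here as (zone, [parents])).
ZONES_FILE_WITH_SUBZONE = [(z, ["dmz"] if z == "sys" else []) for z in ZONE_NAMES]


def policy_for(src, dst, policy=POLICY):
    """First matching policy row decides, exactly as in the policy file."""
    for psrc, pdst, action in policy:
        if psrc in (src, "all") and pdst in (dst, "all"):
            return action
    raise LookupError(f"no policy for {src}->{dst}")


def order_zones(declarations):
    """Return the zone order Shorewall works from: file order, except that a
    sub-zone is moved ahead of each of its parents.  Cycles are rejected."""
    children = {z: [c for c, ps in declarations if z in ps] for z, _ in declarations}
    placed, on_path = [], set()

    def visit(zone):
        if zone in placed:
            return
        if zone in on_path:
            raise ValueError(f"cyclic sub-zone declaration involving {zone}")
        on_path.add(zone)
        for child in children[zone]:   # children first, so they sort earlier
            visit(child)
        on_path.discard(zone)
        placed.append(zone)

    for zone, _ in declarations:
        visit(zone)
    return placed


def zone_matches(zone, iface, addr):
    zif, net = ZONES[zone]
    return iface == zif and (net is None or ip_address(addr) in net)


def build_fwd_rules(zone_order):
    """Rules in chain order: each source zone, in zone order, followed by its
    destination zones.  Only forwarded traffic is modelled, so fw is skipped."""
    zones = [z for z in zone_order if z in ZONES]
    return [(s, d, policy_for(s, d)) for s in zones for d in zones if s != d]


def classify(declarations, in_if, out_if, src, dst):
    """Walk the rules like netfilter does: the first (src zone, dst zone) pair
    that matches the packet wins, and its policy is the result."""
    for s, d, action in build_fwd_rules(order_zones(declarations)):
        if zone_matches(s, in_if, src) and zone_matches(d, out_if, dst):
            return f"{s}2{d}:{action}"
    return "no-match"


if __name__ == "__main__":
    # Constructed test packet: a sys host talking to something in pubsh.
    pkt = ("eth1", "eth0.3", "111.111.111.5", "10.0.3.10")
    print("as posted:     ", classify(ZONES_FILE_AS_POSTED, *pkt))     # dmz2pubsh:REJECT
    print("sys as subzone:", classify(ZONES_FILE_WITH_SUBZONE, *pkt))  # sys2pubsh:ACCEPT
    print("zone order:    ", order_zones(ZONES_FILE_WITH_SUBZONE))
```

With the zones file as posted the model reproduces Dale's trace: dmz is the first zone on eth1 and matches everything arriving there, so a packet from 111.111.111.0/24 hits the dmz->pubsh pair and gets the catch-all REJECT policy; the sys rules further down are never reached. Declaring sys as a sub-zone of dmz makes `order_zones` emit it ahead of dmz, so the sys->pubsh pair is tested first and the sys->all ACCEPT policy applies, while a plain DMZ host outside the /24 still falls through to dmz->pubsh and is rejected. Tom's other fix, simply moving the sys line above dmz in the file, gives the same order without the sub-zone syntax, since `order_zones` preserves file order when nothing is nested.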
Dale Bewley
2006-Aug-04 23:27 UTC
Re: policy ordering when mixing interface zones and host defined zones
On Fri, 2006-08-04 at 15:55 -0700, Tom Eastep wrote:
> Tom Eastep wrote:
> Alternatively, you can declare 'sys' explicitly to be a sub-zone of
> 'dmz' using the 'dmz:sys' syntax in /etc/shorewall/zones. The general
> principle here is that the order in which zones are declared in
> /etc/shorewall/zones determines the top-level order in which Shorewall
> generates rules and applies policies. In Shorewall 3.0, the
> '<sub-zone>:<parent-zone>[,...]' syntax causes Shorewall to internally
> reorder the zone declaration order so that the sub-zone appears before
> its parent(s).

Worked like a charm. Thanks so much!

--
Dale Bewley - Unix Administrator - Shields Library - UC Davis
GPG: 0xB098A0F3  0D5A 9AEB 43F4 F84C 7EFD  1753 064D 2583 B098 A0F3