Shorewall users - Aug 2006 - policy ordering when mixing interface zones and host defined zones

Running shorewall 3.0.6, Linux 2.6.16, iptables 1.3.0.

This firewall has eth1 facing the DMZ and eth0 is a 802.1q trunk
with 6 VLANs and zones on it. I would like to allow one subnet
living out beyond the DMZ to have access to all zones on this firewall.

It seemed that creating a zone would allow for this to be done cleanly via
a line in the policy file. I defined this special subnet as the "sys"
zone.
To test I''m sending traffic from "sys" to "pubsh". 

The pkt goes through chain eth1_fwd then goes to
dmz2pubsh then goes to all2all where it is rejected
by the default all2all reject policy.

If the traffic fell out the bottom of dmz2pubsh and returned to eth1_fwd
it would be caught by sys2all and be allowed. Is there some reordering
I can do to achieve such a result?

Hosts:
------
sys     eth1:111.111.111.0/24

Zones:
------
fw      firewall
# eth1
dmz     ipv4
sys     ipv4
# eth0
adm     ipv4
publr   ipv4
pubph   ipv4
pubsh   ipv4
stfph   ipv4
stfsh   ipv4

Policy:
-------
fw              all             ACCEPT
sys             all             ACCEPT
all             dmz             ACCEPT
dmz             fw              DROP            $LOG    10/sec:40
all             all             REJECT          $LOG    10/sec:40

Iptables:
---------
Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1265 93062 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID,NEW
 1265 93062 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID,NEW
 159K  112M tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 all2all    all  --  *      eth1    0.0.0.0/0           
111.111.111.0/24
 9304 7397K dmz2adm    all  --  *      eth0.64  0.0.0.0/0            0.0.0.0/0
 1707  147K dmz2publr  all  --  *      eth0.7  0.0.0.0/0            0.0.0.0/0
    3   114 dmz2pubph  all  --  *      eth0.5  0.0.0.0/0            0.0.0.0/0
 7727 7081K dmz2pubsh  all  --  *      eth0.3  0.0.0.0/0            0.0.0.0/0
38620   32M dmz2stfph  all  --  *      eth0.4  0.0.0.0/0            0.0.0.0/0
 103K   66M dmz2stfsh  all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0
    0     0 sys2all    all  --  *      eth1    111.111.111.0/24     0.0.0.0/0
    0     0 sys2all    all  --  *      eth0.64  111.111.111.0/24     0.0.0.0/0
    0     0 sys2all    all  --  *      eth0.7  111.111.111.0/24     0.0.0.0/0
    0     0 sys2all    all  --  *      eth0.5  111.111.111.0/24     0.0.0.0/0
    0     0 sys2all    all  --  *      eth0.3  111.111.111.0/24     0.0.0.0/0
    0     0 sys2all    all  --  *      eth0.4  111.111.111.0/24     0.0.0.0/0
    0     0 sys2all    all  --  *      eth0.2  111.111.111.0/24     0.0.0.0/0

Chain all2all (49 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
  995  106K Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

-- 
Dale Bewley - Unix Administrator - Shields Library - UC Davis
GPG: 0xB098A0F3 0D5A 9AEB 43F4 F84C 7EFD  1753 064D 2583 B098 A0F3


-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

Dale Bewley wrote:
> Running shorewall 3.0.6, Linux 2.6.16, iptables 1.3.0.
> 
> This firewall has eth1 facing the DMZ and eth0 is a 802.1q trunk
> with 6 VLANs and zones on it. I would like to allow one subnet
> living out beyond the DMZ to have access to all zones on this firewall.
> 
> It seemed that creating a zone would allow for this to be done cleanly via
> a line in the policy file. I defined this special subnet as the
"sys" zone.
> To test I''m sending traffic from "sys" to
"pubsh".
> 
> The pkt goes through chain eth1_fwd then goes to
> dmz2pubsh then goes to all2all where it is rejected
> by the default all2all reject policy.
> 
> If the traffic fell out the bottom of dmz2pubsh and returned to eth1_fwd
> it would be caught by sys2all and be allowed. Is there some reordering
> I can do to achieve such a result?
>
You need to add a sys->all policy of CONTINUE.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

Tom Eastep wrote:
> Dale Bewley wrote:
>> Running shorewall 3.0.6, Linux 2.6.16, iptables 1.3.0.
>>
>> This firewall has eth1 facing the DMZ and eth0 is a 802.1q trunk
>> with 6 VLANs and zones on it. I would like to allow one subnet
>> living out beyond the DMZ to have access to all zones on this firewall.
>>
>> It seemed that creating a zone would allow for this to be done cleanly
via
>> a line in the policy file. I defined this special subnet as the
"sys" zone.
>> To test I''m sending traffic from "sys" to
"pubsh".
>>
>> The pkt goes through chain eth1_fwd then goes to
>> dmz2pubsh then goes to all2all where it is rejected
>> by the default all2all reject policy.
>>
>> If the traffic fell out the bottom of dmz2pubsh and returned to
eth1_fwd
>> it would be caught by sys2all and be allowed. Is there some reordering
>> I can do to achieve such a result?
>>
> 
> You need to add a sys->all policy of CONTINUE.
Check that -- you need to declare the sys zone before the dmz zone; see the
large comment at the top of the zones file.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

Tom Eastep wrote:
> Tom Eastep wrote:
>> Dale Bewley wrote:
>>> Running shorewall 3.0.6, Linux 2.6.16, iptables 1.3.0.
>>>
>>> This firewall has eth1 facing the DMZ and eth0 is a 802.1q trunk
>>> with 6 VLANs and zones on it. I would like to allow one subnet
>>> living out beyond the DMZ to have access to all zones on this
firewall.
>>>
>>> It seemed that creating a zone would allow for this to be done
cleanly via
>>> a line in the policy file. I defined this special subnet as the
"sys" zone.
>>> To test I''m sending traffic from "sys" to
"pubsh".
>>>
>>> The pkt goes through chain eth1_fwd then goes to
>>> dmz2pubsh then goes to all2all where it is rejected
>>> by the default all2all reject policy.
>>>
>>> If the traffic fell out the bottom of dmz2pubsh and returned to
eth1_fwd
>>> it would be caught by sys2all and be allowed. Is there some
reordering
>>> I can do to achieve such a result?
>>>
>> You need to add a sys->all policy of CONTINUE.
> 
> Check that -- you need to declare the sys zone before the dmz zone; see the
> large comment at the top of the zones file.
> 
Alternatively, you can declare ''sys'' explicitly to be a
sub-zone of
''dmz'' using the ''dmz:sys'' syntax in
/etc/shorewall/zones. The general
principle here is that the order in which zones are declared in
/etc/shorewall/zones determines the top-level order in which Shorewall
generates rules and applies policies. In Shorewall 3.0, the
''<sub-zone>:<parent-zone>[,...]'' syntax causes
Shorewall to internally
reorder the zone declaration order so that the sub-zone appears before
its parent(s).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

On Fri, 2006-08-04 at 15:55 -0700, Tom Eastep wrote:
> Tom Eastep wrote:
> Alternatively, you can declare ''sys'' explicitly to be a
sub-zone of
> ''dmz'' using the ''dmz:sys'' syntax in
/etc/shorewall/zones. The general
> principle here is that the order in which zones are declared in
> /etc/shorewall/zones determines the top-level order in which Shorewall
> generates rules and applies policies. In Shorewall 3.0, the
> ''<sub-zone>:<parent-zone>[,...]'' syntax
causes Shorewall to internally
> reorder the zone declaration order so that the sub-zone appears before
> its parent(s).
Worked like a charm. Thanks so much!

-- 
Dale Bewley - Unix Administrator - Shields Library - UC Davis
GPG: 0xB098A0F3 0D5A 9AEB 43F4 F84C 7EFD  1753 064D 2583 B098 A0F3


-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV