Hi!
I've read http://www.shorewall.net/Documentation.htm#Nested
and http://www.shorewall.net/Multiple_Zones.html#id2459430
but it is not clear to me.
I have one interface (eth0) which is connected to the world.
It means requests can come from any address on this interface.
So - I cannot use parallel zones since I don't want to define
the remaining zone (the one which catches addresses not
caught by the other ones).
I'd like to define a few zones on this interface:
1) World - the parent zone defined in /etc/shorewall/interfaces
2) Restricted - zone allowed to access HTTP(S);
3) Admins - zone allowed to access HTTP(S), SSH, VMwareConsole;
4) SuperAdmins - zone allowed to access almost all services;
I've tried to define the above schema using nested zones - but it
seems to work improperly. Please notice that a single IP address
might be a member of a few zones (e.g. 1.2.3.4 may be defined
in both the Admins and Restricted lines in /etc/shorewall/hosts).
Why? Because I want to care about groups of users rather
than about single services - that's why I don't want to have zones
"allowed to use HTTP", "allowed to use SSH".
How should I define zones where several of them are nested within one?
Let's assume the World zone is "home", Restricted is "rest", Admins
is "admin" and SuperAdmins is "lamer".
/etc/shorewall/zones:
admin ipv4
rest ipv4
lamer ipv4
home ipv4
/etc/shorewall/interfaces:
home eth0
/etc/shorewall/hosts:
rest eth0:192.168.1.0/24
admin eth0:192.168.1.7/32,192.168.1.3/32,192.168.1.77/32
lamer eth0:192.168.1.7/32
/etc/shorewall/rules:
WWW/ACCEPT rest $FW
WWW/ACCEPT admin $FW
WWW/ACCEPT lamer $FW
SSH/ACCEPT admin $FW
SSH/ACCEPT lamer $FW
In my opinion the above rules make Shorewall switch to a nondeterministic
mode of operation - iptables rules are present but my defined rules
seem not to be working correctly.
Should it work or not?
TIA;
AdamLis;
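An added example (not from the poster or the Shorewall project) that models the configuration above as a first-match lookup, so you can see which zone each source address ends up in when hosts entries overlap. It assumes, and this is an assumption rather than something the post documents, that non-nested overlapping zones are matched in the order listed in /etc/shorewall/zones, with the interface zone as the fallback:

```python
import ipaddress
# Constructed from the poster's zone order, hosts and rules files.
# Assumption (not stated in the post): overlapping, non-nested zones are
# matched in the order listed in /etc/shorewall/zones; the interface zone
# ("home") is the fallback for addresses no hosts entry covers.
ZONES_ORDER = ["admin", "rest", "lamer", "home"]   # /etc/shorewall/zones
INTERFACE_ZONE = "home"                           # /etc/shorewall/interfaces
HOSTS = """\
rest eth0:192.168.1.0/24
admin eth0:192.168.1.7/32,192.168.1.3/32,192.168.1.77/32
lamer eth0:192.168.1.7/32
"""
RULES = """\
WWW/ACCEPT rest $FW
WWW/ACCEPT admin $FW
WWW/ACCEPT lamer $FW
SSH/ACCEPT admin $FW
SSH/ACCEPT lamer $FW
"""

def parse_hosts(text):
    """Return {zone: [ip_network, ...]} from /etc/shorewall/hosts lines."""
    hosts = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            zone, spec = line.split()
            _iface, nets = spec.split(":", 1)
            hosts.setdefault(zone, []).extend(
                ipaddress.ip_network(n) for n in nets.split(","))
    return hosts

def zones_for(ip, hosts):
    """Every zone whose hosts entry covers ip, in zones-file order."""
    addr = ipaddress.ip_address(ip)
    return [z for z in ZONES_ORDER if any(addr in n for n in hosts.get(z, []))]

def effective_zone(ip, hosts):
    """The single zone Shorewall would use under the first-listed assumption."""
    matches = zones_for(ip, hosts)
    return matches[0] if matches else INTERFACE_ZONE

def allowed(ip, service, hosts=None, rules=RULES):
    """True if some rule ACCEPTs service from the effective zone to $FW."""
    hosts = parse_hosts(HOSTS) if hosts is None else hosts
    zone = effective_zone(ip, hosts)
    for line in rules.splitlines():
        if line.strip():
            action, src, dst = line.split()
            if action == f"{service}/ACCEPT" and src == zone and dst == "$FW":
                return True
    return False
```

With this model 192.168.1.7 is covered by admin, rest and lamer but lands in admin because it is listed first, which is why the "lamer" rules never fire for it.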