LAN server, single ethernet interface.
By defining two zones in the shorewall hosts file as:

#ZONE   HOST(S)              OPTIONS
one     eth0:10.0.0.0/8      tcpflags,nosmurfs
two     eth0:10.1.0.0/16     tcpflags,nosmurfs

Is this correct?
Because zone "two" is a subnetwork of zone "one", will packets arriving
from 10.1.0.0/16 addresses always be correctly processed?
Is there a chance for the firewall to erroneously process a packet
coming from zone "two" (by applying rules for zone "one")?
Does the order in which the zones are defined (in the hosts file or the
zones file) make a difference in this specific case?

Thanks, bye,
Marco

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Marco Romano wrote:
> LAN server, single ethernet interface.
> By defining two zones in the shorewall hosts file as:
>
> #ZONE   HOST(S)              OPTIONS
> one     eth0:10.0.0.0/8      tcpflags,nosmurfs
> two     eth0:10.1.0.0/16     tcpflags,nosmurfs
>
> Is this correct?
> Because zone "two" is a subnetwork of zone "one", will packets arriving
> from 10.1.0.0/16 addresses always be correctly processed?
> Is there a chance for the firewall to erroneously process a packet
> coming from zone "two" (by applying rules for zone "one")?
> Does the order in which the zones are defined (in the hosts file or the
> zones file) make a difference in this specific case?

The order (in the zones file) makes a difference, but you should also
tell shorewall that two is a subzone of one by specifying them in
two:one format in the zones file.

You can see which zone is being processed first by running
  shorewall show eth0_in
or
  shorewall show eth0_fwd

See http://www.shorewall.net/Documentation.htm#Zones for more
information about zone ordering.

--
Paul <http://paulgear.webhop.net>
--
Did you know? The major music labels and on-line stores want to limit
your rights to listen to music you have legitimately purchased.
Find out more: http://iownmymusic.org/
Many thanks Paul,

What if the nested zones are on different interfaces?
In this case two is a subnet of one but is connected on a separate interface.
Is it correct to define:

zones:

#ZONE     TYPE       OPTIONS      IN           OUT
#                                 OPTIONS      OPTIONS
fw        firewall
one       ipv4
two:one   ipv4

interfaces:

#ZONE     INTERFACE  BROADCAST    OPTIONS
one       eth0       detect       routefilter,logmartians,tcpflags,nosmurfs
two       eth1       detect       routefilter,logmartians,tcpflags,nosmurfs

In this specific case the hosts file will remain empty.

Thanks, bye,
Marco

Paul Gear wrote:
> Marco Romano wrote:
>
>> LAN server, single ethernet interface.
>> By defining two zones in the shorewall hosts file as:
>>
>> #ZONE   HOST(S)              OPTIONS
>> one     eth0:10.0.0.0/8      tcpflags,nosmurfs
>> two     eth0:10.1.0.0/16     tcpflags,nosmurfs
>>
>> Is this correct?
>> Because zone "two" is a subnetwork of zone "one", will packets arriving
>> from 10.1.0.0/16 addresses always be correctly processed?
>> Is there a chance for the firewall to erroneously process a packet
>> coming from zone "two" (by applying rules for zone "one")?
>> Does the order in which the zones are defined (in the hosts file or the
>> zones file) make a difference in this specific case?
>
> The order (in the zones file) makes a difference, but you should also
> tell shorewall that two is a subzone of one by specifying them in
> two:one format in the zones file.
>
> You can see which zone is being processed first by running
>   shorewall show eth0_in
> or
>   shorewall show eth0_fwd
>
> See http://www.shorewall.net/Documentation.htm#Zones for more
> information about zone ordering.
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Marco Romano wrote:
> Many thanks Paul,
>
> What if the nested zones are on different interfaces?

If the zones are associated with different interfaces then by definition,
they cannot be nested.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
Thanks Tom,

Imagine we have eth0 with 10.1.0.0/16 and eth1 with 10.0.0.0/8.
Of course on eth1 I will have all the 10.0.0.0/8 subnets except the
10.1.0.0/16 one, because it is on eth0.
But will shorewall understand this by just using its detectnets feature?

Bye,
Marco

Tom Eastep wrote:
> Marco Romano wrote:
>
>> Many thanks Paul,
>>
>> What if the nested zones are on different interfaces?
>
> If the zones are associated with different interfaces then by definition,
> they cannot be nested.
>
> -Tom
Marco Romano wrote:
> Thanks Tom,
>
> Imagine we have eth0 with 10.1.0.0/16 and eth1 with 10.0.0.0/8.
> Of course on eth1 I will have all the 10.0.0.0/8 subnets except the
> 10.1.0.0/16 one, because it is on eth0.
> But will shorewall understand this by just using its detectnets feature?

Shorewall doesn't even need the detectnets feature to 'understand' that
configuration.

Consider the normal two-interface case:

  eth0 has 0.0.0.0/0    (net)
  eth1 has 10.1.0.0/16  (loc)

10.1.0.0/16 is a subnet of 0.0.0.0/0 -- your case is no different.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
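The two answers in this thread make one combined point: zones whose networks overlap on the same interface are nested and should be declared as child:parent with the more specific zone first, while overlapping networks on different interfaces are not nested at all, because the interface already separates them. The script below is an added illustration written for this thread; it is not part of Shorewall and not code from Paul or Tom. It reads hosts-file style lines (ZONE, INTERFACE:NETWORK, OPTIONS), reports same-interface containment, and prints the zones-file lines that follow Paul's advice. The sample inputs are constructed from the configurations discussed above; the child-before-parent ordering and the one-network-per-zone layout are this script's own assumptions, not a guarantee about how Shorewall orders its chains.

```python
"""Check a Shorewall hosts-file style zone list for nested (overlapping) zones.

Added example for the thread above; not Shorewall's own code. Assumes one
hosts-file line per zone so that a zone maps to exactly one network.
"""
import ipaddress

# Constructed sample: Marco's first configuration, both zones on eth0.
SAME_INTERFACE = """\
#ZONE   HOST(S)              OPTIONS
one     eth0:10.0.0.0/8      tcpflags,nosmurfs
two     eth0:10.1.0.0/16     tcpflags,nosmurfs
"""

# Constructed sample: Marco's second scenario, the /16 moved to its own interface.
SPLIT_INTERFACES = """\
#ZONE   HOST(S)              OPTIONS
one     eth1:10.0.0.0/8      tcpflags,nosmurfs
two     eth0:10.1.0.0/16     tcpflags,nosmurfs
"""


def parse_hosts(text):
    """Return (zone, interface, network) tuples from hosts-file text.

    Comment and blank lines are skipped; the OPTIONS column is ignored.
    A bare interface with no network is treated as 0.0.0.0/0 (everything
    reachable through that interface), mirroring the interfaces-file case.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        zone, hosts = line.split()[:2]
        iface, _, net = hosts.partition(":")
        if not net:
            net = "0.0.0.0/0"
        entries.append((zone, iface, ipaddress.ip_network(net, strict=False)))
    return entries


def find_nested(entries):
    """Return (inner_zone, outer_zone) pairs whose networks nest on the SAME
    interface. Overlap across interfaces is deliberately not reported: as Tom
    says, zones on different interfaces cannot be nested."""
    nested = []
    for zi, ii, ni in entries:
        for zo, io, no in entries:
            if zi == zo or ii != io or ni == no:
                continue
            if ni.subnet_of(no):
                nested.append((zi, zo))
    return nested


def zones_file_lines(entries):
    """Emit 'ZONE TYPE' zones-file lines: nested zones as child:parent (using
    the tightest enclosing zone as parent), more specific zones listed first."""
    net_of = {zone: net for zone, _, net in entries}
    parent_of = {}
    for child, parent in find_nested(entries):
        current = parent_of.get(child)
        if current is None or net_of[parent].prefixlen > net_of[current].prefixlen:
            parent_of[child] = parent
    ordered = sorted(entries, key=lambda e: e[2].prefixlen, reverse=True)
    lines = []
    for zone, _, _ in ordered:
        name = f"{zone}:{parent_of[zone]}" if zone in parent_of else zone
        lines.append(f"{name}\tipv4")
    return lines


if __name__ == "__main__":
    for label, text in (("same interface", SAME_INTERFACE),
                        ("split interfaces", SPLIT_INTERFACES)):
        entries = parse_hosts(text)
        print(f"== {label}: nested pairs = {find_nested(entries)}")
        print("\n".join(zones_file_lines(entries)))
```

Run against the first sample it reports `two` nested in `one` and prints `two:one` ahead of `one`; against the second sample it reports no nesting, so both zones are emitted as plain top-level zones, which is the ordinary two-interface case Tom describes.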
You got right to the point!
Thanks for your help Tom,

Bye,
Marco

Tom Eastep wrote:
> Marco Romano wrote:
>
>> Thanks Tom,
>>
>> Imagine we have eth0 with 10.1.0.0/16 and eth1 with 10.0.0.0/8.
>> Of course on eth1 I will have all the 10.0.0.0/8 subnets except the
>> 10.1.0.0/16 one, because it is on eth0.
>> But will shorewall understand this by just using its detectnets feature?
>
> Shorewall doesn't even need the detectnets feature to 'understand' that
> configuration.
>
> Consider the normal two-interface case:
>
>   eth0 has 0.0.0.0/0    (net)
>   eth1 has 10.1.0.0/16  (loc)
>
> 10.1.0.0/16 is a subnet of 0.0.0.0/0 -- your case is no different.
>
> -Tom