I've got my network logically divided by the last octet of the IP address.

1-9 = reserved for temporary testing systems ONLY
10-63 = reserved for infrastructure devices ("routers", switches, APs, etc.)
64-127 = reserved for dedicated servers (everything is going virtual. one vmachine per service!)
128-250 = reserved for user devices. Phones, game consoles, laptops and desktops. The wifi is secured using wpa2-eap-tls and the switch is secured using radius-eap-tls.
251-254 are reserved for routers. (254 is the currently provided router IP address from DHCP, 253 was used for testing prior to implementation, and 251 and 252 are virtual load balancing routers)

So I have some zones: lan, for all of my /24, and some sub zones. Here's my zones file and my hosts file (vpn isn't implemented right now, I'm mid-upgrades):

zones:
fw       firewall
wan      ipv4
lan      ipv4
vpn      ipsec
rts:lan  ipv4
srv:lan  ipv4
usr:lan  ipv4
inf:lan  ipv4
tst:lan  ipv4

hosts:
vpn   eth0:10.0.129.0/24   ipsec,broadcast,routeback
vpn   eth1:10.0.128.0/24   ipsec,broadcast,routeback
rts   eth0:10.0.0.254,10.0.0.251,10.0.0.252,10.0.0.253
srv   eth0:10.0.0.65/26
usr   eth0:10.0.0.128/25
inf   eth0:10.0.0.10-10.0.0.64
tst   eth0:10.0.0.1-10.0.0.9

My major question is: I want to be able to set up a policy or a rule similar to:

ACCEPT lan(+all child zones) wan tcp port.

And I also want to know, what happens when a packet is allowed by one rule, but disallowed by another rule? For example, if I add another dynamic zone "Special users" (spu:lan), and add someone in the usr zone to the spu zone. Do they match the usr or the spu, or the lan zone policy and rule, if the rules are in conflict?

Example rule conflict:
SSH(REJECT)  lan  $FW
SSH(DROP)    usr  $FW
SSH(ACCEPT)  spu  $FW

------------------------------------------------------------------------------
RSA(R) Conference 2012
Mar 27 - Feb 2
Save $400 by Jan. 27
Register now!
http://p.sf.net/sfu/rsa-sfdev2dev2
On Sat, 2012-01-14 at 23:08 -0800, Christ Schlacta wrote:
> my major question is.. I want to be able to set up a policy or a rule
> similar to:
> ACCEPT lan(+all child zones) wan tcp port.
>
> and I also want to know, what happens when a packet is allowed by one
> rule, but disallowed by another rule? for example, if I add another
> Dynamic zone "Special users" (spu:lan), and add someone in the usr zone
> to the spu zone. do they match the usr or the spu, or the lan zone
> policy and rule, if the rules are in conflict?
> Example rule conflict:
> SSH(REJECT) lan $FW
> SSH(DROP) usr $FW
> SSH(ACCEPT) spu $FW

There are several considerations here:

1. If you set IMPLICIT_CONTINUE=Yes in shorewall.conf, then any connection that doesn't match any subzone rule is automatically passed on to the parent zone's rules.
2. Child zones will always be checked before the parent zone.
3. If a host is in more than one child zone, then connections to/from that host will be passed to the child zones' rules in the order in which the child zones appear in /etc/shorewall/zones.

Hope that helps,
-Tom

--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
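The three points in Tom's reply, applied to the SSH conflict from the question, as an added model that is not Shorewall's own code. It encodes the question's zones and hosts files, a constructed spu:lan zone (appended after tst, with 10.0.0.200 as its one member, who is also in usr), a constructed policy file of "all all REJECT", and resolves a connection to $FW by walking the zones in the order Tom describes. How Shorewall behaves without IMPLICIT_CONTINUE is this model's own assumption (evaluation stops at the first zone and that zone's policy decides), not something the reply states.

```python
"""Model of the nested-zone rule resolution described in the reply above.

Added illustration, not Shorewall's own code. It encodes the three points
from the reply (child zones are checked before the parent, children in
/etc/shorewall/zones order, IMPLICIT_CONTINUE=Yes passes an unmatched
connection on to the parent zone's rules) and applies them to the SSH
example from the question. The spu zone entry, its single host and the
policy file are constructed for this example.
"""
import ipaddress

# Zone order as it would appear in /etc/shorewall/zones: the question's file
# plus a constructed spu:lan line appended at the end.
ZONES = ["fw", "wan", "lan", "rts", "srv", "usr", "inf", "tst", "spu"]
PARENT = {"rts": "lan", "srv": "lan", "usr": "lan", "inf": "lan", "tst": "lan", "spu": "lan"}

# Hosts file from the question as (zone, member spec); the spu line is constructed.
HOSTS = [
    ("rts", "10.0.0.254"), ("rts", "10.0.0.251"), ("rts", "10.0.0.252"), ("rts", "10.0.0.253"),
    ("srv", "10.0.0.65/26"),
    ("usr", "10.0.0.128/25"),
    ("inf", "10.0.0.10-10.0.0.64"),
    ("tst", "10.0.0.1-10.0.0.9"),
    ("spu", "10.0.0.200"),  # constructed: one "special user" who is also in usr
]
LAN_NET = ipaddress.ip_network("10.0.0.0/24")  # the parent zone is the whole /24

# The three conflicting rules from the question: (action, source, dest, service)
RULES = [
    ("REJECT", "lan", "fw", "SSH"),
    ("DROP", "usr", "fw", "SSH"),
    ("ACCEPT", "spu", "fw", "SSH"),
]
# Constructed policy file: (source, dest, action); "all" matches any zone.
POLICIES = [("all", "all", "REJECT")]


def member(ip, spec):
    """True if ip is covered by a hosts-file member: single host, CIDR or lo-hi range."""
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s) for s in spec.split("-"))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)


def zones_for(ip, zone_order=ZONES):
    """Zones containing ip in evaluation order: child zones as listed, then the parent."""
    zones = [z for z in zone_order
             if z in PARENT and any(member(ip, spec) for hz, spec in HOSTS if hz == z)]
    if ipaddress.ip_address(ip) in LAN_NET:
        zones.append("lan")
    return zones


def find_rule(zone, dest, service):
    """First rule for zone -> dest that names the service, or None."""
    for action, src, dst, svc in RULES:
        if src == zone and dst == dest and svc == service:
            return action
    return None


def policy_for(zone, dest):
    """Policy for zone -> dest; the model refuses to decide without one."""
    for src, dst, action in POLICIES:
        if src in (zone, "all") and dst in (dest, "all"):
            return action
    raise ValueError(f"no policy for {zone} -> {dest}")


def resolve(ip, service, zone_order=ZONES, implicit_continue=True, dest="fw"):
    """Return (action, zone, 'rule' | 'policy') for a connection from ip to dest.

    With implicit_continue a zone that has no matching rule hands the
    connection to the next zone in the order. Without it, the model assumes
    (its own assumption) that evaluation stops at the first zone and that
    zone's policy decides.
    """
    zones = zones_for(ip, zone_order)
    if not zones:
        raise ValueError(f"{ip} is not in any zone of this model")
    for zone in zones:
        action = find_rule(zone, dest, service)
        if action is not None:
            return action, zone, "rule"
        if not implicit_continue:
            break
    return policy_for(zone, dest), zone, "policy"


if __name__ == "__main__":
    for ip in ("10.0.0.200", "10.0.0.130", "10.0.0.70", "10.0.0.254"):
        print(ip, zones_for(ip), "SSH ->", resolve(ip, "SSH"))
    spu_first = ["fw", "wan", "lan", "rts", "srv", "spu", "usr", "inf", "tst"]
    print("spu listed before usr:", resolve("10.0.0.200", "SSH", spu_first))
```

With spu appended after usr, the special user at 10.0.0.200 gets the usr DROP, not the spu ACCEPT: point 3 means the zones-file order, not the rule's action, settles the conflict, and moving spu:lan above usr:lan flips the result. A srv host has no SSH rule of its own, so under IMPLICIT_CONTINUE=Yes it falls through to the lan REJECT, and with it off to the policy. Running zones_for on 10.0.0.254 also shows that the question's hosts file puts the routers in both rts and usr, because 10.0.0.128/25 spans 128-255 while the prose reserves only 128-250 for users; whichever of rts or usr is listed first decides which rules those routers hit.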
Christ Schlacta
2012-Jan-15 22:26 UTC
Re: child and parent zones (or dynamic zones as well?)
It does quite a bit. It would help a little more if there were a clearer sample setup with explicit examples, but I think I know now that for the most part I'll get the desired setup using IMPLICIT_CONTINUE=Yes, or policy CONTINUE.

On 1/15/2012 07:33, Tom Eastep wrote:
> On Sat, 2012-01-14 at 23:08 -0800, Christ Schlacta wrote:
>
>> my major question is.. I want to be able to set up a policy or a rule
>> similar to:
>> ACCEPT lan(+all child zones) wan tcp port.
>>
>> and I also want to know, what happens when a packet is allowed by one
>> rule, but disallowed by another rule? for example, if I add another
>> Dynamic zone "Special users" (spu:lan), and add someone in the usr zone
>> to the spu zone. do they match the usr or the spu, or the lan zone
>> policy and rule, if the rules are in conflict?
>> Example rule conflict:
>> SSH(REJECT) lan $FW
>> SSH(DROP) usr $FW
>> SSH(ACCEPT) spu $FW
> There are several considerations here:
>
> 1. If you set IMPLICIT_CONTINUE=Yes in shorewall.conf, then any
> connection that doesn't match any subzone rule is automatically
> passed on to the parent zone's rules.
> 2. Child zones will always be checked before the parent zone.
> 3. If a host is in more than one child zone, then connections
> to/from that host will be passed to the child zones rules in the
> order in which the child zones appear in /etc/shorewall/zones.
>
> Hope that helps,
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users