Hi,

Say eth0 is connected to the Internet and eth1 is a trunk port connected to a managed switch. Everything on that switch can be regarded as a member of the "loc" zone. The other hosts are members of one VLAN. They have arbitrary IP addresses, outside of eth0's subnet. So, for example we have:

fw ifname    their IP        Intended use
-------------------------------------------
eth0         194.109.x.1     Internet uplink
eth1.10      200.10.xx.5     HTTP server
eth1.11      201.61.x.21     Email server
eth1.12      80.214.xx.9     FTP server

The IPs (intentionally bogus), together with proxyarp, make the clients' internet configuration easier because e.g. http could now just specify 200.10.xx.254 as its gateway and Shorewall would answer the arp request.

Anyway. I would like to know whether the following configuration is valid:

/etc/shorewall/shorewall.conf
    IMPLICIT_CONTINUE=Yes

/etc/shorewall/zones:
    fw        ipv4
    inet      ipv4
    loc       ipv4
    http:loc  ipv4
    mail:loc  ipv4
    ftp:loc   ipv4

/etc/shorewall/interfaces
    inet  eth0
    loc   eth1
    http  eth1.10
    mail  eth1.11
    ftp   eth1.12

/etc/shorewall/policy
    fw   all  ACCEPT
    all  all  DROP:info

/etc/shorewall/rules
    DROP    inet  all   icmp  8
    ACCEPT  inet  loc   icmp
    ACCEPT  inet  http  tcp   80,443
    ACCEPT  inet  ftp   tcp   20,21

and so on.

If this is valid then as you can see it would allow me to have shared rules for the parent (loc) e.g. drop ICMP echo request from inet to loc, and specific rules for child zones. But I'm not sure if this is valid - eth1 is not the same as eth1.10, right?

Or is there a better way to do the above?

--
Thanks,
Mark van Dijk.

Fri Aug 31 16:14 UTC 2012
Today is Pungenday, the 24th day of Bureaucracy in the YOLD 3178

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat
landscape has changed and how IT managers can respond. Discussions will
include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
On 08/31/2012 09:43 AM, Mark van Dijk wrote:

> If this is valid then as you can see it would allow me to have shared
> rules for the parent (loc) e.g. drop ICMP echo request from inet to
> loc, and specific rules for child zones. But I'm not sure if this is
> valid - eth1 is not the same as eth1.10, right?

Right -- it isn't valid. Packets routed to/from eth1.10 are NOT routed to/from eth1. In this configuration, eth1 doesn't have an IP address at all so Netfilter won't match any packets against eth1.

> Or is there a better way to do the above?

- define one zone Z that includes all three eth.nn,
- specify REJECT for the Z->Z policy.
- Use rules to specify which traffic is allowed.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
> Right -- it isn't valid. Packets routed to/from eth1.10 are NOT routed
> to/from eth1. In this configuration, eth1 doesn't have an IP address
> at all so Netfilter won't match any packets against eth1.

Ok, makes sense.

> - define one zone Z that includes all three eth.nn,
> - specify REJECT for the Z->Z policy.
> - Use rules to specify which traffic is allowed.

So in effect, is this what you mean? --

/etc/shorewall/zones
    loc       ipv4
    http:loc  ipv4
    mail:loc  ipv4
    ftp:loc   ipv4

/etc/shorewall/interfaces
    ...
    loc  eth1.10
    loc  eth1.11
    loc  eth1.12

/etc/shorewall/hosts
    http  eth1.10:0.0.0.0/0
    mail  eth1.11:0.0.0.0/0
    ftp   eth1.12:0.0.0.0/0

It seems that, in this scenario, the firewall would not care for the IPs behind a certain VLAN, which seems to be quite handy, for example if I add another HTTP server to VLAN 10.

Thank you,
Mark
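A simplified model of the zone membership and rule fall-through discussed in this thread, added here as an illustration; it is not code from the thread or from Shorewall itself. The IP addresses are constructed, and the lookup order (subzone rules before the parent zone's, then policy) approximates Shorewall's chain layout with IMPLICIT_CONTINUE=Yes as set in Mark's shorewall.conf.

```python
from ipaddress import ip_address, ip_network

# Constructed data following the thread: nesting from the zones file, entries
# from the two interfaces/hosts layouts, and the rules/policy Mark posted.
PARENTS = {"http": "loc", "mail": "loc", "ftp": "loc"}
# Layout 1: the first proposal (loc on eth1, subzones on the VLAN interfaces).
ORIG_IFACES = [("inet", "eth0"), ("loc", "eth1"), ("http", "eth1.10"),
               ("mail", "eth1.11"), ("ftp", "eth1.12")]
# Layout 2: Tom's suggestion as restated (loc spans the VLAN interfaces,
# subzones are carved out of it in the hosts file).
FIXED_IFACES = [("inet", "eth0"), ("loc", "eth1.10"), ("loc", "eth1.11"),
                ("loc", "eth1.12")]
FIXED_HOSTS = [("http", "eth1.10", "0.0.0.0/0"), ("mail", "eth1.11", "0.0.0.0/0"),
               ("ftp", "eth1.12", "0.0.0.0/0")]
RULES = [("DROP", "inet", "all", "icmp", {8}),  # ICMP type 8 = echo request
         ("ACCEPT", "inet", "loc", "icmp", None),
         ("ACCEPT", "inet", "http", "tcp", {80, 443}),
         ("ACCEPT", "inet", "ftp", "tcp", {20, 21})]
POLICY = [("ACCEPT", "fw", "all"), ("DROP", "all", "all")]

def zones_for(ifname, ip, interfaces, hosts=()):
    """Zones an endpoint belongs to, from interfaces/hosts entries only: an
    interface entry matches its exact name (eth1 is not eth1.10), a hosts entry
    needs interface and address to match; zone nesting grants no membership."""
    found = {z for z, iface in interfaces if iface == ifname}
    found |= {z for z, iface, net in hosts
              if iface == ifname and ip_address(ip) in ip_network(net)}
    return found

def depth(zone):
    d = 0
    while zone in PARENTS:
        zone, d = PARENTS[zone], d + 1
    return d

def decide(src_zones, dst_zones, proto, port):
    """Most specific zone pair first, first matching rule wins; unmatched subzone
    traffic falls through to the parent's rules (IMPLICIT_CONTINUE=Yes), then policy."""
    pairs = sorted(((s, d) for s in src_zones for d in dst_zones),
                   key=lambda p: -(depth(p[0]) + depth(p[1])))
    for s, d in pairs:
        for action, rs, rd, rp, ports in RULES:
            if (rs in (s, "all") and rd in (d, "all") and rp == proto
                    and (ports is None or port in ports)):
                return action
    for s, d in pairs:
        for action, ps, pd in POLICY:
            if ps in (s, "all") and pd in (d, "all"):
                return action
    return None
```

With the first layout a host on eth1.10 is in http only, so the shared "ACCEPT inet loc icmp" rule never reaches it and other ICMP from inet hits the DROP policy; with the second layout it is in both http and loc, the echo-request DROP still applies in the http pair, and remaining ICMP falls through to the parent rule.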