Hello Tom.
>>
>> I would like to protect my laptop with Shorewall in the following
>> network environment :
>> - user machine not acting as a router having 2 network interfaces :
>> eth0 and wan0
>> - 2 zones : local (internal networks) and internet
>> - allow some traffic from the loc zone (ping, SSH) but still protect
>> against incoming traffic from loc as if it came from net (smurfs, tcpflags,
>> etc...)
>>
>>
>> I tried to setup parallel zones in order to fully separate networks.
>> However when looking at the rules generated by Shorewall, it excludes
>> all smurfs and tcpflags checks from loc zone :
>>
>> Chain eth0_in (1 references)
>> pkts bytes target prot opt in out source destination
>> 49 6016 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
>> 105 145K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
>> 49 6016 ~excl0 all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
>> 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
>> 0 0 ~excl1 tcp -- * * 0.0.0.0/0 0.0.0.0/0
>> 49 6016 ~excl4 all -- * * 0.0.0.0/0 0.0.0.0/0
>> 49 6016 loc-fw all -- * * 192.168.50.0/24 0.0.0.0/0
>> 0 0 loc-fw all -- * * 10.30.0.0/19 0.0.0.0/0
>> 0 0 loc-fw all -- * * 172.16.10.0/29 0.0.0.0/0
>>
>> Chain ~excl0 (2 references)
>> pkts bytes target prot opt in out source destination
>> 49 6016 RETURN all -- * * 192.168.50.0/24 0.0.0.0/0
>> 0 0 RETURN all -- * * 10.30.0.0/19 0.0.0.0/0
>> 0 0 RETURN all -- * * 172.16.10.0/29 0.0.0.0/0
>> 0 0 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
>>
>> Chain ~excl1 (2 references)
>> pkts bytes target prot opt in out source destination
>> 0 0 RETURN all -- * * 192.168.50.0/24 0.0.0.0/0
>> 0 0 RETURN all -- * * 10.30.0.0/19 0.0.0.0/0
>> 0 0 RETURN all -- * * 172.16.10.0/29 0.0.0.0/0
>> 0 0 tcpflags all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
>>
>> I'm not sure whether this behaviour is intended, because I did not
>> tell it not to check the loc zone.
>>
>> Also I could not tell Shorewall to consider either eth0 or wlan0 for
>> the loc & net zones. When adding wlan0 in the interfaces file :
>>
>> - eth0 optional,dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,arp_filter=1,arp_ignore=2
>> - wan0 optional,dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,arp_filter=1,arp_ignore=2
>>
>>
>> I'm getting this error : ERROR: A provider interface must have at
>> least one associated zone.
>>
>
> Corrected config files attached.
>
> -Tom
OK, that addresses the case of multiple interfaces sharing multiple zones.
However, I'm puzzled about the configuration with only one network
interface (first part of my email); I'm wondering why the smurfs and
tcpflags checks are not applied to all zones. Did I misread the
iptables rules that have been generated?
Hervé
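The ~excl chains quoted above can be read mechanically: every RETURN rule that precedes the final [goto] names a source range that never reaches the smurfs or tcpflags check. The helper below is an added example, not code from the thread or from Shorewall; it lists those bypassing sources from `iptables -L -v -n` output, and its sample input is constructed in the shape of the quoted chains (same networks, not a capture from the poster's machine).

```shell
#!/bin/sh
# Constructed sample in the shape of `iptables -L -v -n` output (the ~excl
# chains Shorewall generated in the thread); not a real capture.
SAMPLE='Chain ~excl0 (2 references)
 pkts bytes target prot opt in out source destination
   49  6016 RETURN all -- * * 192.168.50.0/24 0.0.0.0/0
    0     0 RETURN all -- * * 10.30.0.0/19 0.0.0.0/0
    0     0 RETURN all -- * * 172.16.10.0/29 0.0.0.0/0
    0     0 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]

Chain ~excl1 (2 references)
 pkts bytes target prot opt in out source destination
    0     0 RETURN all -- * * 192.168.50.0/24 0.0.0.0/0
    0     0 RETURN all -- * * 10.30.0.0/19 0.0.0.0/0
    0     0 RETURN all -- * * 172.16.10.0/29 0.0.0.0/0
    0     0 tcpflags all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
'

# bypassing_sources CHAIN [FILE]
# Print, one per line, the source networks that RETURN from CHAIN before its
# final check target, then "check: <target>" naming the check they skip.
# Reads `iptables -L -v -n` output from FILE, or from stdin when omitted.
# Column layout assumed: pkts bytes target prot opt in out source destination.
bypassing_sources() {
  awk -v want="$1" '
    /^Chain / { chain = $2; next }                 # "Chain NAME (N references)"
    chain != want || NF < 8 || $3 == "target" { next }   # other chain / header
    $3 == "RETURN" { skipped = skipped $8 "\n"; next }   # $8 is the source column
    $NF == "[goto]" { printf "%s", skipped; print "check: " $3; exit }
  ' "${2:--}"
}

# Usage on the constructed sample; on a live box pipe in `iptables -L -v -n`.
printf '%s' "$SAMPLE" | bypassing_sources '~excl0'
```

A chain that has no RETURN rules before its [goto] prints only the `check:` line, which is what you would expect to see if the loc networks were subject to the check.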