Bas van Schaik
2014-Sep-30 16:06 UTC
Dynamically connecting interfaces to zones (goal: different policies/rules depending on whether I'm home, in the office, travelling...)
Hi,

This question might have been answered already, but after an afternoon of Googling I haven't quite found the right search keywords yet.

What I'm trying to do: depending on where my laptop (with Shorewall and OpenVPN) is connected, I'd like to apply different policies in Shorewall.

Whenever I'm travelling:
1) route all traffic over VPN (that's easy enough - not a Shorewall challenge)
2) enforce (1) using Shorewall by rejecting all traffic from $FW to my 'net' zone (except to the VPN server), to avoid leaking information when the VPN client is down. Traffic to the 'vpn' zone should be allowed.

Whenever I'm at home (on my trusted SSID, or using my trusted router), I'd like to:
1) only route VPN-specific traffic through the VPN (again: easy enough)
2) allow all traffic from $FW to anywhere

So far, I've been trying to set this up using dynamic zones:
- zone 'untrustednet' that only allows traffic to my VPN server and is the default zone for eth0 and wlan0 (I'm using both wifi and ethernet)
- zone 'trustednet' that is freely accessible from $FW, and by default not served by any interfaces.

Then, whenever my laptop connects to my trusted home network, I'd like to connect interfaces eth0 and/or wlan0 to the 'trustednet' zone, and disconnect them from the 'untrustednet' zone. Automatically, all policy that applies to either net is enabled/disabled.

This is very similar to the approach described here: http://forums.gentoo.org/viewtopic-p-4970216.html?sid=81e95f6a684dfe2669398947c1421659, but that no longer seems to work. I tried various setups using the documentation at http://shorewall.net/Dynamic.html, but I can't get any of them to work either. I'm using Shorewall 4.6.2, and neither the new nor the old method described in the documentation seems to support the following command: 'shorewall add wlan0 trustednet'. It seems that dynamic zones can only be used to add hosts to and remove hosts from, but not to dynamically connect/disconnect interfaces to?
I feel like I'm barking up the wrong tree, can someone shed some light on this? Completely different approaches (not using dynamic zones) to achieve the goals described above are welcome too.

Thanks,
Bas
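One of the "completely different approaches" the post asks for, written here as an added example (it is not the poster's setup and not a recipe from the Shorewall documentation): instead of moving interfaces between dynamic zones, keep one zones/interfaces definition and switch between two configuration directories that override only 'policy' and 'rules'. Shorewall looks in a directory passed to 'shorewall check <dir>' / 'shorewall restart <dir>' before it looks in /etc/shorewall, so a network hook (NetworkManager dispatcher, ifupdown post-up) only has to decide which profile applies and restart from it. The trusted SSID, the trusted router's MAC address, the VPN server address/port and PROFILE_ROOT are placeholders (assumptions, not values from the post); the detection helpers assume 'ip' and, for wifi, 'iwgetid' are installed.

```shell
#!/bin/sh
# Added example, not code from the original post: choose a Shorewall policy
# profile from the network the laptop is attached to and restart Shorewall
# from that profile's directory. Everything below the "Placeholders" line is
# an assumption to be adjusted locally.
#
# Placeholders: trusted SSID "HomeNet", trusted router MAC 02:00:00:00:00:ab,
# VPN server 203.0.113.1 (TEST-NET-3) on udp/1194, PROFILE_ROOT.
PROFILE_ROOT=${PROFILE_ROOT:-/etc/shorewall/profiles}
VPN_SERVER=203.0.113.1
VPN_PROTO=udp
VPN_PORT=1194

is_trusted_ssid() {
    case $1 in
        "HomeNet") return 0 ;;      # placeholder SSID
    esac
    return 1
}

is_trusted_gateway() {
    case $(printf '%s' "$1" | tr 'A-F' 'a-f') in
        02:00:00:00:00:ab) return 0 ;;   # placeholder router MAC
    esac
    return 1
}

# select_profile SSID GATEWAY_MAC -> prints "trusted" or "untrusted".
# Wired (empty SSID): the gateway MAC must be known. Wireless: the SSID and
# the gateway MAC must both be known. Anything undetectable or unknown falls
# through to "untrusted", i.e. the profile fails closed.
select_profile() {
    ssid=$1; gw=$2
    if [ -z "$gw" ] || ! is_trusted_gateway "$gw"; then
        echo untrusted; return 0
    fi
    if [ -n "$ssid" ] && ! is_trusted_ssid "$ssid"; then
        echo untrusted; return 0
    fi
    echo trusted
}

# write_profiles ROOT: materialise the two profiles. Only 'policy' and
# 'rules' are overridden; zones, interfaces, etc. stay in /etc/shorewall.
write_profiles() {
    root=$1
    mkdir -p "$root/untrusted" "$root/trusted"
    # Travelling: $FW may reach the 'vpn' zone, but nothing on 'net' except
    # the VPN server itself (rules file), so a dead tunnel cannot leak.
    cat > "$root/untrusted/policy" <<'EOF'
#SOURCE DEST    POLICY  LOGLEVEL
$FW     vpn     ACCEPT
$FW     net     REJECT  info
net     all     DROP    info
all     all     REJECT  info
EOF
    cat > "$root/untrusted/rules" <<EOF
#ACTION SOURCE  DEST                    PROTO       DPORT
ACCEPT  \$FW    net:$VPN_SERVER         $VPN_PROTO  $VPN_PORT
EOF
    # At home: $FW may talk to anything; inbound stays closed.
    cat > "$root/trusted/policy" <<'EOF'
#SOURCE DEST    POLICY  LOGLEVEL
$FW     all     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF
    printf '#ACTION SOURCE DEST PROTO DPORT\n' > "$root/trusted/rules"
}

# Detection helpers. Both signals are spoofable; they only pick the
# convenience profile, the VPN remains the actual protection.
current_ssid() {
    command -v iwgetid >/dev/null 2>&1 && iwgetid -r 2>/dev/null || true
}

current_gateway_mac() {
    gw_ip=$(ip -4 route show default 2>/dev/null | awk '{print $3; exit}')
    [ -n "$gw_ip" ] || return 0
    ping -c 1 -W 1 "$gw_ip" >/dev/null 2>&1 || true   # populate the neighbour table
    ip neigh show "$gw_ip" 2>/dev/null |
        awk '{for (i = 1; i <= NF; i++) if ($i == "lladdr") print $(i+1); exit}'
}

apply_profile() {
    dir=$PROFILE_ROOT/$1
    shorewall check "$dir" && shorewall restart "$dir"
}

main() {
    profile=$(select_profile "$(current_ssid)" "$(current_gateway_mac)")
    echo "network profile: $profile"
    apply_profile "$profile"
}

# Run from a network hook as: sh shorewall-profile.sh --apply
case ${1:-} in --apply) main ;; esac
```

Two practical notes: because the untrusted profile rejects everything from $FW to 'net' other than the VPN server, the OpenVPN client must be pointed at the server's IP address (or DNS to a resolver must be explicitly allowed), and the interfaces should carry the 'dhcp' option so address assignment still works. Put the untrusted policy in /etc/shorewall itself as well, so the firewall comes up in the restrictive state at boot before any hook has run.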