On 05/26/2013 08:25 AM, Tom Eastep wrote:
> On 05/26/2013 08:22 AM, Dash Four wrote:
>>
>>
>> Tom Eastep wrote:
>>> On 5/25/13 6:35 PM, "Dash Four" <[email protected]> wrote:
>>>
>>>> Tom Eastep wrote:
>>>>
>>>>> 4.5.17 RC 1 is now available for testing.
>>>>>
>>>>> Changes since Beta 3:
>>>>>
>>>>> 1) A 'local' zone now works correctly with 'destonly' specified on the
>>>>> loopback device.
>>>>>
>>>>>
>>>> ERROR: The local zone may only me assigned to 'lo'
>>>> /etc/shorewall/interfaces
>>>>
>>>> Says who, exactly? I should be able to assign the local zone to
>>>> whichever network adapter I damn well please!
>>>>
>>>
>>> As the Rolling Stones say, you can't always get what you want. Especially
>>> when you ask like that.
>>>
>> Well, in this case, I will have to use start/started to manually delete
>> all the <all>2local and local2<all> crap shorewall placed in my own
>> firewall and be done with it and not bother with this next-to-useless
>> "local" zone option at all.
>>
>> If it was just the loopback interface your recent changes have targeted,
>> then, maybe, just maybe, you should have called this option "loopback"
>> instead to make it clearer.
>>
>> Personally, I won't be using this, as your "local" solution is neither
>> here nor there - my intention was, and always has been, to isolate the
>> local zone from all other zones I have defined (be it based on the
>> loopback interface or lo:X interfaces, or some other interfaces bound to
>> the 127.x.x.x address I have defined in advance) and exercise a degree
>> of control over its traffic. Currently, your "local" solution falls well
>> short of that.
>
> The lo:X thingies are not interfaces; they are simply labeled addresses
> on interface 'lo'.
>
My point is that the iptables match '-i dev:1' never matches when
'dev:1' is a 'virtual' interface on interface 'dev'.
What I can do is allow multiple local zones where nesting is allowed
between local zones. That allows rather fine-grained control over
$FW->$FW traffic based on zones.
Example: The public IP addresses on my gateway are in 70.90.191.120/29.
All policies involving fw and the local zones are ACCEPT and FASTACCEPT=Yes.
/etc/shorewall/zones:

local          local
local1:local   local    #local1 is nested in local

/etc/shorewall/interfaces:

local   lo

/etc/shorewall/hosts:

local1  lo:70.90.191.120/29

This generates the following:

:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
...
:fw-local1 - [0:0]
...
:lo_in - [0:0]
:lo_out - [0:0]
...
:local1-fw - [0:0]
...
-A INPUT -i lo -j lo_in
...
-A OUTPUT -o lo -j lo_out
...
-A fw-local1 -m conntrack --ctstate RELATED -j +fw-local1
-A fw-local1 -j ACCEPT
...
-A lo_in -s 70.90.191.120/29 -j local1-fw
-A lo_in -m conntrack --ctstate RELATED -j +local-fw
-A lo_in -m conntrack --ctstate UNTRACKED -j ~comb0
-A lo_in -j ACCEPT
-A lo_out -d 70.90.191.120/29 -j fw-local1
-A lo_out -m conntrack --ctstate RELATED -j +fw-local
-A lo_out -j ACCEPT
...
-A local1-fw -m conntrack --ctstate RELATED -j +local1-fw
-A local1-fw -m conntrack --ctstate UNTRACKED -j ~comb0
-A local1-fw -j ACCEPT
So when I 'ping 70.90.191.121' from the firewall itself, I see:
Chain fw-local1 (1 references)
 pkts bytes target      prot opt in     out     source               destination
    0     0 +fw-local1  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED
    1    84 ACCEPT      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain local1-fw (1 references)
 pkts bytes target      prot opt in     out     source               destination
    0     0 +local1-fw  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED
    0     0 ~comb0      all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate UNTRACKED
   10   840 ACCEPT      all  --  *      *       0.0.0.0/0            0.0.0.0/0
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
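To make the chain traversal in the post above concrete, here is a small Python evaluator for the quoted iptables-save rules. It is an added example, not Shorewall code or anything from the thread: it understands only the matches those rules use (-i/-o, -s/-d, -m conntrack --ctstate), treats the elided '+...' and '~comb0' helper chains as empty (so a jump into them returns to the caller), and assumes packet fields for the ping case (source address equal to the pinged 70.90.191.121, ctstate NEW). Function names and the packet dictionaries are mine. It shows why a packet to the nested zone's address is dispatched to fw-local1 / local1-fw before the parent 'local' zone's catch-all ACCEPT, while ordinary 127.0.0.1 traffic never leaves lo_in / lo_out.

```python
"""Trace which zone-pair chain a loopback packet reaches in the quoted ruleset.

Added example (not Shorewall's code): a minimal iptables-save evaluator that
implements just enough of rule traversal to follow the chains above.
"""
import ipaddress
import shlex

# Constructed input: the chains quoted in the message, copied verbatim. The
# '+...' and '~comb0' helper chains the message elides are not reproduced,
# so jumping into them falls through to the caller (assumption for illustration).
RULES = """\
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:fw-local1 - [0:0]
:lo_in - [0:0]
:lo_out - [0:0]
:local1-fw - [0:0]
-A INPUT -i lo -j lo_in
-A OUTPUT -o lo -j lo_out
-A fw-local1 -m conntrack --ctstate RELATED -j +fw-local1
-A fw-local1 -j ACCEPT
-A lo_in -s 70.90.191.120/29 -j local1-fw
-A lo_in -m conntrack --ctstate RELATED -j +local-fw
-A lo_in -m conntrack --ctstate UNTRACKED -j ~comb0
-A lo_in -j ACCEPT
-A lo_out -d 70.90.191.120/29 -j fw-local1
-A lo_out -m conntrack --ctstate RELATED -j +fw-local
-A lo_out -j ACCEPT
-A local1-fw -m conntrack --ctstate RELATED -j +local1-fw
-A local1-fw -m conntrack --ctstate UNTRACKED -j ~comb0
-A local1-fw -j ACCEPT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_rules(text):
    """Parse iptables-save lines into (policies, chains).

    policies: {chain: "DROP" | "ACCEPT" | "-"}
    chains:   {chain: [(matches, target), ...]} in rule order
    Only -i/-o, -s/-d and -m conntrack --ctstate are understood.
    """
    policies, chains = {}, {}
    for line in text.splitlines():
        argv = shlex.split(line)
        if not argv:
            continue
        if argv[0].startswith(":"):              # ":CHAIN POLICY [pkts:bytes]"
            policies[argv[0][1:]] = argv[1]
            chains.setdefault(argv[0][1:], [])
            continue
        if argv[0] != "-A":
            continue
        chain, matches, target = argv[1], {}, None
        i = 2
        while i < len(argv):
            tok, val = argv[i], argv[i + 1]
            if tok in ("-s", "-d"):
                matches[tok] = ipaddress.ip_network(val, strict=False)
            elif tok in ("-i", "-o"):
                matches[tok] = val
            elif tok == "--ctstate":
                matches[tok] = set(val.split(","))
            elif tok == "-j":
                target = val
            elif tok != "-m":                    # "-m conntrack" carries no value we need
                raise ValueError(f"unsupported option {tok!r} in: {line}")
            i += 2
        chains.setdefault(chain, []).append((matches, target))
    return policies, chains


def rule_matches(matches, pkt):
    """pkt: dict with optional iif/oif, plus src, dst (strings) and ctstate (string)."""
    for opt, want in matches.items():
        if opt in ("-s", "-d"):
            if ipaddress.ip_address(pkt["src" if opt == "-s" else "dst"]) not in want:
                return False
        elif opt in ("-i", "-o"):
            if pkt.get("iif" if opt == "-i" else "oif") != want:
                return False
        elif opt == "--ctstate" and pkt["ctstate"] not in want:
            return False
    return True


def trace(policies, chains, start, pkt):
    """Return (chains_entered, verdict) for pkt injected into built-in chain start.

    Mirrors iptables traversal: a jump into a user chain that falls off its end
    resumes at the next rule of the caller; falling off a built-in chain yields
    its policy. Chains missing from RULES are treated as empty (see above).
    """
    path = []

    def walk(chain):
        path.append(chain)
        for matches, target in chains.get(chain, []):
            if not rule_matches(matches, pkt):
                continue
            if target in TERMINAL:
                return target
            if target == "RETURN":
                return None
            verdict = walk(target)
            if verdict is not None:
                return verdict
        return None

    verdict = walk(start)
    return path, verdict if verdict is not None else policies.get(start, "-")


def loopback_traces():
    """Three cases: the ping leaving the firewall, the same packet arriving on
    INPUT, and plain 127.0.0.1 traffic that stays in the parent 'local' zone.
    Addresses and ctstate values are assumed, not taken from a capture."""
    policies, chains = parse_rules(RULES)
    ping_out = {"oif": "lo", "src": "70.90.191.121", "dst": "70.90.191.121", "ctstate": "NEW"}
    ping_in = {"iif": "lo", "src": "70.90.191.121", "dst": "70.90.191.121", "ctstate": "NEW"}
    plain_lo = {"oif": "lo", "src": "127.0.0.1", "dst": "127.0.0.1", "ctstate": "NEW"}
    return {
        "ping_out": trace(policies, chains, "OUTPUT", ping_out),
        "ping_in": trace(policies, chains, "INPUT", ping_in),
        "plain_lo": trace(policies, chains, "OUTPUT", plain_lo),
    }


if __name__ == "__main__":
    for name, (path, verdict) in loopback_traces().items():
        print(f"{name:9s} {' -> '.join(path)} => {verdict}")
```

Run stand-alone it prints one traversal per case; the ping ends in fw-local1 (outbound) and local1-fw (inbound) because the /29 match in lo_out and lo_in fires before the chain's final ACCEPT, whereas the 127.0.0.1 packet matches nothing but that ACCEPT, i.e. it is handled by the parent local zone exactly as the post describes.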
_______________________________________________ Shorewall-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-devel
