Hello, everyone.

First, the vitals: Shorewall version 4.0.9, iptables 1.4.0 on kernel 2.6.24.7 (from Mandriva 2008.1). My firewall configuration is running properly. The only nuisance is in something I had to do while configuring sub-zones that I feel I shouldn't have had to do. Clearly this is me being dumber than usual, but I'd like some input on the matter.

We have 3 sites - call them A, B and C. They all form a triangle using Racoon IPsec (i.e. A<->B, B<->C, C<->A). There's NO weird routing through sites for redundancy - if you don't have direct access, you're SOL basically. Each site runs a Linux firewall (yipee!!), with Shorewall on it. Each site is configured pretty much the same.

My grief comes from the sub-zone definition. I'll paint the picture from firewall A's perspective, for simplicity, and use an abbreviated config syntax so as to not bore you with the details:

zones:

    # begin
    fw          ipv4
    BIG         ipv4
    lan:BIG     ipv4
    site_a:BIG  ipsec
    site_b:BIG  ipsec
    net         ipv4
    # end

The intent is to group *ALL* internal networks into the "BIG" zone so I can treat them all as a single unit when writing rules (and going more granular as required).

My problem is that for the above to work, I had to explicitly declare *ALL* the hosts from lan, site_a and site_b in the hosts file as belonging to BIG *in addition to* the declaration for the zones themselves (except lan - that one's based on interfaces, so it wasn't declared in hosts):

interfaces:

    # begin
    lan   $LAN   detect   <flags>
    net   $NET   detect   <flags>
    # end

hosts:

    # begin
    BIG     $LAN:$LAN_IP   <flags>
    BIG     $NET:$B_IP     <flags>,ipsec
    BIG     $NET:$C_IP     <flags>,ipsec
    site_b  $NET:$B_IP     <flags>
    site_c  $NET:$C_IP     <flags>
    # end

What I want to do is be able to have rules such as the following:

    # begin rule-example
    SomeMacro/ACCEPT   BIG          net:1.2.3.4
    OtherMacro/REJECT  net:5.6.7.8  BIG
    # end rule-example

However, I'd like to be able to do that with my hosts file looking like so:

    # begin
    site_b  $NET:$B_IP  <flags>
    site_c  $NET:$C_IP  <flags>
    # end

I.e.: not having to *explicitly* add the host declarations to the actual "BIG" zone, and have that zone include all sub-zones. IMPLICIT_CONTINUE is set to "Yes" in the shorewall.conf file.

I did have to add policies to permit traffic between the sub-zones explicitly (i.e. lan<->c, lan<->b), but that much I did expect and I feel it's correct to have had to do that.

I probably have the nesting stuff bass-ackwards (wouldn't be the first time!), but I'd like some input here on whether I'm off base, or what I missed. I did read the docs and didn't find my exact answer in them...

Thanks for any help!

--
Diego Rivera
Director / System Operations
Roundbox Global : enterprise : technology : genius
Avenida 11 y Calle 7-9, Barrio Amón, San José, Costa Rica
tel: +1 (404) 567-5000 ext. 2147 | cel: +(506) 8393-0772 | fax: +(506) 2258-3695
email: [email protected] | www.rbxglobal.com
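The behaviour the post describes (a parent zone such as BIG does not pick up the members of its sub-zones; each host has to be declared for the parent as well, and IMPLICIT_CONTINUE only governs which rules are tried, not zone membership) is easy to get wrong silently, because a rule written for BIG simply never matches the hosts that were left out. The script below is an added consistency check, not part of this post and not part of Shorewall: it reads the zones, interfaces and hosts files, follows every ZONE:PARENT nesting, and reports each sub-zone member whose interface and network are not contained in some entry of the parent. It treats an interface-based zone as iface:0.0.0.0/0, only understands literal addresses and CIDR prefixes in the hosts file (no ipset or dynamic entries), and the file contents, interface names and addresses embedded in it are constructed stand-ins for the $LAN/$NET/$B_IP/$C_IP variables in the post.

```python
"""Check that every member of a Shorewall sub-zone is also a member of its parent zone.

Added example, not from the original post or from Shorewall. Assumed file layout
(Shorewall 4.x):
  zones:       ZONE[:PARENT[,PARENT...]]  TYPE
  interfaces:  ZONE  INTERFACE  [BROADCAST]  [OPTIONS]
  hosts:       ZONE  INTERFACE:ADDRESS[,INTERFACE:ADDRESS...]  [OPTIONS]
The membership rule enforced here (parents do not inherit their children's hosts)
is the behaviour reported in the post; this script does not query Shorewall itself.
"""
import ipaddress


def _records(text):
    """Yield the whitespace-split fields of each non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_zones(text):
    """zones file -> {zone: [parent, ...]} using the ZONE:PARENT1,PARENT2 syntax."""
    parents = {}
    for fields in _records(text):
        name, _, plist = fields[0].partition(":")
        parents[name] = [p for p in plist.split(",") if p]
    return parents


def parse_members(interfaces_text, hosts_text):
    """interfaces + hosts files -> {zone: [(iface, ip_network), ...]}.

    A zone bound to a whole interface is recorded as iface:0.0.0.0/0 so that
    subnet containment can be tested uniformly against hosts-file entries.
    Only literal addresses / CIDR prefixes are handled (assumption of this example).
    """
    members = {}
    for fields in _records(interfaces_text):
        zone, iface = fields[0], fields[1]
        if zone != "-":  # "-" marks a multi-zone interface that names no zone itself
            members.setdefault(zone, []).append((iface, ipaddress.ip_network("0.0.0.0/0")))
    for fields in _records(hosts_text):
        zone = fields[0]
        for spec in fields[1].split(","):
            iface, _, addr = spec.partition(":")
            members.setdefault(zone, []).append((iface, ipaddress.ip_network(addr, strict=False)))
    return members


def check_nesting(zones_text, interfaces_text, hosts_text):
    """Return [(child, parent, 'iface:network'), ...] for every child member that no
    entry of the parent zone covers (same interface, network contained in parent's)."""
    parents = parse_zones(zones_text)
    members = parse_members(interfaces_text, hosts_text)
    missing = []
    for child, plist in parents.items():
        for parent in plist:
            for iface, net in members.get(child, []):
                covered = any(iface == p_iface and net.subnet_of(p_net)
                              for p_iface, p_net in members.get(parent, []))
                if not covered:
                    missing.append((child, parent, f"{iface}:{net}"))
    return missing


# Constructed sample files mirroring the post (site A's firewall), with stand-in
# interface names and documentation-range addresses instead of $LAN/$NET/$B_IP/$C_IP.
ZONES = """\
fw          firewall
BIG         ipv4
lan:BIG     ipv4
site_b:BIG  ipsec
site_c:BIG  ipsec
net         ipv4
"""
INTERFACES = """\
lan  eth1  detect  tcpflags
net  eth0  detect  tcpflags
"""
# The hosts file the post would like to get away with: nothing declared for BIG.
HOSTS_WANTED = """\
site_b  eth0:192.0.2.2      tcpflags
site_c  eth0:198.51.100.3   tcpflags
"""
# The hosts file that actually works: every sub-zone member repeated under BIG.
HOSTS_WORKING = HOSTS_WANTED + """\
BIG  eth1:0.0.0.0/0      tcpflags
BIG  eth0:192.0.2.2      tcpflags,ipsec
BIG  eth0:198.51.100.3   tcpflags,ipsec
"""

if __name__ == "__main__":
    for child, parent, where in check_nesting(ZONES, INTERFACES, HOSTS_WANTED):
        print(f"{where} is in zone {child} but not in its parent zone {parent}")
```

Run against the "wanted" hosts file it reports three uncovered members (the whole lan interface and both IPsec peers); against the "working" file it reports nothing, which is the state a rule such as `SomeMacro/ACCEPT BIG net:1.2.3.4` needs in order to apply to all three networks. The containment test is per interface on purpose: a hosts entry for BIG on eth0 says nothing about hosts that reach the firewall through eth1.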
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
