Diego Rivera wrote:
>
> My grief comes from the sub-zone definition. I'll paint the picture
> from firewall A's perspective, for simplicity, and use an abbreviated
> config syntax so as to not bore you with the details:
>
> zones:
> # begin
> fw ipv4
> BIG ipv4
> lan:BIG ipv4
> site_a:BIG ipsec
> site_b:BIG ipsec
> net ipv4
> # end
Diego,

The root of your problem comes in the zone definitions. The definitions of the site_a and site_b zones are invalid, although the compiler isn't flagging them as such. Because site_a and site_b are ipsec zones and BIG is an ipv4 zone, site_a and site_b are NOT sub-zones of BIG. Traffic to/from site_a and site_b must always be encrypted; traffic to/from BIG is only encrypted if the hosts file is used to explicitly define encrypted members.

> The intent is to group *ALL* internal networks into the "BIG" zone so I
> can treat them all as a single unit when writing rules (and going more
> granular as required). My problem is that for the above to work, I had
> to explicitly declare *ALL* the hosts from lan, site_a and site_b in the
> hosts file as belonging to BIG *in addition to* the declaration for the
> zones themselves (except lan - that one's based on interfaces so it
> wasn't declared in hosts):
>
> interfaces:
> # begin
> lan $LAN detect <flags>
> net $NET detect <flags>
> # end
>
> hosts:
> # begin
> BIG $LAN:$LAN_IP <flags>
> BIG $NET:$B_IP <flags>,ipsec
> BIG $NET:$C_IP <flags>,ipsec
> site_b $NET:$B_IP <flags>
> site_c $NET:$C_IP <flags>
> # end
>
> What I want to do is be able to have rules such as the following:
>
> # begin rule-example
> SomeMacro/ACCEPT BIG net:1.2.3.4
> OtherMacro/REJECT net:5.6.7.8 BIG
> # end rule-example
>
> However, I'd like to be able to do that with my hosts file looking like so:
>
> # begin
> site_b $NET:$B_IP <flags>
> site_c $NET:$C_IP <flags>
> # end
>
> I.e.: not having to *explicitly* add the host declarations to the actual
> "BIG" zone and have that zone include all subzones.

That is not currently possible.

-Tom
--
Tom Eastep              \ When I die, I want to go like my Grandfather who
Shoreline,               \ died peacefully in his sleep. Not screaming like
Washington, USA           \ all of the passengers in his car
http://shorewall.net       \________________________________________________

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
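Tom's point is that the compiler silently accepts an ipsec zone declared as a sub-zone of an ipv4 zone, even though the nesting has no effect and rules written for BIG will not cover site_a or site_b. The script below is an added example (not from the thread and not Shorewall's own code) that lints a zones file for exactly that mismatch, using Diego's abbreviated zones file from the thread as constructed input. It assumes the simplified `child:parent type` syntax shown in the thread and only the two zone types the thread mentions; the rule it enforces is the one Tom states, not a reproduction of Shorewall's full validation.

```python
"""Lint a Shorewall-style zones file for ipsec zones nested under ipv4 zones.

Added example for the thread above; assumes the abbreviated syntax used there
("name[:parent[,parent...]] type") and is not Shorewall's own checker.
"""

# Constructed sample: Diego's zones file as quoted in the thread.
SAMPLE_ZONES = """\
zones:
# begin
fw ipv4
BIG ipv4
lan:BIG ipv4
site_a:BIG ipsec
site_b:BIG ipsec
net ipv4
# end
"""


def parse_zones(text):
    """Return a list of (zone, parents, type) tuples.

    Comments (#) and blank lines are skipped, as is the bare "zones:" label
    from the abbreviated listing. A missing type defaults to ipv4 (assumption).
    """
    zones = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith(":"):
            continue
        fields = line.split()
        name_field = fields[0]
        ztype = (fields[1] if len(fields) > 1 else "ipv4").lower()
        if ":" in name_field:
            name, parent_list = name_field.split(":", 1)
            parents = [p for p in parent_list.split(",") if p]
        else:
            name, parents = name_field, []
        zones.append((name, parents, ztype))
    return zones


def find_bad_subzones(text):
    """Flag sub-zone declarations that Tom describes as invalid.

    An ipsec zone declared with an ipv4 parent is not really a sub-zone of
    that parent, so rules on the parent will not apply to it. Undeclared
    parents are reported too, since the child cannot nest under anything.
    """
    zones = parse_zones(text)
    types = {name: ztype for name, _, ztype in zones}
    problems = []
    for name, parents, ztype in zones:
        for parent in parents:
            ptype = types.get(parent)
            if ptype is None:
                problems.append((name, parent, "parent zone not declared"))
            elif ztype == "ipsec" and ptype == "ipv4":
                problems.append(
                    (name, parent, "ipsec zone cannot be a sub-zone of ipv4 zone")
                )
    return problems


if __name__ == "__main__":
    for zone, parent, why in find_bad_subzones(SAMPLE_ZONES):
        print(f"{zone}:{parent}  {why}")
```

Run against the sample it reports site_a and site_b, which is the pair Tom says the real compiler lets through; a clean file (for example, BIG itself declared as ipsec, or site_a and site_b declared without a parent) produces no output.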
