Fair enough - I can live with this answer. Thanks, Tom!

Tom Eastep wrote:
Diego Rivera wrote:
My grief comes from the sub-zone definition.  I'll paint the picture
from firewall A's perspective, for simplicity, and use an abbreviated
config syntax so as to not bore you with the details:

zones:
# begin
fw ipv4
BIG ipv4
lan:BIG ipv4
site_a:BIG ipsec
site_b:BIG ipsec
net ipv4
# end

Diego,

The root of your problem comes in the zone definitions. The definitions
of the site_a and site_b zones are invalid, although the compiler isn't
flagging them as such. Because site_a and site_b are ipsec zones and BIG
is an ipv4 zone, site_a and site_b are NOT sub-zones of BIG. Traffic
to/from site_a and site_b must always be encrypted; traffic to/from BIG
is only encrypted if the hosts file is used to explicitly define
encrypted members.

The intent is to group *ALL* internal networks into the "BIG" zone so I
can treat them all as a single unit when writing rules (and going more
granular as required).  My problem is that for the above to work, I had
to explicitly declare *ALL* the hosts from lan, site_a and site_b in the
hosts file as belonging to BIG *in addition to* the declaration for the
zones themselves (except lan - that one's based on interfaces so it
wasn't declared in hosts):

interfaces:
# begin
lan $LAN detect <flags>
net $NET detect <flags>
# end

hosts:
# begin
BIG $LAN:$LAN_IP <flags>
BIG $NET:$B_IP <flags>,ipsec
BIG $NET:$C_IP <flags>,ipsec
site_b $NET:$B_IP <flags>
site_c $NET:$C_IP <flags>
# end

What I want to do is be able to have rules such as the following:

# begin rule-example
SomeMacro/ACCEPT BIG net:1.2.3.4
OtherMacro/REJECT net:5.6.7.8 BIG
# end rule-example

However, I'd like to be able to do that with my hosts file looking like so:

# begin
site_b $NET:$B_IP <flags>
site_c $NET:$C_IP <flags>
# end

I.e.: not having to *explicitly* add the host declarations to the actual
"BIG" zone and have that zone include all subzones.

That is not currently possible.

-Tom

--
Diego Rivera
Director / System Operations
Roundbox Global : enterprise : technology : genius
------------------------------------------------------------------------------------------------------------------
Avenida 11 y Calle 7-9, Barrio Amón, San José, Costa Rica
tel: +1 (404) 567-5000 ext. 2147 | cel: +(506) 8393-0772 | fax: +(506) 2258-3695
email: [email protected] | www.rbxglobal.com
------------------------------------------------------------------------------------------------------------------
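Added example, not from the thread and not Shorewall's own code: a small checker for the nesting rule Tom states above. It parses the abbreviated zones/interfaces/hosts syntax used in the message, flags ipsec zones that name an ipv4 parent (and so are not real sub-zones), and lists which hosts actually end up in BIG under each of the two hosts files Diego shows. The sample data is constructed from the message: $LAN, $NET, $LAN_IP, $B_IP and $C_IP are the thread's own placeholders, and because the posted zones file says site_a where the posted hosts file says site_c, the sample follows the hosts file and declares site_b and site_c (an assumption). The flags column is reduced to the one option that matters here, ipsec.

```python
# Hypothetical checker for the rule "an ipsec zone is not a sub-zone of an
# ipv4 zone": with the hosts file Diego wants, BIG never contains the IPsec
# peers, so "ACCEPT BIG net:1.2.3.4" does not match their traffic.
from dataclasses import dataclass
from typing import Optional

# Constructed input, abbreviated syntax as in the thread (placeholders kept).
ZONES = """
fw ipv4
BIG ipv4
lan:BIG ipv4
site_b:BIG ipsec
site_c:BIG ipsec
net ipv4
"""
INTERFACES = """
lan $LAN detect
net $NET detect
"""
HOSTS_AS_POSTED = """
BIG $LAN:$LAN_IP
BIG $NET:$B_IP ipsec
BIG $NET:$C_IP ipsec
site_b $NET:$B_IP
site_c $NET:$C_IP
"""
HOSTS_DESIRED = """
site_b $NET:$B_IP
site_c $NET:$C_IP
"""


@dataclass(frozen=True)
class Zone:
    name: str
    ztype: str              # ipv4 or ipsec
    parent: Optional[str]   # set when declared as child:parent


def _records(text):
    """Whitespace-split fields of every non-empty, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_zones(text):
    zones = {}
    for fields in _records(text):
        name, _, parent = fields[0].partition(":")
        zones[name] = Zone(name, fields[1], parent or None)
    return zones


def invalid_subzones(zones):
    """(child, parent) pairs that look nested but are not: ipsec under ipv4."""
    bad = []
    for z in zones.values():
        parent = zones.get(z.parent) if z.parent else None
        if parent and z.ztype == "ipsec" and parent.ztype == "ipv4":
            bad.append((z.name, z.parent))
    return bad


def real_subzones(zones, parent):
    """Zones genuinely nested under `parent`, transitively, skipping invalid pairs."""
    bad = set(invalid_subzones(zones))
    found, frontier = set(), [parent]
    while frontier:
        p = frontier.pop()
        for z in zones.values():
            if z.parent == p and (z.name, p) not in bad and z.name not in found:
                found.add(z.name)
                frontier.append(z.name)
    return found


def parse_interfaces(text):
    """(zone, interface) for interface-defined zones."""
    return [(f[0], f[1]) for f in _records(text)]


def parse_hosts(text):
    """(zone, interface, address, options) per hosts line."""
    out = []
    for f in _records(text):
        iface, _, addr = f[1].partition(":")
        opts = set(f[2].split(",")) if len(f) > 2 else set()
        out.append((f[0], iface, addr, opts))
    return out


def members(zone, zones, interfaces, hosts):
    """'iface:addr' entries in `zone` plus its genuine sub-zones; an
    interface-defined zone contributes 'iface:*' (the whole interface)."""
    wanted = {zone} | real_subzones(zones, zone)
    found = {f"{iface}:*" for z, iface in interfaces if z in wanted}
    found |= {f"{iface}:{addr}" for z, iface, addr, _ in hosts if z in wanted}
    return found


if __name__ == "__main__":
    zones = parse_zones(ZONES)
    ifaces = parse_interfaces(INTERFACES)
    print("not real sub-zones:", invalid_subzones(zones))
    print("BIG as posted :", sorted(members("BIG", zones, ifaces, parse_hosts(HOSTS_AS_POSTED))))
    print("BIG as desired:", sorted(members("BIG", zones, ifaces, parse_hosts(HOSTS_DESIRED))))
```

The second and third lines of output make Tom's point concrete: lan is a valid ipv4 sub-zone of BIG and is included without any hosts entry, whereas $B_IP and $C_IP only appear in BIG when the hosts file lists them under BIG explicitly, which is exactly the duplication Diego wanted to avoid.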


Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
