I've got my network logically divided by the last octet of the IP address.
1-9 = reserved for temporary testing systems ONLY
10-63 = reserved for infrastructure devices ("routers", switches, APs, etc.)
64-127 = reserved for dedicated servers (everything is going virtual.
one vmachine per service!)
128-250 = reserved for user devices. Phones, game consoles, laptops and
desktops. The wifi is secured using wpa2-eap-tls and the switch is
secured using radius-eap-tls.
251-254 are reserved for routers. (254 is the currently provided router
IP address from DHCP, 253 was used for testing prior to implementation,
and 251 and 252 are virtual load balancing routers)
So I have some zones: lan, for all of my /24, and some sub zones.
Here's my zones file and my hosts file (vpn isn't implemented right now,
I'm mid-upgrades):
fw firewall
wan ipv4
lan ipv4
vpn ipsec
rts:lan ipv4
srv:lan ipv4
usr:lan ipv4
inf:lan ipv4
tst:lan ipv4

vpn eth0:10.0.129.0/24 ipsec,broadcast,routeback
vpn eth1:10.0.128.0/24 ipsec,broadcast,routeback
rts eth0:10.0.0.254,10.0.0.251,10.0.0.252,10.0.0.253
srv eth0:10.0.0.65/26
usr eth0:10.0.0.128/25
inf eth0:10.0.0.10-10.0.0.64
tst eth0:10.0.0.1-10.0.0.9
My major question is: I want to be able to set up a policy or a rule
similar to:
ACCEPT lan(+all child zones) wan tcp port.
And I also want to know, what happens when a packet is allowed by one
rule, but disallowed by another rule? For example, if I add another
dynamic zone "Special users" (spu:lan), and add someone in the usr zone
to the spu zone. Do they match the usr or the spu, or the lan zone
policy and rule, if the rules are in conflict?
Example rule conflict:
SSH(REJECT) lan $FW
SSH(DROP) usr $FW
SSH(ACCEPT) spu $FW
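Added example (not from the original post and not Shorewall's own code): a small Python helper that parses the hosts file above and reports which configured zones an address falls in, listing the zones whose hosts entries contain it first, then their parents from the zones file. It assumes lan covers 10.0.0.0/24 as the post describes, and it checks address membership only; it makes no claim about the order in which Shorewall evaluates rules.

```python
import ipaddress

# Zone nesting taken from the zones file in the post (child -> parent).
ZONE_PARENT = {"rts": "lan", "srv": "lan", "usr": "lan", "inf": "lan", "tst": "lan"}
# Assumption: the "lan" zone is the whole 10.0.0.0/24 (the post says "all of my /24").
LAN_NET = ipaddress.ip_network("10.0.0.0/24")

# The ipv4 hosts-file lines from the post, embedded here as sample input.
HOSTS = """\
rts eth0:10.0.0.254,10.0.0.251,10.0.0.252,10.0.0.253
srv eth0:10.0.0.65/26
usr eth0:10.0.0.128/25
inf eth0:10.0.0.10-10.0.0.64
tst eth0:10.0.0.1-10.0.0.9
"""


def parse_hosts(text):
    """Return {zone: [(interface, first_ip, last_ip), ...]} from hosts-file text."""
    zones = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        zone, spec = line.split()[:2]          # any options column is ignored here
        iface, _, addrs = spec.partition(":")
        for item in addrs.split(","):
            if "-" in item:                      # range written as first-last
                lo, hi = (ipaddress.ip_address(x) for x in item.split("-"))
            else:                                # single host or CIDR; strict=False so
                net = ipaddress.ip_network(item, strict=False)  # 10.0.0.65/26 -> 10.0.0.64/26
                lo, hi = net[0], net[-1]
            zones.setdefault(zone, []).append((iface, lo, hi))
    return zones


def zones_for(ip, zones, parent=ZONE_PARENT):
    """Zones containing ip: direct hosts-file matches (file order), then their ancestors."""
    addr = ipaddress.ip_address(ip)
    direct = [z for z, spans in zones.items() if any(lo <= addr <= hi for _, lo, hi in spans)]
    if not direct:
        return ["lan"] if addr in LAN_NET else []
    result = list(direct)
    for z in direct:
        p = parent.get(z)
        while p and p not in result:
            result.append(p)
            p = parent.get(p)
    return result
```

Running it over the post's own entries shows that 10.0.0.64 sits in both inf and srv and that the rts router addresses also fall inside usr's /25, which is exactly the kind of overlap the rule-conflict question is about.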
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users