Dear all,
I am running a quite non-standard set-up, where I need to have multiple zones
on one of the bridge ports.
A simplified view of my network is:
NAS/shorewall
lan(bridge) -- eth0 --> lan/router (192.168.0.1) --> internet (DSL)
192.168.0.5 \ tap0 --> vpn
I currently have the following config files:
### interfaces ###
#ZONE INTERFACE BROADCAST OPTIONS
net lan detect bridge,dhcp,nosmurfs,tcpflags
vpn lan:tap0 detect
### hosts ###
#ZONE HOST(S) OPTIONS
lan lan:192.168.0.0/24
### zones ###
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
lan:net ipv4
vpn:net bport
### policy ###
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
# LEVEL BURST MASK
$FW all ACCEPT
lan $FW ACCEPT
lan vpn ACCEPT
lan net ACCEPT
vpn $FW ACCEPT
vpn lan ACCEPT
vpn net ACCEPT
all all REJECT info
### tunnels ###
#TYPE ZONE GATEWAY GATEWAY
# ZONE
openvpnserver net 0.0.0.0/0
While this setup works (kind of), I am unable to filter traffic between lan and
vpn/net zones separately (extract from rules created by shorewall below):
-A INPUT -i lan -j lan_in
-A FORWARD -i lan -j lan_fwd
-A OUTPUT -o lan -j lan_out
-A lan_frwd -o lan -j lan2net
-A lan_fwd -m conntrack --ctstate NEW,INVALID -j dynamic
-A lan_fwd -m conntrack --ctstate NEW,INVALID -j smurfs
-A lan_fwd -p udp --dport 67:68 -o lan -j ACCEPT
-A lan_fwd -p tcp -j tcpflags
-A lan_fwd -s 192.168.0.0/24 -j lan_frwd
-A lan_fwd -m physdev --physdev-in tap0 -j vpn_frwd
-A lan_fwd -j net_frwd
-A lan_in -m conntrack --ctstate NEW,INVALID -j dynamic
-A lan_in -m conntrack --ctstate NEW,INVALID -j smurfs
-A lan_in -p udp --dport 67:68 -j ACCEPT
-A lan_in -p tcp -j tcpflags
-A lan_in -s 192.168.0.0/24 -j lan2fw
-A lan_in -m physdev --physdev-in tap0 -j vpn2fw
-A lan_in -j net2fw
-A lan_out -p udp --dport 67:68 -j ACCEPT
-A lan_out -d 192.168.0.0/24 -j fw2lan
-A lan_out -j fw2net
In the lan_frwd chain there are no --physdev-out or -d entries to divide
forwarded traffic between lan2vpn and lan2net. Similarly, lan_out just
specifies fw2net, without taking into account fw2lan or fw2vpn.
Anything I am doing wrong? (And yes, I know it's generally a bad idea to have
lan and net on the same iface, but in my network setup I have no choice, and
my tiny server has only one eth port.)
Best regards,
Radek
--
Radoslaw Kamil Ejsmont, Ph.D.
http://radoslaw.ejsmont.net
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
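The complaint above is easiest to check mechanically: walk the generated iptables rules, find every jump into a zone-pair chain (lan2net, fw2lan, ...) and record which source/destination matches gate it. The script below is an added example for this purpose; it is not part of the post and not Shorewall's own tooling. It embeds the lan_* chains quoted in the post as constructed input (the vpn_frwd and net_frwd chains were not quoted, so anything reported as "unreached" only reflects this extract), and the zone list, the regex for zone-pair chain names and the set of "discriminating" options are assumptions of the example, not Shorewall definitions.

```python
import re
import shlex
from collections import defaultdict

# Constructed input: the lan_* chains quoted in the post, retyped here.
# Only the chains shown in the extract are included; vpn_frwd/net_frwd are absent.
RULES = """\
-A INPUT -i lan -j lan_in
-A FORWARD -i lan -j lan_fwd
-A OUTPUT -o lan -j lan_out
-A lan_frwd -o lan -j lan2net
-A lan_fwd -m conntrack --ctstate NEW,INVALID -j dynamic
-A lan_fwd -m conntrack --ctstate NEW,INVALID -j smurfs
-A lan_fwd -p udp --dport 67:68 -o lan -j ACCEPT
-A lan_fwd -p tcp -j tcpflags
-A lan_fwd -s 192.168.0.0/24 -j lan_frwd
-A lan_fwd -m physdev --physdev-in tap0 -j vpn_frwd
-A lan_fwd -j net_frwd
-A lan_in -m conntrack --ctstate NEW,INVALID -j dynamic
-A lan_in -m conntrack --ctstate NEW,INVALID -j smurfs
-A lan_in -p udp --dport 67:68 -j ACCEPT
-A lan_in -p tcp -j tcpflags
-A lan_in -s 192.168.0.0/24 -j lan2fw
-A lan_in -m physdev --physdev-in tap0 -j vpn2fw
-A lan_in -j net2fw
-A lan_out -p udp --dport 67:68 -j ACCEPT
-A lan_out -d 192.168.0.0/24 -j fw2lan
-A lan_out -j fw2net
"""

# Zones sharing the bridge in the post (assumption: taken from its zones file).
ZONES = ("lan", "vpn", "net")

# Options that narrow a rule by where a packet came from or is going to.
# Anything else (-p, -m conntrack, --dport ...) does not select a zone.
DISCRIMINATORS = {"-s", "-d", "-i", "-o", "--physdev-in", "--physdev-out"}


def parse_rules(text):
    """Yield (chain, discriminating matches, target) for each '-A' line."""
    for line in text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 2 or tokens[0] != "-A":
            continue
        chain, target, matches = tokens[1], None, []
        i = 2
        while i < len(tokens):
            tok = tokens[i]
            if tok == "-j" and i + 1 < len(tokens):
                target = tokens[i + 1]
                i += 2
            elif tok in DISCRIMINATORS and i + 1 < len(tokens):
                matches.append(f"{tok} {tokens[i + 1]}")
                i += 2
            else:
                i += 1
        yield chain, tuple(matches), target


def zone_pair_re(zones):
    """Regex for chain names of the form <zone>2<zone>, e.g. lan2net, fw2lan."""
    names = "|".join(re.escape(z) for z in (*zones, "fw"))
    return re.compile(rf"^({names})2({names})$")


def dispatch_table(text, zones):
    """chain -> [(zone-pair target, matches gating that jump), ...]

    A jump with an empty match tuple is a catch-all: whatever reaches that
    point in the chain is classified into that zone pair."""
    pair = zone_pair_re(zones)
    table = defaultdict(list)
    for chain, matches, target in parse_rules(text):
        if target and pair.match(target):
            table[chain].append((target, matches))
    return dict(table)


def unreached_pairs(text, zones):
    """Zone pairs (zones + fw, excluding X2X) that no dumped chain jumps to."""
    reached = {t for jumps in dispatch_table(text, zones).values() for t, _ in jumps}
    names = (*zones, "fw")
    wanted = {f"{a}2{b}" for a in names for b in names if a != b}
    return sorted(wanted - reached)


if __name__ == "__main__":
    for chain, jumps in dispatch_table(RULES, ZONES).items():
        for target, matches in jumps:
            print(f"{chain:9} -> {target:8} gated by: {' '.join(matches) or '(nothing)'}")
    print("zone pairs with no jump in this extract:", unreached_pairs(RULES, ZONES))
```

Run against the quoted extract, the table shows lan_frwd reaching only lan2net, gated by nothing more specific than `-o lan` (no `-d`, no `--physdev-out`), and lan_out falling through to fw2net after the single `-d 192.168.0.0/24` test for fw2lan, which is exactly the gap the post describes. The same script can be pointed at a full `iptables-save` dump to check whether the rest of the zone pairs are reached somewhere else.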