> ________________________________
> From: Tom Eastep <[email protected]>
> To: [email protected]
> Sent: Tuesday, August 25, 2015 6:51 PM
> Subject: Re: [Shorewall-users] nested zones
>
>> On 8/25/2015 12:39 AM, Vieri Di Paola wrote:
>> Hi,
>>
>> I'm not sure I correctly understand how nested zones work in Shorewall.
>> My zones file includes these 2 zones:
>>
>> caib ipv4
>> ibs:caib ipv4
>>
>> My policy file is as shown below regarding the ibs child zone alone
>> ("caib ibs CONTINUE" doesn't make much sense, does it?):
>>
>> # grep ibs policy
>> lan ibs CONTINUE info
>> wan ibs CONTINUE info
>> dmz ibs CONTINUE info
>> ibs all CONTINUE info
>> caib ibs CONTINUE info
>> road ibs CONTINUE info
>> vpn1 ibs CONTINUE info
>> vpn2 ibs CONTINUE info
>> ovpn ibs CONTINUE info
>> $FW ibs CONTINUE info
>>
>> As I understand it, client connection requests between e.g. the "lan" zone and the "ibs" zone should first be processed under the "lan/caib" rules and if there is no match then the connection request should be treated under "lan/ibs" rules.
>
> Other way around -- ibs is a sub-zone of caib so the traffic is first
> processed under the lan->ibs rules and if there is no match, it is then
> processed under the lan->caib rules. Note that ibs must actually be a
> sub-zone so that traffic to ibs will also be processed as traffic to caib.

"ibs is a sub-zone of caib so the traffic is first processed under the lan->ibs rules and if there is no match, it is then processed under the lan->caib rules.": got it. In fact I purposely didn't define any specific "ibs" rules and was expecting "caib" rules to be applied to lan->ibs traffic.

"Note that ibs must actually be a sub-zone so that traffic to ibs will also be processed as traffic to caib.": maybe this is the part I don't fully understand. I guess it implies that all parent/child zones must be behind the same network interface? I cannot have a child zone via ethernet interface A and a parent zone via ethernet interface B, right?
Maybe I should have explained my goal right from the start instead of assuming that nested zones were the solution to my issue.

Basically I have a great deal of rules already written for zone "caib" which is behind, let's say, eth0. I recently set up another network interface (say, eth1) and defined the "ibs" zone there, with a link to a remote network that *may* be used as a backup in case the "caib" network link fails. However, when both links are up (not failing) there will be traffic in both zones. The type of traffic will be decided via routing through one interface or the other.

So in short, instead of duplicating all "caib" rules to "ibs" rules by hand (bloated shorewall rules file), is there a way to apply the same "nested zones" principle to zones behind different interfaces in the sense that "traffic to/from ibs zone should be processed under specific ibs rules and if there is no match, it should then be processed under caib rules"?

Just to make things clearer, here's a trimmed-down simple example of what I'd like to achieve.

1) In case both links work:

routes for interface to "caib" zone:
10.215.0.0/17 gw 172.20.11.49
10.215.128.0/20 gw 172.20.11.49
10.215.148.0/22 gw 172.20.11.49
10.215.152.0/21 gw 172.20.11.49
10.215.160.0/19 gw 172.20.11.49
10.215.192.0/19 gw 172.20.11.49
10.215.224.0/20 gw 172.20.11.49
10.215.240.0/22 gw 172.20.11.49
10.215.244.0/23 gw 172.20.11.49
10.215.249.0/24 gw 172.20.11.49
10.215.250.0/23 gw 172.20.11.49
10.215.252.0/22 gw 172.20.11.49

routes for interface to "ibs" zone:
10.215.137.241/32 gw 172.28.17.110
10.215.134.1/32 gw 172.28.17.110
10.215.134.254/32 gw 172.28.17.110

specific "ibs" rules:
ACCEPT lan:10.215.144.48 ibs:10.215.134.254 tcp 22

other "caib" rules applied only if no match for "ibs". Note that an example "caib" rule could be one that uses an IP addr. of a host that is "usually" found in the "ibs" zone:
ACCEPT lan caib:10.215.137.241 all

2) In case only the link to "caib" zone interface fails we route all traffic to the interface on the "ibs" zone (the remote end also does its part):

routes for interface to "ibs" zone:
10.215.137.241/32 gw 172.28.17.110
10.215.134.1/32 gw 172.28.17.110
10.215.134.254/32 gw 172.28.17.110
10.215.0.0/17 gw 172.28.17.110
10.215.128.0/20 gw 172.28.17.110
10.215.152.0/21 gw 172.28.17.110
10.215.160.0/19 gw 172.28.17.110
10.215.192.0/19 gw 172.28.17.110
10.215.224.0/20 gw 172.28.17.110
10.215.240.0/22 gw 172.28.17.110
10.215.244.0/23 gw 172.28.17.110
10.215.249.0/24 gw 172.28.17.110
10.215.250.0/23 gw 172.28.17.110
10.215.252.0/22 gw 172.28.17.110

Since "caib" rules are applied only if there is no match under "ibs" rules then I don't need to worry about access control, just routing. So I won't need to maintain two sets of rules which will be mostly identical ("ibs" and "caib" rules) except for a few specific "ibs" rules.

3) In case only the link to "ibs" zone interface fails we route all traffic to the interface on the "caib" zone:

routes for interface to "caib" zone:
10.215.0.0/17 gw 172.20.11.49
10.215.128.0/20 gw 172.20.11.49
10.215.148.0/22 gw 172.20.11.49
10.215.152.0/21 gw 172.20.11.49
10.215.160.0/19 gw 172.20.11.49
10.215.192.0/19 gw 172.20.11.49
10.215.224.0/20 gw 172.20.11.49
10.215.240.0/22 gw 172.20.11.49
10.215.244.0/23 gw 172.20.11.49
10.215.249.0/24 gw 172.20.11.49
10.215.250.0/23 gw 172.20.11.49
10.215.252.0/22 gw 172.20.11.49
10.215.137.241/32 gw 172.20.11.49
10.215.134.1/32 gw 172.20.11.49
10.215.134.254/32 gw 172.20.11.49

Since "ibs"-specific rules are expendable in my organization's case, access control for important traffic is guaranteed under "caib" rules.
As a final note, I guess I could change my shorewall server's NIC connections and follow this guide:
http://shorewall.net/Multiple_Zones.html#Nested
but I understand I would need to use just one NIC for both zones and I would have 2 routers (172.28.17.110 for "ibs" zone and 172.20.11.49 for "caib" zone) instead of 1 as per the example guide. However, both "caib" and "ibs" links are 100Mbps each and my "internal" NICs are 100Mbps at the moment. If I use just 1 interface then I won't be able to take full advantage of the bandwidth as if I used 2 100Mbps interfaces. Of course I could use a 1Gbps NIC but I don't have that option yet.

However, even if I were to set up a 1Gbps NIC I'd still like to understand the correct use of the CONTINUE keyword. My config would look like this:

/etc/shorewall/zones
lan ipv4
caib ipv4
ibs:caib ipv4

/etc/shorewall/interfaces
caib eth0 -

/etc/shorewall/hosts
ibs eth0:10.215.137.241/32,10.215.134.1/32,10.215.134.254/32 -

/etc/shorewall/policy
all ibs CONTINUE info
ibs all CONTINUE info

Does the above policy mean that specific lan2ibs rules will be applied to traffic from lan to ibs and if there's no match then lan2caib rules will be applied? Does it also mean that ibs2lan rules will be applied first and if no match then caib2lan rules will be applied?

Thanks,
Vieri
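A simplified model of the nested-zone evaluation order discussed in this thread (rules for the child zone pair first, then a CONTINUE policy hands the connection to the parent zone pair), added here as an illustration; it is not part of the thread and not Shorewall's own code. The lan prefix 10.215.144.0/22, the two caib prefixes used for zone membership, the REJECT catch-all policy and the evaluate()/zone_chain() helpers are assumptions; only one side of each pair is nested, as in the config above.

```python
import ipaddress

ZONES = {"lan": None, "caib": None, "ibs": "caib"}   # zones file: child -> parent
HOSTS = {                                            # zone membership by network
    "ibs": ["10.215.137.241/32", "10.215.134.1/32", "10.215.134.254/32"],
    "caib": ["10.215.0.0/17", "10.215.128.0/20"],    # two of the caib routes (assumed)
    "lan": ["10.215.144.0/22"],                      # assumed lan prefix
}
# rules: (action, src_zone, src_net, dst_zone, dst_net, proto, dport); None = any
RULES = [
    ("ACCEPT", "lan", "10.215.144.48", "ibs", "10.215.134.254", "tcp", 22),
    ("ACCEPT", "lan", None, "caib", "10.215.137.241", None, None),
]
# policy: first matching (src, dst) entry wins; the REJECT catch-all is assumed
POLICY = [("all", "ibs", "CONTINUE"), ("ibs", "all", "CONTINUE"),
          ("all", "all", "REJECT")]

def zone_chain(ip):
    """Most specific zone holding ip, then its parents: ['ibs', 'caib'] for an ibs host."""
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(n), z) for z, nets in HOSTS.items() for n in nets]
    best = max((h for h in hits if addr in h[0]), key=lambda h: h[0].prefixlen, default=None)
    chain, zone = [], best[1] if best else None
    while zone:
        chain.append(zone)
        zone = ZONES[zone]
    return chain

def _covers(net, ip):
    return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def evaluate(src_ip, dst_ip, proto, dport):
    """Verdict for a new connection and which rule set or policy produced it."""
    for s in zone_chain(src_ip):
        for d in zone_chain(dst_ip):
            # 1. rules for this exact zone pair, most specific (child) pair first
            for act, sz, sn, dz, dn, p, port in RULES:
                if (sz, dz) == (s, d) and _covers(sn, src_ip) and _covers(dn, dst_ip) \
                        and p in (None, proto) and port in (None, dport):
                    return act, f"rule {s}->{d}"
            # 2. no rule matched: apply the pair's policy; CONTINUE defers to the parent pair
            for ps, pd, act in POLICY:
                if ps in ("all", s) and pd in ("all", d):
                    if act != "CONTINUE":
                        return act, f"policy {s}->{d}"
                    break
    return "REJECT", "no policy"
```

With the two rules from the example, a lan host reaching 10.215.137.241 on a port the ibs rule does not cover falls through lan->ibs via CONTINUE and is accepted by the lan->caib rule, while ibs->lan traffic with no ibs rule is decided by the caib->lan policy.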
