Tom Eastep wrote:
> On Wed, 2007-11-21 at 15:42 -0800, Tom Eastep wrote:
>
>> I guess it makes sense in a way. You want a zone that is defined as "all
>> external hosts that communicate through a particular firewall interface
>> using a particular address on that interface". You are not the first to
>> want to do something like that so it may be something to consider for
>> Shorewall 4.2.
>>
>> It would require some sort of magic in the hosts file such as:
>>
>> net0 eth0:0.0.0.0/0 address=<local ip address>, ...
>>
>> I'll see what I can come up with.
>>
>
> This idea quickly turns sticky. A zone as contemplated seems of little
> practical use except for fw <-> zone rules and policies.
>
> Suppose I have:
>
> /etc/shorewall/zones:
>
> fw firewall
> net1 ipv4
> net2 ipv4
> loc ipv4
>
> /etc/shorewall/interfaces:
>
> - eth0 ...
> loc eth1 ...
>
> /etc/shorewall/hosts:
>
> net1 eth0:0.0.0.0/0 local=206.124.146.176,...
> net2 eth0:0.0.0.0/0 local=206.124.146.177,...
>
> Consider this rule:
>
> DNAT net1 loc:192.168.1.4 tcp 80
>
> That would appear to require that the ORIGINAL DEST column default to
> 206.124.146.176 because that is the local address of net1. In fact, that
> seems like the only possible legitimate value for ORIGINAL DEST as well.
>
> What does this rule mean?
>
> ACCEPT net1 loc all
>
> Or this one?
>
> ACCEPT loc net1 all
>
> How is the local address relevant in that rule? Does it mean that all
> traffic from eth1 through eth0 should be SNATted with the local address
> of net1? Should the local address simply be ignored?
>
> How about this entry in /etc/shorewall/masq?
>
> eth0 eth1 206.124.146.177
>
> And how does it impact the previous rule? Does it mean that loc->net1
> connections are essentially impossible with those two entries?
>
> The way that I would deal with Eric's problem today would be as follows:
>
> /etc/shorewall/params:
>
> IP1=206.124.146.176
> IP2=206.124.146.177
>
> FW1=fw:206.124.146.176
> FW2=fw:206.124.146.177
>
> Then I can have rules:
>
> ACCEPT net $FW1 tcp 22
> ACCEPT net loc all
> DNAT net loc:192.168.1.4 tcp 80 - $IP1
>
> and in /etc/shorewall/masq:
>
> eth0 eth1 $IP2
>
> And the meaning of each entry is clear and unambiguous. On the other
> hand, it appears that defining clear and unambiguous semantic behavior
> for the 'local' address in a host entry would be difficult.
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

Tom & Roberto:
Thanks for the replies. I suppose my main justification for it was to treat each of the interfaces completely independently to allow for individual control to ports by IP, which I understand is a little odd and I'm not even sure it makes sense. After some more thought and reading both of your emails it seems for now my best bet is to follow what Tom wrote in the last email. I think that will work fine for what I am doing and will be the least confusing.

For reference, what I wound up with is:

zones:

fw firewall
net ipv4

interfaces:

net eth0 detect norfc1918,routefilter,dhcp,tcpflags,logmartians,nosmurfs

params:

IP0=<eth0 ip>
IP1=<eth0:0 ip>
IP2=<eth0:1 ip>
IP3=<eth0:2 ip>

FW0=fw:$IP0
FW1=fw:$IP1
FW2=fw:$IP2
FW3=fw:$IP3

hosts:

EMPTY

policy:

$FW net ACCEPT
net $FW DROP info
net all DROP info
all all REJECT info

rules (examples of my test):

Ping/ACCEPT net $FW0
Ping/REJECT net $FW
SSH/ACCEPT net $FW
ACCEPT $FW net icmp

That setup correctly accepts pings on IP0, but rejects the rest. If I change the first two to

Ping/REJECT net $FW0
Ping/ACCEPT net $FW

it rejects on IP0 and accepts on the rest. So I suppose that the simplest solution seems to be the best.

Thanks all.

-Eric
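The behaviour Eric reports (a per-address `fw:$IP0` line placed before the catch-all `$FW` line decides pings to that one address, and everything not matched by a rule falls through to the policy file) comes down to first-match evaluation of the rules file with the policy as fallback. The model below is an added example written for this thread, not Shorewall's code and not Eric's or Tom's. It assumes Shorewall's rules are tried in file order with the first match winning and the policy file consulted only when no rule matches, and that the `Ping/*` macros match ICMP echo-request and `SSH/*` matches TCP port 22. The four firewall addresses are constructed TEST-NET-3 stand-ins for Eric's `<eth0 ip>`, `<eth0:0 ip>`, `<eth0:1 ip>` and `<eth0:2 ip>`; the `Rule`, `Packet`, `macro` and `verdict` names are this example's own.

```python
"""Toy first-match model of the rules and policy files from Eric's reply.

Added example, not Shorewall code. It models only what the thread uses:
zone-to-zone rules with an optional destination address (fw:$IP0 vs $FW),
the Ping/* and SSH/* macros, and the fall-through to the policy file.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins (TEST-NET-3) for Eric's <eth0 ip>, <eth0:0 ip>, ...
IP0, IP1, IP2, IP3 = "203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"
FW_ADDRS = frozenset({IP0, IP1, IP2, IP3})
ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    dst_ip: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # tcp/udp destination port, or icmp type


@dataclass(frozen=True)
class Rule:
    action: str                     # ACCEPT, DROP or REJECT
    src_zone: str
    dst_zone: str
    dst_ip: Optional[str] = None    # None: any address of dst_zone ($FW); set: fw:$IP0
    proto: Optional[str] = None     # None: any protocol
    dport: Optional[int] = None     # None: any port / icmp type

    def matches(self, p: "Packet") -> bool:
        return (self.src_zone == p.src_zone
                and self.dst_zone == p.dst_zone
                and (self.dst_ip is None or self.dst_ip == p.dst_ip)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def macro(spec: str, src: str, dst: str, dst_ip: Optional[str] = None) -> Rule:
    """Expand the two macros the thread uses, e.g. macro("Ping/ACCEPT", "net", "fw", IP0)."""
    name, action = spec.split("/")
    if name == "Ping":
        return Rule(action, src, dst, dst_ip, "icmp", ICMP_ECHO_REQUEST)
    if name == "SSH":
        return Rule(action, src, dst, dst_ip, "tcp", 22)
    raise ValueError(f"macro {name} not modelled")


# Eric's policy file: first matching line wins; "all" is a wildcard.
POLICY = [("fw", "net", "ACCEPT"), ("net", "fw", "DROP"),
          ("net", "all", "DROP"), ("all", "all", "REJECT")]


def verdict(rules, packet: Packet) -> str:
    """First matching rule decides; otherwise the first matching policy line."""
    for r in rules:
        if r.matches(packet):
            return r.action
    for src, dst, action in POLICY:
        if src in ("all", packet.src_zone) and dst in ("all", packet.dst_zone):
            return action
    return "REJECT"  # unreachable while POLICY ends in an all/all line


# Eric's first test: the per-address exception sits before the catch-all $FW line.
RULES_A = [macro("Ping/ACCEPT", "net", "fw", IP0),
           macro("Ping/REJECT", "net", "fw"),
           macro("SSH/ACCEPT", "net", "fw"),
           Rule("ACCEPT", "fw", "net", proto="icmp")]

# Eric's second test: the first two lines swapped, the rest unchanged.
RULES_B = [macro("Ping/REJECT", "net", "fw", IP0),
           macro("Ping/ACCEPT", "net", "fw")] + RULES_A[2:]


def ping(ip: str) -> Packet:
    return Packet("net", "fw", ip, "icmp", ICMP_ECHO_REQUEST)


def verdict_table(rules) -> dict:
    """Verdict for a ping to each firewall address plus two non-ping probes."""
    table = {f"ping {ip}": verdict(rules, ping(ip)) for ip in sorted(FW_ADDRS)}
    table["ssh " + IP2] = verdict(rules, Packet("net", "fw", IP2, "tcp", 22))
    table["http " + IP0] = verdict(rules, Packet("net", "fw", IP0, "tcp", 80))
    return table


if __name__ == "__main__":
    for label, rules in (("rules A", RULES_A), ("rules B", RULES_B)):
        print(label)
        for probe, result in verdict_table(rules).items():
            print(f"  {probe:22} -> {result}")
```

Running it prints the split Eric describes: with rules A only the ping to IP0 is accepted and the other three are rejected, with rules B the reverse, while SSH is accepted on every address and the unmatched HTTP probe falls through to the `net $FW DROP` policy line. The same table makes it easy to see why Tom's `params` approach stays unambiguous: every per-address decision is an explicit line whose position in the file is what decides it.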