[Shorewall-users] Hosts

Jim Hubbard jimh@dyersinc.com
Wed, 10 Apr 2002 12:44:55 -0400


> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net]On Behalf Of Tom Eastep
> Sent: Wednesday, April 10, 2002 12:15 PM
> To: Jim Hubbard
> Cc: shorewall-users@shorewall.net
> Subject: Re: [Shorewall-users] Hosts
>
>
> On Wed, 10 Apr 2002, Jim Hubbard wrote:
>
> > I have a server behind a separate hardware firewall.  The server handles
> > some requests from the local network (smb, web, and mail) and from the
> > internet (web & mail).  I have three zones defined for the server's single
> > interface; adm, loc, and net.  In the hosts file, I defined the first 2 like
> > this:
> >
> > adm		eth0:192.168.0.10		routestopped
> > loc		eth0:192.168.0.0/24	routestopped
> >
> > The adm zone is also filtered by mac in the rules since it gets access to
> > management tools (swat & webmin).  But incoming requests from my net zone,
> > which since undefined should default to (0.0.0.0/0) got dropped by my
> > all2all policy until I specified it in the hosts file like this:
> >
> > net		eth0:0.0.0.0/0
> >
> > Yes, I know my config is somewhat less than ideal, but I've got to make do
> > with the hardware I have for now.  My point is that the zone defaults
> > mentioned in the docs DO need to be specified in the hosts file (at least in
> > this case).
> >
> > From the docs:
> > "If you don't define any hosts for a zone, the hosts in the zone default to
> > i0:0.0.0.0/0 , i1:0.0.0.0/0, ... where i0, i1, ... are the interfaces to the
> > zone.
> >
> > Note 1: You probably DON'T want to specify any hosts for your internet zone
> > since the hosts that you specify will be the only ones that you will be able
> > to access without adding additional rules."
> >
> > Or have I overlooked something?
> >
>
> What do your 'zones' and 'interfaces' files look like?
>

Actually, instead of the IPs listed above, I've defined them as parameters
like this in "params":
ADM_IPS=192.168.0.10
LOC_IPS=192.168.0.0/24
NET_IPS=0.0.0.0/0

So my hosts file is actually:
#ZONE		HOST(S)		OPTIONS
adm		eth0:$ADM_IPS	routestopped
loc		eth0:$LOC_IPS	routestopped
net		eth0:$NET_IPS

I don't know why I prefer it this way; it's just less clutter, I guess.
Anyway here are zones & interfaces:

"zones"
#ZONE	DISPLAY		COMMENTS
adm	Admin		Local Administrator
loc	Local		Local Network
net	Net		Internet

"interfaces"
#ZONE	 INTERFACE	BROADCAST	OPTIONS
-	eth0		192.168.0.255	routestopped,multi,blacklist


> > While I'm at it, how can I deny RFC 1918 IPs in my net zone and still accept
> > them in the others?  The only thing I've come up with is to filter
> > everything in loc by mac address too.
> >
> >
>
> Why do you need to? Doesn't your outer firewall already filter these?

My outer hardware firewall (Netgear RO318) cannot block certain addresses on
the outside from getting in.  A port is either open to everyone (and
forwarded to the server) or it's closed.  Curiously, I can restrict IPs on
the inside from accessing outside services.  Go figure.  Filtering loc by
mac wouldn't be a big deal for me since we only have about 8 local users.  I
was just wondering if there was a better way.


Sincerely,
Jim Hubbard
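A small model of the zone lookup this thread is about, added here as an example and not Shorewall's own code: it reads constructed copies of the params, zones and hosts files quoted above, expands the $NAME parameters, and assumes (as the interfaces entry with zone "-" suggests) that a source address gets the first zone, in zones-file order, whose hosts entry covers it, so a source matching no entry belongs to no zone at all, which is the case the all2all policy caught.

```python
import ipaddress

# Constructed copies of the three files quoted in the thread (not Shorewall's own code).
PARAMS = """ADM_IPS=192.168.0.10
LOC_IPS=192.168.0.0/24
NET_IPS=0.0.0.0/0
"""
ZONES = """#ZONE   DISPLAY   COMMENTS
adm     Admin     Local Administrator
loc     Local     Local Network
net     Net       Internet
"""
HOSTS = """#ZONE   HOST(S)          OPTIONS
adm     eth0:$ADM_IPS    routestopped
loc     eth0:$LOC_IPS    routestopped
net     eth0:$NET_IPS
"""

def data_lines(text):
    """Yield the whitespace-split fields of each non-comment, non-blank line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split()

def parse_params(text):
    # NAME=value lines from the params file
    return dict(l[0].split("=", 1) for l in data_lines(text) if "=" in l[0])

def parse_hosts(text, params):
    """(zone, interface, network) triples, with $NAME expanded from params."""
    entries = []
    for fields in data_lines(text):
        zone, (iface, _, addr) = fields[0], fields[1].partition(":")
        for name, value in params.items():
            addr = addr.replace("$" + name, value)
        entries.append((zone, iface, ipaddress.ip_network(addr, strict=False)))
    return entries

def zone_of(iface, src, zones, hosts):
    """First zone, in zones-file order, whose hosts entry covers src; None if none does."""
    addr = ipaddress.ip_address(src)
    for zone in zones:
        if any(z == zone and i == iface and addr in net for z, i, net in hosts):
            return zone
    return None  # no zone at all: only the all2all policy can match

def classify(src, hosts_text=HOSTS, iface="eth0"):
    """Zone of a packet arriving on iface from src, using the files above."""
    zones = [fields[0] for fields in data_lines(ZONES)]
    return zone_of(iface, src, zones, parse_hosts(hosts_text, parse_params(PARAMS)))
```

Dropping the net line from HOSTS makes an Internet source classify to None, which is the symptom described in the thread; with the line present it lands in net while the RFC 1918 sources still resolve to adm or loc first.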