[Shorewall-users] (no subject)

Tom Eastep teastep@shorewall.net
Thu, 25 Apr 2002 11:54:09 -0700 (Pacific Daylight Time)


On Wed, 24 Apr 2002, Tom Eastep wrote:

> >
> > The whitelist feature is just a way of condescending to people who
> > can't figure out their Shorewall hosts file.  Tom is a crowd-pleaser.
> > ;-)
> >
>
> There is actually a key difference between the use of zones and the
> xxxlist implementations. The lists can be updated using just the refresh
> command whereas changes to zones don't occur until the firewall is totally
> restarted.
>

Using a zone to implement a whitelist of internet sites can also be tricky
in the presence of port forwarding rules. You either have to replicate the
rules for both the 'net' and 'whl' (whitelist) zones or you need to create
an alias zone for 'net' (an 'alias' being a zone with exactly the same
definition):

zones:

net	Internet	The Internet
whl	Whitelist	Trusted Hosts
netp	Internet	The Internet (Policy Zone)

Policies:

net	all		CONTINUE
whl	all		ACCEPT
netp	all		DROP		info

Your port forwarding rules have source zone = 'net'. If a connection
request doesn't match any of those, and the source host is in 'whl' then
the connection request is accepted. Otherwise it is dropped.

Note that any net->x REJECT or DROP rules are going to apply to hosts in
the 'whl' zone, which isn't necessarily what is desired.

The problem here is that when I designed the original model, I (wrongly)
assumed that zones were always going to be disjoint. I considered an
approach that allowed specification of a zone hierarchy but settled on the
'hosts' file and CONTINUE policy because they seemed easier to
implement.

If I decide to do Shorewall II at some point, I'll try to get this aspect
right.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
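The following is an added illustration, not code from the message or from Shorewall itself: a deliberately simplified Python model of the zone-ordering behaviour Tom describes (rules for the source zone are consulted first, then its policy; CONTINUE passes the request on to the next listed zone that contains the source host). The zone membership, the LAN host, the rules and all addresses are constructed assumptions; real Shorewall compiles these files into iptables chains and matches on far more than destination zone, protocol and port.

```python
import ipaddress

# Zones in the order they appear in the zones file quoted in the message.
ZONE_ORDER = ["net", "whl", "netp"]

# Constructed zone membership (assumption, using documentation address ranges):
# 'net' and its alias 'netp' cover the whole Internet, 'whl' a few trusted hosts.
ZONE_MEMBERS = {
    "net": ["0.0.0.0/0"],
    "whl": ["203.0.113.10/32", "198.51.100.0/24"],
    "netp": ["0.0.0.0/0"],
}

# Policies from the message: (source zone, dest zone) -> (action, log level).
POLICIES = {
    ("net", "all"): ("CONTINUE", None),
    ("whl", "all"): ("ACCEPT", None),
    ("netp", "all"): ("DROP", "info"),
}

# Constructed rules: (action, source zone, dest zone, protocol, dest port).
RULES = [
    ("DNAT", "net", "loc", "tcp", 80),  # port-forward web traffic to a LAN host
    ("DROP", "net", "fw", "tcp", 23),   # a net->fw DROP rule (the caveat case)
]


def zones_for(src_ip):
    """Zones whose address lists contain src_ip, in zone-file order."""
    ip = ipaddress.ip_address(src_ip)
    return [z for z in ZONE_ORDER
            if any(ip in ipaddress.ip_network(n) for n in ZONE_MEMBERS[z])]


def decide(src_ip, dest_zone, proto, dport):
    """Return (verdict, deciding zone, log level) for one connection request."""
    for zone in zones_for(src_ip):
        # Rules for this source zone are consulted before its policy.
        for action, szone, dzone, rproto, rport in RULES:
            if (szone == zone and dzone == dest_zone
                    and rproto == proto and rport == dport):
                return action, zone, None
        # No rule matched: the zone's policy decides (specific pair, else 'all').
        action, log = POLICIES.get((zone, dest_zone)) or POLICIES[(zone, "all")]
        if action != "CONTINUE":
            return action, zone, log
        # CONTINUE: fall through to the next zone that contains the source host.
    return "DROP", None, None  # no zone claimed the packet; modelled as a drop


if __name__ == "__main__":
    for request in [("203.0.113.10", "loc", "tcp", 80),   # whitelisted, port-forwarded
                    ("203.0.113.10", "fw", "tcp", 22),    # whitelisted, accepted by whl
                    ("192.0.2.7", "fw", "tcp", 22),       # not whitelisted, dropped by netp
                    ("203.0.113.10", "fw", "tcp", 23)]:   # whitelisted but hit by net->fw DROP
        print(request, "->", decide(*request))
```

The last request is the caveat in the message: the net->fw DROP rule is evaluated while the packet is still being treated as 'net' traffic, so it fires before the 'whl' ACCEPT policy is ever consulted, and the trusted host is dropped.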