1SHOREWALL-NESTING(5)          Configuration Files         SHOREWALL-NESTING(5)
2
3
4

NAME

6       nesting - Shorewall Nested Zones
7

SYNOPSIS

9       child-zone[:parent-zone[,parent-zone]...]
10

DESCRIPTION

12       In shorewall-zones[1](5), a zone may be declared to be a sub-zone of
13       one or more other zones using the above syntax. The child-zone may be
14       neither the firewall zone nor a vserver zone. The firewall zone may not
15       appear as a parent zone, although all vserver zones are handled as
16       sub-zones of the firewall zone.
17
18       Where zones are nested, the CONTINUE policy in shorewall-policy[2](5)
19       allows hosts that are within multiple zones to be managed under the
20       rules of all of these zones.
21

EXAMPLE

23       /etc/shorewall/zones:
24
25                   #ZONE    TYPE        OPTION
26                   fw       firewall
27                   net      ipv4
28                   sam:net  ipv4
29                   loc      ipv4
30
31       /etc/shorewall/interfaces:
32
33                   #ZONE     INTERFACE     BROADCAST     OPTIONS
34                   -         eth0          detect        dhcp,norfc1918
35                   loc       eth1          detect
36
37       /etc/shorewall/hosts:
38
39                   #ZONE     HOST(S)                     OPTIONS
40                   net       eth0:0.0.0.0/0
41                   sam       eth0:206.191.149.197
42
43       /etc/shorewall/policy:
44
45                   #SOURCE      DEST        POLICY       LOG LEVEL
46                   loc          net         ACCEPT
47                   sam          all         CONTINUE
48                   net          all         DROP         info
49                   all          all         REJECT       info
50
51       The second entry above says that when Sam is the client, connection
52       requests should first be processed under rules where the source zone is
53       sam and if there is no match then the connection request should be
54       treated under rules where the source zone is net. It is important that
55       this policy be listed BEFORE the next policy (net to all). You can have
56       this policy generated for you automatically by using the
57       IMPLICIT_CONTINUE option in shorewall.conf[3](5).
58
59       Partial /etc/shorewall/rules:
60
61                   #ACTION   SOURCE    DEST            PROTO    DPORT
62                   ...
63                   DNAT      sam       loc:192.168.1.3 tcp      ssh
64                   DNAT      net       loc:192.168.1.5 tcp      www
65                   ...
66
67       Given these two rules, Sam can connect to the firewall's internet
68       interface with ssh and the connection request will be forwarded to
69       192.168.1.3. Like all hosts in the net zone, Sam can connect to the
70       firewall's internet interface on TCP port 80 and the connection request
71       will be forwarded to 192.168.1.5. The order of the rules is not
72       significant. Sometimes it is necessary to suppress port forwarding for
73       a sub-zone. For example, suppose that all hosts can SSH to the firewall
74       and be forwarded to 192.168.1.5 EXCEPT Sam. When Sam connects to the
75       firewall's external IP, he should be connected to the firewall itself.
76       Because of the way that Netfilter is constructed, this requires two
77       rules as follows:
78
79                   #ACTION   SOURCE    DEST            PROTO    DPORT
80                   ...
81                   ACCEPT+   sam       $FW             tcp      ssh
82                   DNAT      net       loc:192.168.1.3 tcp      ssh
83                   ...
84
85       The first rule allows Sam SSH access to the firewall. The second rule
86       says that any clients from the net zone with the exception of those in
87       the “sam” zone should have their connection port forwarded to
88       192.168.1.3. If you need to exclude more than one zone, simply use
89       multiple ACCEPT+ rules. This technique also may be used when the ACTION
90       is REDIRECT.
91
92       Care must be taken when nesting occurs as a result of the use of
93       wildcard interfaces (interface names ends in '+').
94
95       Here's an example.  /etc/shorewall/zones:
96
97       /etc/shorewall/interfaces:
98
99                   #ZONE    INTERFACE      BROADCAST        OPTIONS
100                   net      ppp0
101                   loc      eth1
102                   loc      ppp+
103                   dmz      eth2
104
105       Because the net zone is declared before the loc zone, net is an
106       implicit sub-zone of loc and in the absence of a net->... CONTINUE
107       policy, traffic from the net zone will not be passed through loc->...
108       rules. But DNAT and REDIRECT rules are an exception!
109
110       ·   DNAT and REDIRECT rules generate two Netfilter rules: a 'nat' table
111           rule that rewrites the destination IP address and/or port number,
112           and a 'filter' table rule that ACCEPTs the rewritten connection.
113
114       ·   Policies only affect the 'filter' table.
115
116       As a consequence, the following rules will have unexpected behavior:
117
118                   #ACTION     SOURCE               DEST      PROTO        DPORT
119                   ACCEPT      net                  dmz       tcp          80
120                   REDIRECT    loc                  3128      tcp          80
121
122       The second rule is intended to redirect local web requests to a proxy
123       running on the firewall and listening on TCP port 3128. But the 'nat'
124       part of that rule will cause all connection requests for TCP port 80
125       arriving on interface ppp+ (including ppp0!) to have their destination
126       port rewritten to 3128. Hence, the web server running in the DMZ will
127       be inaccessible from the web.
128
129       The above problem can be corrected in several ways.
130
131       The preferred way is to use the ifname pppd option to change the 'net'
132       interface to something other than ppp0. That way, it won't match ppp+.
133
134       If you are running Shorewall version 4.1.4 or later, a second way is to
135       simply make the nested zones explicit:
136
137                   #ZONE    TYPE        OPTION
138                   fw       firewall
139                   loc      ipv4
140                   net:loc  ipv4
141                   dmz      ipv4
142
143       If you take this approach, be sure to set IMPLICIT_CONTINUE=No in
144       shorewall.conf.
145
146       When using other Shorewall versions, another way is to rewrite the DNAT
147       rule (assume that the local zone is entirely within 192.168.2.0/23):
148
149                   #ACTION     SOURCE                 DEST      PROTO      DPORT
150                   ACCEPT      net                    dmz       tcp        80
151                   REDIRECT    loc:192.168.2.0/23     3128      tcp        80
152
153       Another way is to restrict the definition of the loc zone:
154
155       /etc/shorewall/interfaces:
156
157                   #ZONE    INTERFACE      BROADCAST        OPTIONS
158                   net      ppp0
159                   loc      eth1
160                   -        ppp+
161                   dmz      eth2
162
163       /etc/shorewall/hosts:
164
165                   #ZONE    HOST(S)             OPTIONS
166                   loc      ppp+:192.168.2.0/23
167

FILES

169       /etc/shorewall/zones
170
171       /etc/shorewall/interfaces
172
173       /etc/shorewall/hosts
174
175       /etc/shorewall/policy
176
177       /etc/shorewall/rules
178
179       /etc/shorewall6/zones
180
181       /etc/shorewall6/interfaces
182
183       /etc/shorewall6/hosts
184
185       /etc/shorewall6/policy
186
187       /etc/shorewall6/rules
188

SEE ALSO

190       shorewall(8), shorewall-accounting(5), shorewall-actions(5),
191       shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
192       shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
193       shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
194       shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
195       shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
196       shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
197       shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
198       shorewall-tunnels(5), shorewall-zones(5)
199

NOTES

201        1. shorewall-zones
202           https://shorewall.org/manpages/shorewall-zones.html
203
204        2. shorewall-policy
205           https://shorewall.org/manpages/shorewall-policy.html
206
207        3. shorewall.conf
208           https://shorewall.org/manpages/shorewall.conf.html
209
210
211
212Configuration Files               01/15/2020              SHOREWALL-NESTING(5)
Impressum