SHOREWALL6-NESTING(5)           [FIXME: manual]          SHOREWALL6-NESTING(5)

NAME

       nesting - shorewall6 Nested Zones


SYNOPSIS

       child-zone[:parent-zone[,parent-zone]...]


DESCRIPTION

       In shorewall6-zones[1](5), a zone may be declared to be a sub-zone of
       one or more other zones using the above syntax. The child-zone may be
       neither the firewall zone nor a vserver zone. The firewall zone may not
       appear as a parent zone, although all vserver zones are handled as
       sub-zones of the firewall zone.

       Where zones are nested, the CONTINUE policy in shorewall6-policy[2](5)
       allows hosts that are within multiple zones to be managed under the
       rules of all of these zones: a connection request is first matched
       against the rules of the most specific (child) zone and, if nothing
       matches there, handed on to the rules of the parent zone.


EXAMPLE

       /etc/shorewall6/zones:

                   #ZONE    TYPE        OPTIONS
                   fw       firewall
                   net      ipv6
                   sam:net  ipv6
                   loc      ipv6

       /etc/shorewall6/interfaces:

                   #ZONE     INTERFACE     BROADCAST     OPTIONS
                   -         eth0          detect        blacklist
                   loc       eth1          detect

       /etc/shorewall6/hosts:

                   #ZONE     HOST(S)                     OPTIONS
                   net       eth0:[::/0]
                   sam       eth0:[2001:19f0:feee::dead:beef:cafe]

       /etc/shorewall6/policy:

                   #SOURCE      DEST        POLICY       LOG LEVEL
                   loc          net         ACCEPT
                   sam          all         CONTINUE
                   net          all         DROP         info
                   all          all         REJECT       info

       The second policy entry above says that when Sam is the client,
       connection requests are first processed under rules where the source
       zone is sam; if there is no match, the request is then treated under
       rules where the source zone is net. Policies are matched in file order
       and Sam's host is also a member of net, so it is important that this
       CONTINUE policy be listed BEFORE the next policy (net to all);
       otherwise the net DROP policy would be applied to Sam first. You can
       have this CONTINUE policy generated for you automatically by setting
       the IMPLICIT_CONTINUE option in shorewall6.conf[3](5).

       Partial /etc/shorewall6/rules:

                   #ACTION   SOURCE    DEST                  PROTO    DEST PORT(S)
                   ...
                   ACCEPT    sam       loc:2001:19f0:feee::3 tcp      ssh
                   ACCEPT    net       loc:2001:19f0:feee::5 tcp      www
                   ...

       Given these two rules, Sam can connect with ssh to 2001:19f0:feee::3.
       Like all hosts in the net zone, Sam can also connect to TCP port 80 on
       2001:19f0:feee::5, because the request falls through from the sam
       rules to the net rules under the CONTINUE policy. The order of the two
       rules is not significant, since they have different source zones.

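       The evaluation described above, as an added example that is not part
       of this manual page or of Shorewall's own code: a small Python model
       that replays the zones, hosts, policy and rules files from the example
       and reports the verdict for a few constructed connection requests,
       including what happens when the sam CONTINUE policy is listed after
       the net-to-all DROP policy. The addresses 2001:db8::1 (some other
       Internet host) and 2001:19f0:feee::9 (a loc host) are constructed for
       the example, and the policy-matching assumption it uses (a policy line
       whose SOURCE names a parent of the client's zone also matches that
       client) is inferred from the ordering requirement stated above, not
       taken from Shorewall's source.

```python
"""Added example (not Shorewall code): a model of how a connection request
is resolved through nested Shorewall6 zones, replaying the zones, hosts,
policy and rules files of the shorewall6-nesting(5) example.

Assumptions (inferred from the manual text, not from Shorewall's source):
  * a policy line matches a client when its SOURCE is 'all', the client's
    zone, or a parent of that zone; the first matching line wins;
  * a CONTINUE policy repeats rule and policy lookup in the parent zone.
"""
import ipaddress

# zones file: child -> parents (fw is never a client here, so it is omitted)
ZONES = {"net": [], "sam": ["net"], "loc": []}

# hosts file: zone -> networks on eth0.  ::/0 is every address, so Sam's
# more specific entry makes that host a member of both sam and net.
HOSTS = {
    "net": [ipaddress.ip_network("::/0")],
    "sam": [ipaddress.ip_network("2001:19f0:feee::dead:beef:cafe/128")],
}

# policy file, in file order: (SOURCE, DEST, POLICY)
POLICY = [
    ("loc", "net", "ACCEPT"),
    ("sam", "all", "CONTINUE"),
    ("net", "all", "DROP"),
    ("all", "all", "REJECT"),
]
# the same lines with CONTINUE listed after 'net all DROP': the ordering the
# manual page warns against
POLICY_MISORDERED = [POLICY[0], POLICY[2], POLICY[1], POLICY[3]]

# rules file: (ACTION, SOURCE zone, DEST zone, DEST host, PROTO, DEST PORT)
RULES = [
    ("ACCEPT", "sam", "loc", "2001:19f0:feee::3", "tcp", 22),
    ("ACCEPT", "net", "loc", "2001:19f0:feee::5", "tcp", 80),
]


def ancestors(zone):
    """Parent zones of zone, nearest first (sam -> ['net'])."""
    out = []
    for parent in ZONES[zone]:
        out.append(parent)
        out.extend(ancestors(parent))
    return out


def zones_of(iface, addr):
    """Zones a host is in, most specific first.  eth1 is wholly loc (from the
    interfaces file); eth0 membership comes from the hosts file."""
    if iface == "eth1":
        return ["loc"]
    ip = ipaddress.ip_address(addr)
    found = [z for z, nets in HOSTS.items() if any(ip in n for n in nets)]
    return sorted(found, key=lambda z: -len(ancestors(z)))


def lookup_policy(src_zone, dst_zone, policy):
    """First policy line whose SOURCE/DEST match the zones or their parents."""
    src_ok = {"all", src_zone, *ancestors(src_zone)}
    dst_ok = {"all", dst_zone, *ancestors(dst_zone)}
    for source, dest, verdict in policy:
        if source in src_ok and dest in dst_ok:
            return verdict
    raise LookupError(f"no policy for {src_zone}->{dst_zone}")


def evaluate(src_iface, src, dst_iface, dst, proto, port, policy=POLICY):
    """Return (verdict, trail): rules of the most specific source zone first,
    then its policy; CONTINUE repeats the process in the parent zone."""
    dst_zone = zones_of(dst_iface, dst)[0]
    zone = zones_of(src_iface, src)[0]
    trail = []
    while True:
        for action, rs, rd, rhost, rproto, rport in RULES:
            if (rs, rd, rhost, rproto, rport) == (zone, dst_zone, dst, proto, port):
                trail.append(f"rule {zone}->{dst_zone}:{rhost} {action}")
                return action, trail
        verdict = lookup_policy(zone, dst_zone, policy)
        trail.append(f"policy {zone}->{dst_zone} {verdict}")
        if verdict != "CONTINUE":
            return verdict, trail
        if not ZONES[zone]:
            raise LookupError(f"CONTINUE in {zone}, which has no parent zone")
        zone = ZONES[zone][0]  # CONTINUE: fall through to the parent zone


SAM = "2001:19f0:feee::dead:beef:cafe"
OTHER = "2001:db8::1"  # constructed: some other Internet host reached via eth0

if __name__ == "__main__":
    for args in [
        ("eth0", SAM, "eth1", "2001:19f0:feee::3", "tcp", 22),
        ("eth0", SAM, "eth1", "2001:19f0:feee::5", "tcp", 80),
        ("eth0", SAM, "eth1", "2001:19f0:feee::5", "tcp", 22),
        ("eth0", OTHER, "eth1", "2001:19f0:feee::3", "tcp", 22),
    ]:
        print(args[1], "->", args[3], "port", args[5], evaluate(*args))
    print("misordered policy:",
          evaluate("eth0", SAM, "eth1", "2001:19f0:feee::5", "tcp", 80,
                   POLICY_MISORDERED))
```

       Run with python3, it prints one line per request with the verdict and
       the trail of rule and policy matches that produced it. The last line
       shows Sam's port 80 traffic being dropped by the sam-to-loc lookup when
       CONTINUE is listed after net-to-all DROP, which is the failure the
       ordering note above guards against.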

FILES

       /etc/shorewall6/zones

       /etc/shorewall6/interfaces

       /etc/shorewall6/hosts

       /etc/shorewall6/policy

       /etc/shorewall6/rules


SEE ALSO

       shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
       shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
       shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
       shorewall6-providers(5), shorewall6-route_rules(5),
       shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
       shorewall6-secmarks(5), shorewall6-tcclasses(5),
       shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
       shorewall6-tunnels(5), shorewall6-zones(5)


NOTES

        1. shorewall6-zones
           http://www.shorewall.net/manpages6/shorewall-zones.html

        2. shorewall6-policy
           http://www.shorewall.net/manpages6/shorewall6-policy.html

        3. shorewall6.conf
           http://www.shorewall.net/manpages6/shorewall6.conf.html

[FIXME: source]                   09/16/2011             SHOREWALL6-NESTING(5)