Provided by: shorewall-common_4.0.6-1_all bug

NAME

       Nesting - Shorewall Nested Zones

SYNOPSIS

       child-zone[: parent-zone[, parent-zone]...]

DESCRIPTION

       In  shorewall-zones  〈shorewall-zones.html〉 (5), a zone may be declared
       to be a sub-zone of one or more other zones using the above syntax.

       Where  zones  are  nested,  the  CONTINUE  policy  in  shorewall-policy
       〈shorewall-policy.html〉 (5) allows hosts that are within multiple zones
       to be managed under the rules of all of these zones.

EXAMPLE

       /etc/shorewall/zones:

               #ZONE    TYPE        OPTION
               fw       firewall
               net      ipv4
               sam:net  ipv4
               loc      ipv4

       /etc/shorewall/interfaces:

               #ZONE     INTERFACE     BROADCAST     OPTIONS
               -         eth0          detect        dhcp,norfc1918
               loc       eth1          detect

       /etc/shorewall/hosts:

               #ZONE     HOST(S)                     OPTIONS
               net       eth0:0.0.0.0/0
               sam       eth0:206.191.149.197

       /etc/shorewall/policy:

               #SOURCE      DEST        POLICY       LOG LEVEL
               loc          net         ACCEPT
               sam          all         CONTINUE
               net          all         DROP         info
               all          all         REJECT       info

       The second entry above says that when Sam  is  the  client,  connection
       requests should first be processed under rules where the source zone is
       sam and if there is no match then  the  connection  request  should  be
       treated  under rules where the source zone is net. It is important that
       this policy be listed BEFORE the next policy (net to all). You can have
       this   policy   generated   for   you   automatically   by   using  the
       IMPLICIT_CONTINUE option in shorewall.conf 〈shorewall.conf.html〉 (5).

       Partial /etc/shorewall/rules:

               #ACTION   SOURCE    DEST            PROTO    DEST PORT(S)
               ...
               DNAT      sam       loc:192.168.1.3 tcp      ssh
               DNAT      net       loc:192.168.1.5 tcp      www
               ...

       Given these two rules, Sam  can  connect  to  the  firewall’s  internet
       interface  with  ssh  and  the  connection request will be forwarded to
       192.168.1.3. Like all hosts in the net zone, Sam  can  connect  to  the
       firewall’s internet interface on TCP port 80 and the connection request
       will be forwarded to  192.168.1.5.  The  order  of  the  rules  is  not
       significant.  Sometimes it is necessary to suppress port forwarding for
       a sub-zone. For example, suppose that all hosts can SSH to the firewall
       and  be  forwarded  to 192.168.1.5 EXCEPT Sam. When Sam connects to the
       firewall’s external IP, he should be connected to the firewall  itself.
       Because  of  the  way  that Netfilter is constructed, this requires two
       rules as follows:

               #ACTION   SOURCE    DEST            PROTO    DEST PORT(S)
               ...
               ACCEPT+   sam       $FW             tcp      ssh
               DNAT      net       loc:192.168.1.3 tcp      ssh
               ...

       The first rule allows Sam SSH access to the firewall. The  second  rule
       says  that any clients from the net zone with the exception of those in
       the  “sam”  zone  should  have  their  connection  port  forwarded   to
       192.168.1.3.  If  you  need  to  exclude more than one zone, simply use
       multiple ACCEPT+ rules. This technique also may be used when the ACTION
       is REDIRECT.

FILES

       /etc/shorewall/zones

       /etc/shorewall/interfaces

       /etc/shorewall/hosts

       /etc/shorewall/policy

       /etc/shorewall/rules

SEE ALSO

       shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-
       blacklist(5), shorewall-hosts(5),  shorewall-interfaces(5),  shorewall-
       ipsec(5),  shorewall-maclist(5),  shorewall-masq(5),  shorewall-nat(5),
       shorewall-netmap(5),     shorewall-params(5),      shorewall-policy(5),
       shorewall-providers(5),        shorewall-proxyarp(5),        shorewall-
       route_rules(5),     shorewall-routestopped(5),      shorewall-rules(5),
       shorewall.conf(5),    shorewall-tcclasses(5),   shorewall-tcdevices(5),
       shorewall-tcrules(5),      shorewall-tos(5),      shorewall-tunnels(5),
       shorewall-zones(5)

                               23 November 2007           shorewall-nesting(5)