Provided by: shorewall-common_4.0.12-1_all

NAME

       Nesting - Shorewall Nested Zones

SYNOPSIS

       child-zone[: parent-zone[, parent-zone]...]

DESCRIPTION

       In  shorewall-zones  〈shorewall-zones.html〉 (5), a zone may be declared
       to be a sub-zone of one or more other zones using the above syntax.

       Where  zones  are  nested,  the  CONTINUE  policy  in  shorewall-policy
       〈shorewall-policy.html〉 (5) allows hosts that are within multiple zones
       to be managed under the rules of all of these zones.

EXAMPLE

       /etc/shorewall/zones:

               #ZONE    TYPE        OPTION
               fw       firewall
               net      ipv4
               sam:net  ipv4
               loc      ipv4

       /etc/shorewall/interfaces:

               #ZONE     INTERFACE     BROADCAST     OPTIONS
               -         eth0          detect        dhcp,norfc1918
               loc       eth1          detect

       /etc/shorewall/hosts:

               #ZONE     HOST(S)                     OPTIONS
               net       eth0:0.0.0.0/0
               sam       eth0:206.191.149.197

       /etc/shorewall/policy:

               #SOURCE      DEST        POLICY       LOG LEVEL
               loc          net         ACCEPT
               sam          all         CONTINUE
               net          all         DROP         info
               all          all         REJECT       info

       The second entry above says that when Sam  is  the  client,  connection
       requests should first be processed under rules where the source zone is
       sam and if there is no match then  the  connection  request  should  be
       treated  under rules where the source zone is net. It is important that
       this policy be listed BEFORE the next policy (net to all). You can have
       this   policy   generated   for   you   automatically   by   using  the
       IMPLICIT_CONTINUE option in shorewall.conf 〈shorewall.conf.html〉 (5).

       Partial /etc/shorewall/rules:

               #ACTION   SOURCE    DEST            PROTO    DEST PORT(S)
               ...
               DNAT      sam       loc:192.168.1.3 tcp      ssh
               DNAT      net       loc:192.168.1.5 tcp      www
               ...

       Given these two rules, Sam  can  connect  to  the  firewall’s  internet
       interface  with  ssh  and  the  connection request will be forwarded to
       192.168.1.3. Like all hosts in the net zone, Sam  can  connect  to  the
       firewall’s internet interface on TCP port 80 and the connection request
       will be forwarded to  192.168.1.5.  The  order  of  the  rules  is  not
       significant.  Sometimes it is necessary to suppress port forwarding for
       a sub-zone. For example, suppose that all hosts can SSH to the firewall
       and  be  forwarded  to 192.168.1.5 EXCEPT Sam. When Sam connects to the
       firewall’s external IP, he should be connected to the firewall  itself.
       Because  of  the  way  that Netfilter is constructed, this requires two
       rules as follows:

               #ACTION   SOURCE    DEST            PROTO    DEST PORT(S)
               ...
               ACCEPT+   sam       $FW             tcp      ssh
               DNAT      net       loc:192.168.1.3 tcp      ssh
               ...

       The first rule allows Sam SSH access to the firewall. The  second  rule
       says  that any clients from the net zone with the exception of those in
       the  “sam”  zone  should  have  their  connection  port  forwarded   to
       192.168.1.3.  If  you  need  to  exclude more than one zone, simply use
       multiple ACCEPT+ rules. This technique also may be used when the ACTION
       is REDIRECT.

       Care  must  be  taken  when  nesting  occurs  as a result of the use of
       wildcard interfaces (interface names that end in ’+’).

       Here’s an example.  /etc/shorewall/zones:

               #ZONE    TYPE        OPTION
               fw       firewall
               net      ipv4
               loc      ipv4
               dmz      ipv4

       /etc/shorewall/interfaces:

               #ZONE    INTERFACE      BROADCAST        OPTIONS
               net      ppp0
               loc      eth1
               loc      ppp+
               dmz      eth2

       Because the net zone is  declared  before  the  loc  zone,  net  is  an
       implicit  sub-zone  of  loc  and  in the absence of a net->... CONTINUE
       policy, traffic from the net zone will not be passed  through  loc->...
       rules. But DNAT and REDIRECT rules are an exception!

       · DNAT  and  REDIRECT rules generate two Netfilter rules: a ’nat’ table
         rule that rewrites the destination IP address and/or port number, and
         a ’filter’ table rule that ACCEPTs the rewritten connection.

       · Policies only affect the ’filter’ table.

       As a consequence, the following rules will have unexpected behavior:

               #ACTION     SOURCE               DEST      PROTO        DEST PORT(S)
               ACCEPT      net                  dmz       tcp          80
               REDIRECT    loc                  3128      tcp          80

       The  second  rule is intended to redirect local web requests to a proxy
       running on the firewall and listening on TCP port 3128. But  the  ’nat’
       part  of  that  rule will cause all connection requests for TCP port 80
       arriving on interface ppp+ (including ppp0!) to have their  destination
       port  rewritten  to 3128. Hence, the web server running in the DMZ will
       be inaccessible from the web.

       The above problem can be corrected in several ways.

       The best way is to use the ifname pppd option to set the net  interface
       to something other than ppp0. That way, the ’net’ interface won’t match
       ppp+.

       A second way is to rewrite the DNAT rule (assume that the local zone is
       entirely within 192.168.2.0/23):

               #ACTION     SOURCE                 DEST      PROTO      DEST PORT(S)
               ACCEPT      net                    dmz       tcp        80
               REDIRECT    loc:192.168.2.0/23     3128      tcp        80

       A  third  way is to exclude ppp0 from DNAT/REDIRECT as a consequence of
       it being in the ’loc’ zone.

       /etc/shorewall/rules:

               #ACTION     SOURCE               DEST      PROTO        DEST PORT(S)
               ACCEPT      net                  dmz       tcp          80
               NONAT       loc:ppp0             fw
               REDIRECT    loc                  3128      tcp          80

       A fourth way is to restrict the definition of the loc zone:

       /etc/shorewall/interfaces:

               #ZONE    INTERFACE      BROADCAST        OPTIONS
               net      ppp0
               loc      eth1
               -        ppp+
               dmz      eth2

       /etc/shorewall/hosts:

               #ZONE    HOST(S)             OPTIONS
               loc      ppp+:192.168.2.0/23
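       The two pitfalls described above (a child-zone CONTINUE policy listed
       after its parent zone's policy, and a DNAT/REDIRECT rule from a zone
       whose wildcard interface also matches another zone's interface) can be
       caught before the configuration is compiled. The following lint script
       is an added example and is not part of Shorewall; it reads the tables
       in the simplified column layout shown on this page (ZONE/INTERFACE,
       SOURCE/DEST/POLICY, ACTION/SOURCE/DEST), not Shorewall's full file
       grammar. Its sample tables are constructed from the examples above,
       and treating a preceding SOURCE of "all" as shadowing a CONTINUE
       policy is this example's own conservative choice.

```python
import re

# Constructed sample tables, taken from the examples in this man page.
ZONES = """\
#ZONE    TYPE
fw       firewall
net      ipv4
sam:net  ipv4
loc      ipv4
"""
# Wrong order: 'net all DROP' is listed before 'sam all CONTINUE'.
POLICY_BAD = """\
#SOURCE   DEST   POLICY     LOG LEVEL
loc       net    ACCEPT
net       all    DROP       info
sam       all    CONTINUE
all       all    REJECT     info
"""
INTERFACES = """\
#ZONE    INTERFACE
net      ppp0
loc      eth1
loc      ppp+
dmz      eth2
"""
RULES = """\
#ACTION     SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT      net      dmz    tcp     80
REDIRECT    loc      3128   tcp     80
"""

def parse(text):
    """Return (line_number, columns) for each non-comment, non-blank row."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].strip()
        if body:
            rows.append((lineno, body.split()))
    return rows

def parent_zones(zones_text):
    """Map each zone to its parents, from the child:parent[,parent] syntax."""
    parents = {}
    for _, cols in parse(zones_text):
        name, _, plist = cols[0].partition(":")
        parents[name] = plist.split(",") if plist else []
    return parents

def check_continue_order(zones_text, policy_text):
    """Flag a child zone's CONTINUE policy that is listed after a policy whose
    SOURCE is one of its parents (or 'all', this example's own conservative
    choice). Returns (child, shadowing_source, continue_line, shadowing_line)."""
    parents = parent_zones(zones_text)
    rows = [(n, c) for n, c in parse(policy_text) if len(c) >= 3]
    problems = []
    for n, cols in rows:
        if cols[2].upper() != "CONTINUE" or not parents.get(cols[0]):
            continue
        for m, pcols in rows:
            if m < n and pcols[0] in parents[cols[0]] + ["all"]:
                problems.append((cols[0], pcols[0], n, m))
    return problems

def wildcard_overlaps(interfaces_text):
    """Return (wild_zone, wild_iface, other_zone, other_iface) for every '+'
    wildcard that also matches a concrete interface assigned to another zone."""
    rows = [(c[0], c[1]) for _, c in parse(interfaces_text) if len(c) >= 2]
    hits = []
    for wz, wi in rows:
        if wz == "-" or not wi.endswith("+"):
            continue
        prefix = wi[:-1]
        for oz, oi in rows:
            if oz not in ("-", wz) and not oi.endswith("+") and oi.startswith(prefix):
                hits.append((wz, wi, oz, oi))
    return hits

def check_nat_leak(interfaces_text, rules_text):
    """Flag DNAT/REDIRECT rules whose unqualified SOURCE is a zone with such an
    overlap, unless a NONAT rule for zone:interface exempts that interface."""
    rules = [c for _, c in parse(rules_text)]
    exempt = {c[1] for c in rules if c[0].upper() == "NONAT" and len(c) > 1}
    findings = []
    for wz, _, oz, oi in wildcard_overlaps(interfaces_text):
        if f"{wz}:{oi}" in exempt:
            continue
        for c in rules:
            if re.match(r"(DNAT|REDIRECT)\b", c[0]) and c[1] == wz:
                findings.append((c[0], wz, oz, oi))
    return findings

if __name__ == "__main__":
    print(check_continue_order(ZONES, POLICY_BAD))  # [('sam', 'net', 4, 3)]
    print(check_nat_leak(INTERFACES, RULES))        # [('REDIRECT', 'loc', 'net', 'ppp0')]
```

       Each of the four corrections above clears the second finding in its own
       way: a NONAT loc:ppp0 line exempts the interface, a host-qualified
       SOURCE such as loc:192.168.2.0/23 is no longer the bare zone name, and
       assigning ppp+ to "-" (or renaming the net interface with the pppd
       ifname option) removes the overlap itself.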

FILES

       /etc/shorewall/zones

       /etc/shorewall/interfaces

       /etc/shorewall/hosts

       /etc/shorewall/policy

       /etc/shorewall/rules

SEE ALSO

       shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-
       blacklist(5),  shorewall-hosts(5),  shorewall-interfaces(5), shorewall-
       ipsec(5),  shorewall-maclist(5),  shorewall-masq(5),  shorewall-nat(5),
       shorewall-netmap(5),      shorewall-params(5),     shorewall-policy(5),
       shorewall-providers(5),        shorewall-proxyarp(5),        shorewall-
       route_rules(5),      shorewall-routestopped(5),     shorewall-rules(5),
       shorewall.conf(5),   shorewall-tcclasses(5),    shorewall-tcdevices(5),
       shorewall-tcrules(5),      shorewall-tos(5),      shorewall-tunnels(5),
       shorewall-zones(5)

                                 24 June 2008             shorewall-nesting(5)