RE: [Shorewall-users] Nested zone problem

[Greg <itd...@co...>]

The order of the entries in the hosts file is significant if one is a
subzone of the other. In other words, list the subzone first.

hosts file:
svr             eth0:192.168.2.54
loc             eth0:192.168.2.0/24



-----Original Message-----
From: sho...@li...
[mailto:sho...@li...]On Behalf Of Ross
Parker
Sent: Friday, April 04, 2003 5:07 PM
To: sho...@li...
Subject: [Shorewall-users] Nested zone problem


Hi,

I'm evaluating Shorewall (looks excellent so far!), but have run into a
problem I can't quite figure...

I'm getting inconsistent results when trying to use a nested zone. I
have a three-zone setup with loc (internal), dmz and net (external)
zones. I want to have one system on my internal net as an admin server
with the ability to pass email & DNS traffic to my DMZ. I'm putting this
server (by itself) in a zone called 'svr' which is nested in zone 'loc'.

With the rules I have set up, as far as I can tell, systems in the 'loc'
zone that are NOT in the 'svr' zone should not get through for this
traffic. The 'loc' zone host I'm using to test is named 'carrera' (the
'svr' zone host is not relevent - it works regardless of what I do).

My test is as follows (all done on 'carrera', the 'loc' zone host),
starting with the firewall turned OFF.

- issue a 'dig' to query the nameserver (on the DMZ, IP 192.168.1.2)

  dig @192.168.1.2 ns1.octigabay.com a

  this succeeds.

- issue a 'shorewall start' command on the firewall.

- re-issue the 'dig' command as above. This FAILS as it should (the
firewall rules should permit only the host in the 'svr' zone to get
through)

- issue a 'shorewall stop' command on the firewall.

- re-issue the 'dig' command. It succeeds.

- issue a 'shorewall start' command on the firewall.

- re-issue the 'dig' command. It SUCCEEDS!! It should not as far as I
can tell!

- issue a 'shorewall stop' command, wait a while (5 minutes?) try again,
the scenario repeats itself.

Running tcpdump on the firewall and on the DNS server in the dmz
verifies that the packets are getting through and are not coming from
some unexpected spot.

I have no resolver set up on the host I'm trying the queries from, nor
do I have one set up on the firewall.



My 'interfaces' file:

-       eth0            detect
dmz     eth1            detect          dropunclean,tcpflags
net     eth2            detect          norfc1918,dropunclean,tcpflags

My 'zones' file:

svr     Server          Internal Server
net     Net             Internet
loc     Local           Local Networks
dmz     DMZ             Demilitarized Zone

My 'hosts' file:

loc             eth0:192.168.2.0/24
svr             eth0:192.168.2.54

My 'policy' file:

svr             all             CONTINUE
loc		dmz		REJECT
loc             net             ACCEPT
net             all             DROP            info
all             all             REJECT          info

My 'rules' file:

ACCEPT  loc     fw      tcp     22
ACCEPT  loc     dmz     tcp     22
ACCEPT  svr     dmz     tcp     53
ACCEPT  svr     dmz     udp     53
ACCEPT  loc     fw      icmp    8
ACCEPT  fw      loc     icmp    8
ACCEPT  dmz     fw      icmp    8
ACCEPT  fw      dmz     icmp    8
ACCEPT  loc     dmz     icmp    8
ACCEPT  dmz     net     icmp    8
ACCEPT  svr     dmz     tcp     25
ACCEPT  dmz     svr     tcp     25
ACCEPT  dmz     net     tcp     25
ACCEPT  net     dmz     tcp     25

My 'routestopped' file:

eth0            -
eth1            -


Any ideas, anyone? This is stumping me...

Cheers,

Ross
--
Ross Parker
OctigaBay Systems Corp.

phone: 604-415-9379 x5453
cell:  604-817-3500

_______________________________________________
Shorewall-users mailing list
Post: Sho...@li...
Subscribe/Unsubscribe:
http://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm