From: Richard N. <rn...@he...> - 2005-01-25 04:03:46
Dear Tom,
Thanks for your email,
Tom Eastep wrote:
> Hello Richard,
>
> Richard wrote:
>
>
>>Firstly, thank you very much - shorewall is great.
>
>
> You're welcome. I'm glad that you find it useful.
>
>
>>I'm not a member of
>>this list, and please forgive me if I am suggesting something stupid,
>>but the following occurs to me, and I thought it might be useful.
>>
>>Why not make it possible to specify zones as well as interfaces in the
>>/etc/shorewall/masq file ?
>>
>>Eg: instead of:
>>
>> eth0 eth1
>>
>>one might write:
>>
>> net loc (or masq in Mandrake).
>>
>>
>>A reason this would be useful is for backup internet connectivity.
>>
>>Eg: local network on eth1, masqueraded. ADSL modem on eth0. Backup dialup
>>modem on ppp0. ppp0 and eth0 are both part of the net zone (in
>>/etc/shorewall/zones); usually only one of the interfaces is working.
>>
>>Here is my /etc/shorewall/masq file. The result works fine, but I think
>>it seems kludgy.
>
>
> What seems kludgy about it?
It seems a bit odd - Shorewall's paradigm seemed to me to be about
routing traffic from one zone to another, rather than from one interface
to another. I wondered where exactly the packets would go, if they had
two alternative destinations.
>
>
>>It's also unclear what might happen if both eth0 and
>>ppp0 were up at the same time.
>>
>
>
> It would work fine -- see Shorewall FAQ 32.
Thanks. Sorry, I didn't have net access at the time I was setting it up,
and was relying only on the comments in the /etc/shorewall/masq file.
Perhaps this is an example worthy of inclusion?
>
>
>>-----------------------------------
>>#Normally, we want to use eth0 (ADSL) for internet access
>>#But in emergencies, use ppp0 instead.
>>eth0 eth1
>>ppp0 eth1
>>------------------------------------
>>
>>
>>[I'm using shorewall-2.0.8-1mdk on Mandrake 10.1. I hope this is useful
>>rather than daft!]
>>
>
>
> Thank you for the suggestion. I'm inclined, however, to reject it on two
> grounds:
>
> 1. In Shorewall, Zones are defined based on security requirements
> whereas Masquerading/SNAT is defined based on routing deficiencies
> (including the use of RFC 1918 addresses which are not
> internet-routable). So while the requirements for using MASQ/SNAT may
> coincide with firewall security requirements in a particular case, there
> is no reason that they should coincide in general.
This makes sense - thank you for the explanation. However, perhaps using
a zone could be parsed correctly in those situations where it is meaningful.
>
> 2. It is not possible to use zone definitions directly in setting up
> MASQ/SNAT rules. That is because zone definitions are typically tied to
> interfaces and rules in the POSTROUTING chain (where MASQ/SNAT is
> specified) cannot be qualified by source interface. So when you write
>
> eth0 eth1
>
> in /etc/shorewall/masq, what Shorewall generates is:
>
> for each route out of eth1
> eth0 <target of the route>
>
> That's why the interface ("eth1" in this case) must be up and running
> when Shorewall starts and also why people get messed up if there are
> hosts connected to eth1 that are managed by Proxy ARP or when they have
> asymmetric routing.
So, why does this work if I bring up ppp0 after shorewall has started?
The following sequence works:
start eth0
start shorewall
stop eth0
start ppp0.
>
> Suppose that zone Z is based on these two /etc/shorewall/hosts entries:
>
> Z eth1:0.0.0.0/0
> Z eth2:192.168.4.9
>
> In that case, Shorewall can't configure Netfilter to match this
> /etc/shorewall/entry:
>
> eth0 Z
>
> Do you see why? (hint: consider traffic from 192.168.4.9 arriving on
> eth3). Then you also see that although Shorewall allows it, even this
> entry cannot be matched exactly:
>
> eth0 eth1
>
> I let myself get talked into allowing interface names in the SUBNET
> column of /etc/shorewall/masq entries and I mildly regret it; I'm not
> inclined to compound the problem by allowing zone names as well.
>
> -Tom
I see!
Perhaps it might be worth adding a sentence like the following (but
better written!) into /etc/shorewall/masq, to prevent against this sort
of confusion:
---------
# Example 6:
#
# You want all traffic from the local zone to be masqueraded
# and sent out to the net zone. In this case, it is necessary
# to specify interfaces rather than zones, but it is OK to
# have more than one destination. Eg eth1 is the internal network;
# eth0 and/or ppp0 are connected to the Internet. For example,
# a DSL internet connection with a dialup system for backup.
#
# eth0 eth1
# ppp0 eth1
#
---------
Best wishes
Richard
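
An added illustration of the expansion Tom describes (this is example code written for this page, not Shorewall's own code). It takes a constructed routing table and a constructed /etc/shorewall/masq in the form Richard posted, substitutes every route out of eth1 for the interface name in the SUBNET column, and emits the nat POSTROUTING commands that result. Because POSTROUTING cannot be qualified by input interface, the rule matcher deliberately ignores the interface a packet arrived on; check_zone_leak() reproduces Tom's hint about 192.168.4.9 arriving on eth3. The sample routes, the helper names and the exact iptables command form are assumptions made here.

```python
import ipaddress

# Constructed sample routing table, roughly what `ip route` prints on the
# gateway in the thread: ADSL on eth0, local LAN (plus a second subnet) on eth1.
SAMPLE_ROUTES = """\
default via 203.0.113.1 dev eth0
203.0.113.0/24 dev eth0  proto kernel  scope link  src 203.0.113.10
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.1
10.8.0.0/24 dev eth1  scope link
"""

# Constructed /etc/shorewall/masq in the form Richard posted.
SAMPLE_MASQ = """\
#INTERFACE SUBNET
eth0       eth1
ppp0       eth1
"""


def parse_routes(text):
    """Map each device to the destination prefixes routed out of it.

    The default route carries no prefix and is skipped, so only real
    subnets end up in the generated -s matches.
    """
    routes = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "default":
            continue
        net = ipaddress.ip_network(fields[0], strict=False)
        dev = fields[fields.index("dev") + 1]
        routes.setdefault(dev, []).append(net)
    return routes


def parse_masq(text):
    """Return (INTERFACE, SUBNET) pairs, ignoring comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out_if, subnet = line.split()[:2]
            entries.append((out_if, subnet))
    return entries


def expand_masq(entries, routes):
    """Expand masq entries into nat POSTROUTING commands (assumed form).

    An interface name in the SUBNET column is replaced by every route out of
    that interface ("for each route out of eth1").  POSTROUTING cannot match
    on the input interface, so each rule is qualified only by the outgoing
    interface (-o) and the source prefix (-s).
    """
    rules = []
    for out_if, subnet in entries:
        if subnet in routes:
            nets = routes[subnet]
        else:
            try:
                nets = [ipaddress.ip_network(subnet, strict=False)]
            except ValueError:
                # Interface named but absent from the routing table: this is
                # the "eth1 must be up when Shorewall starts" failure mode.
                raise RuntimeError(f"no routes out of {subnet}; is it up?")
        for net in nets:
            rules.append(
                f"iptables -t nat -A POSTROUTING -o {out_if} -s {net} -j MASQUERADE"
            )
    return rules


def rule_matches(out_if, net, packet):
    """Decide whether a generated rule hits a packet {src, in_if, out_if}.

    packet["in_if"] is deliberately never consulted: a POSTROUTING rule has
    no way to see it, which is the whole reason zones cannot be used here.
    """
    return packet["out_if"] == out_if and ipaddress.ip_address(packet["src"]) in net


def check_zone_leak():
    """Zone Z = eth1:0.0.0.0/0 plus eth2:192.168.4.9.  Turning those hosts
    entries into -s prefixes makes a packet from 192.168.4.9 that arrives on
    eth3 (not part of Z) match anyway.  Returns the prefixes that hit it."""
    z_prefixes = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("192.168.4.9/32")]
    stray = {"src": "192.168.4.9", "in_if": "eth3", "out_if": "eth0"}
    return [str(n) for n in z_prefixes if rule_matches("eth0", n, stray)]


if __name__ == "__main__":
    for cmd in expand_masq(parse_masq(SAMPLE_MASQ), parse_routes(SAMPLE_ROUTES)):
        print(cmd)
    print("prefixes that catch the eth3 stray:", check_zone_leak())
```

Running it prints four rules, two for eth0 and two for ppp0, each keyed on a LAN prefix rather than on eth1; whichever uplink the packet is actually routed out of is the rule that fires, which is why the eth0/ppp0 pair coexists without conflict.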