[Shorewall-users] Re: Shorewall Question - "$FW" vs "fw", "all" vs "net"?
Tom Eastep
2006-05-14 14:23:44 UTC
> Hi Mr. Eastep.

In the future, please direct your Shorewall questions to the Shorewall

> I've managed to configure Shorewall, on one of our
> router/firewalls. The firewall seems to be working.
Hopefully you followed the instructions in the HOWTOs at
http://www.shorewall.net/shorewall_quickstart_guide.htm.
> However, I have four questions, I was wondering if you
> might answer?
>
> What is the difference between "$FW" and "fw"?
$FW expands the shell variable FW to produce its value. The normal value
of FW is 'fw'. So provided that you defined the firewall zone to be
'fw', there is no difference. (You failed to mention which version of
Shorewall that you installed so I can't be more specific -- FW is
defined differently in Shorewall 3.0 and later vs. earlier versions).
> What is the difference between "all" and "net"?
'all' means ALL ZONES defined in /etc/shorewall/zones (including $FW).
'net' means the zone with the name 'net'.
> ethN:M, i.e. eth0:0?
Please see http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html.
> How can I determine the ip addresses that are mapped
> to "$FW" or "fw"?
Use the command 'ip addr ls'. All IPV4 addresses displayed will be
mapped to the firewall zone.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ ***@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2006-05-14 19:47:37 UTC
> > In the future, please direct your Shorewall
> > questions to the Shorewall
>
> I will do so.

The future is now!

> > Hopefully you followed the instructions in the HOWTOs at
> > http://www.shorewall.net/shorewall_quickstart_guide.htm.
>
> Yes, the quickstart_guide, and the config files as
> well as your recipes. I've just gone back and read
> the FAQs, and the multiple interfaces document you
> suggested.
>
> In the zones file, "net" takes on the value "ipv4", as
> per the shorewall/zones example. When I leave "net"
> unspecified in the hosts file, it appears to behave as
> "all"; however, I notice that some external addresses
> are mapped to loc2all, or fw2all.
99% of Shorewall users have no entries in the /etc/shorewall/hosts file
so I don't understand what you mean by "appears to behave as 'all'".
Please elaborate.

> So, I guess I'm
> having trouble understanding the relationship between
> ipv4 and the shorewall/hosts.
There is none. Entries in /etc/shorewall/zones *declare* zone names and
associate them with a type of zone (net, firewall, or ipv4). THAT IS ALL
THAT THESE ENTRIES DO. The definition of the hosts included in the zone
is done in /etc/shorewall/interfaces and in /etc/shorewall/hosts. When
you associate a zone name with an interface name in
/etc/shorewall/interfaces, that means that the zone consists of all
hosts that communicate with the firewall through that device.

I've changed the wording in the Introduction to Shorewall
(http://www1.shorewall.net/Introduction.html) in an effort to make the
distinction between declaring zones (/etc/shorewall/zones) and defining
their contents (/etc/shorewall/interfaces and /etc/shorewall/hosts).
Hope that helps.

> If I want "net" to
> refer to external addresses (not rfc1918, not
> 127.0.0.0/8 or 169.254.0.0/16) what should I assign to
> "net" in the shorewall/hosts file?
As stated at the top of the /etc/shorewall/hosts file, the *only* time
that you need to use entries in that file is when you have more than one
zone defined through a particular interface.

-Tom
Tom Eastep
2006-05-15 12:04:11 UTC
> Can the future be now instead. No more, I promise.
If you would post to the list, other people could help me try to clear
up your confusion. Since you refuse to do that, you are wasting both my
time and yours.
> When used in shorewall/policies and shorewall/rules
> "all" maps to all valid IP address, or all possible IP
> addresses, I'm not sure which.
I'm going to tell you ONE MORE TIME -- "all" means "all zones".
> When the zone "net" is
> specified as ipv4 in shorewall/zones, and used in
> shorewall/rules, without modification in
> shorewall/hosts the zone "net" also maps to all valid
> IP addresses.
'net' is just an identifier. You could call it 'foo' and it would be no
different. If you have these entries in /etc/shorewall/interfaces:

net eth0
loc eth1

Then 'net' consists of all non-IPSEC IPv4 hosts *accessed through eth0*.
It does not include any hosts accessed through eth1 nor does it include
the firewall itself. 'all' means all non-IPSEC IPv4 hosts accessed
through eth0 plus all non-IPSEC IPv4 hosts accessed through eth1 plus
the firewall itself.
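An added example, not taken from this thread or from Shorewall's own sample files, that lays out the declare-versus-define split described above in Shorewall 3.x file syntax, with FW left at its default value 'fw'. The interface names follow the two entries quoted above; the particular policies and rules are assumed for illustration.

```conf
# /etc/shorewall/zones -- DECLARES zone names and their types, nothing more
#ZONE   TYPE        OPTIONS
fw      firewall
net     ipv4
loc     ipv4

# /etc/shorewall/interfaces -- DEFINES which hosts each zone contains:
# 'net' is every non-IPSEC IPv4 host reached through eth0,
# 'loc' is every non-IPSEC IPv4 host reached through eth1.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,tcpflags
loc     eth1        detect      tcpflags

# /etc/shorewall/hosts -- intentionally empty: only one zone per interface,
# so no entries are needed here.

# /etc/shorewall/policy -- first matching line wins, so order matters.
# $FW expands to 'fw', the firewall zone declared above.
# 'all' means every declared zone: net + loc + fw.
#SOURCE DEST        POLICY      LOG LEVEL
loc     net         ACCEPT
$FW     all         ACCEPT
net     all         DROP        info
all     all         REJECT      info

# /etc/shorewall/rules -- exceptions checked before the policies apply.
# 'net' below covers only hosts arriving via eth0; 'all' in its place
# would also match traffic from loc and from the firewall itself.
#ACTION SOURCE      DEST        PROTO   DEST PORT(S)
ACCEPT  net         $FW         tcp     22
ACCEPT  loc         $FW         udp     53
```

Running `shorewall check` after editing reports any zone that is declared in zones but never given contents in interfaces or hosts.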

-Tom