Whitelisting Under Shorewall

Tom Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.

2016/02/16


White lists are most often used to give special privileges to a set of hosts within an organization. Let us suppose that we have the following environment:

  • A firewall with three interfaces -- one to the Internet, one to a local network and one to a DMZ.

  • The local network uses SNAT to the Internet and is comprised of the Class B network 10.10.0.0/16 (Note: While this example uses an RFC 1918 local network, the technique described here in no way depends on that or on SNAT. It may be used with Proxy ARP, Subnet Routing, Static NAT, etc.).

  • The network operations staff have workstations with IP addresses in the Class C network 10.10.10.0/24.

  • We want the network operations staff to have full access to all other hosts.

  • We want the network operations staff to bypass the transparent HTTP proxy running on our firewall.

The basic approach is to place the operations staff's Class C network in its own zone called ops. Here are the appropriate configuration files:

Zone File
#ZONE      TYPE          OPTIONS
fw         firewall
net        ipv4
ops        ipv4
loc        ipv4
dmz        ipv4

The ops zone has been added to the standard 3-zone zones file -- since ops is a sub-zone of loc, we list it BEFORE loc.

Interfaces File
#ZONE      INTERFACE        BROADCAST        OPTIONS
net        eth0             <whatever>      ...
dmz        eth1             <whatever>      ...
-          eth2             10.10.255.255

Because eth2 interfaces to two zones (ops and loc), we don't specify a zone for it here.

Hosts File
#ZONE      HOST(S)                OPTIONS
ops        eth2:10.10.10.0/24
loc        eth2:0.0.0.0/0

Here we define the ops and loc zones. When Shorewall is stopped, only the hosts in the ops zone will be allowed to access the firewall and the DMZ. I use 0.0.0.0/0 to define the loc zone rather than 10.10.0.0/16 so that the limited broadcast address (255.255.255.255) falls into that zone. If I used 10.10.0.0/16 then I would have to have a separate entry for that special address.
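The following check is an added example, not part of the original article or of Shorewall itself. It models the ordering rule above as "the first zone in zones-file order whose hosts entry covers the address wins" and flags sub-zones declared after their parent. The function names are hypothetical, and it assumes one interface:network entry per hosts line, as in this article.

```python
import ipaddress

# Constructed sample input: the zones and hosts files shown in this article.
ZONES = """\
#ZONE      TYPE          OPTIONS
fw         firewall
net        ipv4
ops        ipv4
loc        ipv4
dmz        ipv4
"""
HOSTS = """\
#ZONE      HOST(S)                OPTIONS
ops        eth2:10.10.10.0/24
loc        eth2:0.0.0.0/0
"""

def rows(text):
    """Yield the whitespace-split columns of each non-comment, non-blank line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def parse(zones_text, hosts_text):
    """Return (zone declaration order, [(zone, interface, network), ...])."""
    order = [cols[0] for cols in rows(zones_text)]
    hosts = []
    for cols in rows(hosts_text):
        iface, net = cols[1].split(":", 1)
        hosts.append((cols[0], iface, ipaddress.ip_network(net)))
    return order, hosts

def zone_of(order, hosts, iface, addr):
    """Simplified model: earliest-declared zone whose hosts entry covers addr."""
    ip = ipaddress.ip_address(addr)
    matches = [z for z, i, n in hosts if i == iface and ip in n]
    return min(matches, key=order.index, default=None)

def misordered_subzones(order, hosts):
    """Return (subzone, parent) pairs where the subzone is declared after its parent."""
    bad = []
    for za, ia, na in hosts:
        for zb, ib, nb in hosts:
            if za != zb and ia == ib and na != nb and na.subnet_of(nb):
                if order.index(za) > order.index(zb):
                    bad.append((za, zb))
    return bad
```

With the files as given, 10.10.10.5 on eth2 resolves to ops and 255.255.255.255 to loc; swapping the ops and loc lines in the zones file makes the check report ("ops", "loc") and the same workstation falls into loc, losing its whitelist.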

Policy File
#SOURCE          DEST         POLICY         LOG LEVEL
ops              all          ACCEPT
all              ops          CONTINUE
loc              net          ACCEPT
net              all          DROP           info
all              all          REJECT         info

Two entries for ops (the first two lines above) have been added to the standard 3-zone policy file.

Rules File
#ACTION   SOURCE      DEST        PROTO        DEST PORT(S)     SOURCE PORT(S)     ORIGINAL DEST
REDIRECT  loc!ops     3128        tcp          http

This is the rule that transparently redirects web traffic to the transparent proxy running on the firewall. The SOURCE column explicitly excludes the ops zone from the rule.

Routestopped File
#INTERFACE          HOST(S)           OPTIONS
eth1
eth2                10.10.10.0/24
