<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Whitelisting Under Shorewall</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="whitelisting_under_shorewall"></a>Whitelisting Under Shorewall</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Tom</span> <span class="surname">Eastep</span></h3></div></div><div><p class="copyright">Copyright © 2002-2005 Thomas M. Eastep</p></div><div><div class="legalnotice"><a id="id269270"></a><p>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
“<span class="quote"><a class="ulink" href="copyright.htm" target="_self">GNU Free Documentation
License</a></span>”.</p></div></div><div><p class="pubdate">2008/12/15</p></div></div><hr /></div><p>White lists are most often used to give special privileges to a set of
hosts within an organization. Let us suppose that we have the following
environment:</p><div class="itemizedlist"><ul type="bullet" compact="compact"><li style="list-style-type: disc"><p>A firewall with three interfaces -- one to the Internet, one to a
local network and one to a <acronym class="acronym">DMZ</acronym>.</p></li><li style="list-style-type: disc"><p>The local network uses <acronym class="acronym">SNAT</acronym> to the Internet and
is comprised of the Class B network <code class="literal">10.10.0.0/16</code>
(Note: While this example uses an RFC 1918 local network, the technique
described here in no way depends on that or on <acronym class="acronym">SNAT</acronym>.
It may be used with Proxy <acronym class="acronym">ARP</acronym>, Subnet Routing, Static
NAT, etc.).</p></li><li style="list-style-type: disc"><p>The network operations staff have workstations with IP addresses
in the Class C network <code class="literal">10.10.10.0/24</code>.</p></li><li style="list-style-type: disc"><p>We want the network operations staff to have full access to all
other hosts.</p></li><li style="list-style-type: disc"><p>We want the network operations staff to bypass the transparent
<acronym class="acronym">HTTP</acronym> proxy running on our firewall.</p></li></ul></div><p>The basic approach will be that we will place the operations staff's
class C in its own zone called ops. Here are the appropriate configuration
files:</p><h5><a id="id257387"></a>Zone File</h5><pre class="programlisting">#ZONE TYPE OPTIONS
fw firewall
net ipv4
ops ipv4
loc ipv4
dmz ipv4</pre><p>The <code class="literal">ops</code> zone has been added to the standard 3-zone
zones file -- since <code class="literal">ops</code> is a sub-zone of
<code class="literal">loc</code>, we list it <span class="emphasis"><em>BEFORE</em></span>
<code class="literal">loc</code>.</p><h5><a id="id257948"></a>Interfaces File</h5><pre class="programlisting">#ZONE INTERFACE BROADCAST OPTIONS
net eth0 <whatever> ...
dmz eth1 <whatever> ...
- eth2 10.10.255.255</pre><p>Because <code class="literal">eth2</code> interfaces to two zones
(<code class="literal">ops</code> and <code class="literal">loc</code>), we don't specify a zone
for it here.</p><h5><a id="id257986"></a>Hosts File</h5><pre class="programlisting">#ZONE HOST(S) OPTIONS
ops eth2:10.10.10.0/24
loc eth2:0.0.0.0/0</pre><p>Here we define the <code class="literal">ops</code> and <code class="literal">loc</code>
zones. When Shorewall is stopped, only the hosts in the
<code class="literal">ops</code> zone will be allowed to access the firewall and the
<acronym class="acronym">DMZ</acronym>. I use <code class="literal">0.0.0.0/0</code> to define the
<code class="literal">loc</code> zone rather than <code class="literal">10.10.0.0/16</code> so
that the limited broadcast address (<code class="literal">255.255.255.255</code>)
falls into that zone. If I used <code class="literal">10.10.0.0/16</code> then I would
have to have a separate entry for that special address.</p><h5><a id="id258276"></a>Policy File</h5><pre class="programlisting">#SOURCE DEST POLICY LOG LEVEL
<span class="bold"><strong>ops all ACCEPT
all ops CONTINUE</strong></span>
loc net ACCEPT
net all DROP info
all all REJECT info</pre><p>Two entries for <code class="literal">ops</code> (in bold) have been added to
the standard 3-zone policy file.</p><h5><a id="id258306"></a>Rules File</h5><pre class="programlisting">#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE PORTS(S) ORIGINAL DEST
REDIRECT loc!ops 3128 tcp http</pre><p>This is the rule that transparently redirects web traffic to the
transparent proxy running on the firewall. The <span class="bold"><strong>SOURCE</strong></span> column explicitly excludes the
<code class="literal">ops</code> zone from the rule.</p><h5><a id="id258337"></a>Routestopped File</h5><pre class="programlisting">#INTERFACE HOST(S) OPTIONS
eth1
eth2 10.10.10.0/24</pre></div></body></html>
