<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Whitelisting Under Shorewall</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="whitelisting_under_shorewall"></a>Whitelisting Under Shorewall</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Tom</span> <span class="surname">Eastep</span></h3></div></div><div><p class="copyright">Copyright © 2002-2005 Thomas M. Eastep</p></div><div><div class="legalnotice"><a id="id269270"></a><p>Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “<span class="quote"><a class="ulink" href="copyright.htm" target="_self">GNU Free Documentation License</a></span>”.</p></div></div><div><p class="pubdate">2008/12/15</p></div></div><hr /></div><p>White lists are most often used to give special privileges to a set of hosts within an organization. Let us suppose that we have the following environment:</p><div class="itemizedlist"><ul type="bullet" compact="compact"><li style="list-style-type: disc"><p>A firewall with three interfaces -- one to the Internet, one to a local network and one to a <acronym class="acronym">DMZ</acronym>.</p></li><li style="list-style-type: disc"><p>The local network uses <acronym class="acronym">SNAT</acronym> to the Internet and is comprised of the Class B network <code class="literal">10.10.0.0/16</code> (Note: While this example uses an RFC 1918 local network, the technique described here in no way depends on that or on <acronym class="acronym">SNAT</acronym>. It may be used with Proxy <acronym class="acronym">ARP</acronym>, Subnet Routing, Static NAT, etc.).</p></li><li style="list-style-type: disc"><p>The network operations staff have workstations with IP addresses in the Class C network <code class="literal">10.10.10.0/24</code>.</p></li><li style="list-style-type: disc"><p>We want the network operations staff to have full access to all other hosts.</p></li><li style="list-style-type: disc"><p>We want the network operations staff to bypass the transparent <acronym class="acronym">HTTP</acronym> proxy running on our firewall.</p></li></ul></div><p>The basic approach will be that we will place the operations staff's class C in its own zone called ops. Here are the appropriate configuration files:</p><h5><a id="id257387"></a>Zone File</h5><pre class="programlisting">#ZONE TYPE OPTIONS fw firewall net ipv4 ops ipv4 loc ipv4 dmz ipv4</pre><p>The <code class="literal">ops</code> zone has been added to the standard 3-zone zones file -- since <code class="literal">ops</code> is a sub-zone of <code class="literal">loc</code>, we list it <span class="emphasis"><em>BEFORE</em></span> <code class="literal">loc</code>.</p><h5><a id="id257948"></a>Interfaces File</h5><pre class="programlisting">#ZONE INTERFACE BROADCAST OPTIONS net eth0 <whatever> ... dmz eth1 <whatever> ... - eth2 10.10.255.255</pre><p>Because <code class="literal">eth2</code> interfaces to two zones (<code class="literal">ops</code> and <code class="literal">loc</code>), we don't specify a zone for it here.</p><h5><a id="id257986"></a>Hosts File</h5><pre class="programlisting">#ZONE HOST(S) OPTIONS ops eth2:10.10.10.0/24 loc eth2:0.0.0.0/0</pre><p>Here we define the <code class="literal">ops</code> and <code class="literal">loc</code> zones. When Shorewall is stopped, only the hosts in the <code class="literal">ops</code> zone will be allowed to access the firewall and the <acronym class="acronym">DMZ</acronym>. I use <code class="literal">0.0.0.0/0</code> to define the <code class="literal">loc</code> zone rather than <code class="literal">10.10.0.0/16</code> so that the limited broadcast address (<code class="literal">255.255.255.255</code>) falls into that zone. If I used <code class="literal">10.10.0.0/16</code> then I would have to have a separate entry for that special address.</p><h5><a id="id258276"></a>Policy File</h5><pre class="programlisting">#SOURCE DEST POLICY LOG LEVEL <span class="bold"><strong>ops all ACCEPT all ops CONTINUE</strong></span> loc net ACCEPT net all DROP info all all REJECT info</pre><p>Two entries for <code class="literal">ops</code> (in bold) have been added to the standard 3-zone policy file.</p><h5><a id="id258306"></a>Rules File</h5><pre class="programlisting">#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE PORTS(S) ORIGINAL DEST REDIRECT loc!ops 3128 tcp http</pre><p>This is the rule that transparently redirects web traffic to the transparent proxy running on the firewall. The <span class="bold"><strong>SOURCE</strong></span> column explicitly excludes the <code class="literal">ops</code> zone from the rule.</p><h5><a id="id258337"></a>Routestopped File</h5><pre class="programlisting">#INTERFACE HOST(S) OPTIONS eth1 eth2 10.10.10.0/24</pre></div></body></html>