
Re: [iptables] Zone based rules



On Tuesday 09 April 2013 at 21:26 +0200, Bastian Blank wrote:
> On Tue, Apr 09, 2013 at 05:41:39PM +0200, Jimmy Thrasibule wrote:
> > I've got a Linux box sitting between different local networks. I'd like
> > to set up access policies between each network so I thought about a zone
> > based firewall.
> > Each zone is responsible for its incoming and outgoing traffic. However
> > this role is played by the same box and if a packet is accepted by a
> > zone, it cannot be denied by another zone.
> 
> Could you explain the theory behind this concept?

I was thinking that it would simplify the set of rules if I divide it
between each interface. It would be like having one firewall for each
network (zone) but on the same machine.

One zone (in fact an interface on the box) would apply its own policy on
traffic coming in and out from it independently from other zones. This
would duplicate rules when talking between zones (ingress rule for a
zone should be duplicated as an egress rule in the other zone) but you
just have to go to the zone of your interest when you want to add or
remove a rule.

It would be like maintaining multiple firewalls for each network.


> I prefer to specify the allowed stuff depending on egress first and
> ingress second, it is pretty easy to understand.

That's what I do usually but this box sits between many networks and
therefore has many interfaces. I

> Also you want to use ferm for iptables-based packet filters.

ferm looks good, I'll take a look.

> Don't mix definitions for ingress and egress traffic. You will allow
> spoofed traffic.

True, but I wanted to have only one entry point for each zone. It would
be better to split ingress and egress.

> >   # Marketing allows any outgoing traffic.
> >   -A MRKT_OUT -j ACCEPT
> 
> Now you accepted ssh to the servers.

Yep and that's the problem. But using RETURN instead of ACCEPT can be a
solution indeed.

--
Jimmy
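The ACCEPT-versus-RETURN point raised above can be made concrete with a small model of how iptables walks chains: ACCEPT and DROP end the decision, RETURN (or falling off the end of a user chain) hands the packet back to the calling chain. The script below is an added example and is not code from either poster; it assumes interface names eth1 (marketing), eth2 (servers) and eth0 (upstream), an assumed marketing prefix 10.1.0.0/16, and a hypothetical SRV_IN chain next to the MRKT_OUT chain from the mail. It shows that `-A MRKT_OUT -j ACCEPT` lets marketing reach ssh on the servers because SRV_IN is never consulted, whereas ending MRKT_OUT with RETURN lets SRV_IN still deny it, and it keeps an anti-spoof rule in MRKT_OUT so the "mixed ingress/egress" caveat is visible too.

```python
"""Toy model of iptables FORWARD-chain traversal for a zone-chain layout.

Added example (not from the original thread). Interface names, the
10.1.0.0/16 prefix and the SRV_IN chain are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

ACCEPT, DROP, RETURN = "ACCEPT", "DROP", "RETURN"


@dataclass
class Packet:
    in_iface: str
    out_iface: str
    src: str
    dport: int


@dataclass
class Rule:
    target: str                       # ACCEPT, DROP, RETURN or a user chain name
    in_iface: Optional[str] = None    # -i
    out_iface: Optional[str] = None   # -o
    dport: Optional[int] = None       # --dport
    src_net: Optional[str] = None     # -s
    invert_src: bool = False          # ! -s

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface is not None and self.in_iface != pkt.in_iface:
            return False
        if self.out_iface is not None and self.out_iface != pkt.out_iface:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.src_net is not None:
            in_net = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
            if in_net == self.invert_src:   # plain -s needs in_net, ! -s needs not in_net
                return False
        return True


def walk(chains: Dict[str, List[Rule]], chain: str, pkt: Packet) -> str:
    """Return ACCEPT/DROP when a terminating target fires, else RETURN."""
    for rule in chains[chain]:
        if not rule.matches(pkt):
            continue
        if rule.target in (ACCEPT, DROP, RETURN):
            return rule.target
        verdict = walk(chains, rule.target, pkt)   # jump into a user chain
        if verdict != RETURN:                      # ACCEPT/DROP inside it ends the walk
            return verdict
    return RETURN  # end of chain: back to the caller (or policy, for FORWARD)


def forward_verdict(chains: Dict[str, List[Rule]], pkt: Packet, policy: str = DROP) -> str:
    verdict = walk(chains, "FORWARD", pkt)
    return policy if verdict == RETURN else verdict


def build_chains(mrkt_out_final: str) -> Dict[str, List[Rule]]:
    """Zone layout: every zone chain is consulted; a zone objects with DROP and
    otherwise hands back (RETURN); FORWARD accepts whatever no zone objected to.
    mrkt_out_final is the last target of MRKT_OUT: ACCEPT (as in the mail) or RETURN."""
    return {
        "FORWARD": [
            Rule("MRKT_OUT", in_iface="eth1"),   # marketing egress zone
            Rule("SRV_IN", out_iface="eth2"),    # server ingress zone (assumed)
            Rule(ACCEPT),                         # no zone objected
        ],
        "MRKT_OUT": [
            Rule(DROP, src_net="10.1.0.0/16", invert_src=True),  # anti-spoof: ! -s 10.1.0.0/16
            Rule(mrkt_out_final),                                 # "any outgoing traffic"
        ],
        "SRV_IN": [
            Rule(RETURN, dport=80),   # servers only expose HTTP
            Rule(DROP),
        ],
    }


if __name__ == "__main__":
    ssh_to_srv = Packet("eth1", "eth2", "10.1.2.3", 22)
    for final in (ACCEPT, RETURN):
        print(f"MRKT_OUT ends with {final:6}: ssh marketing->servers = "
              f"{forward_verdict(build_chains(final), ssh_to_srv)}")
```

With MRKT_OUT ending in ACCEPT the ssh packet is accepted before SRV_IN ever runs; with RETURN it falls through to SRV_IN and is dropped, while HTTP to the servers and traffic towards eth0 are still accepted, and a packet arriving on eth1 with a source outside 10.1.0.0/16 is dropped by the anti-spoof rule in either layout.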

