On Tuesday 09 April 2013 at 21:26 +0200, Bastian Blank wrote:
> On Tue, Apr 09, 2013 at 05:41:39PM +0200, Jimmy Thrasibule wrote:
> > I've got a Linux box sitting between different local networks. I'd like
> > to set up access policies between each network so I thought about a zone
> > based firewall.
> > Each zone is responsible for its incoming and outgoing traffic. However
> > this role is played by the same box and if a packet is accepted by a
> > zone, it cannot be denied by another zone.
> Could you explain the theory behind this concept?

I was thinking that it would simplify the set of rules if I divide it
between each interface. It would be like having one firewall for each
network (zone) but on the same machine. One zone (in fact an interface on
the box) would apply its own policy on traffic coming in and out from it
independently from other zones. This would duplicate rules when talking
between zones (an ingress rule for a zone should be duplicated as an egress
rule in the other zone) but you just have to go to the zone of your
interest when you want to add or remove a rule. It would be like
maintaining multiple firewalls for each network.

> I prefer to specify the allowed stuff depending on egress first and
> ingress second, it is pretty easy to understand.

That's what I do usually but this box sits between many networks and
therefore has many interfaces. I

> Also you want to use ferm for iptables-based packet filters.

ferm looks good, I'll take a look.

> Don't mix definitions for ingress and egress traffic. You will allow
> spoofed traffic.

True, but I wanted to have only one entry point for each zone. It would be
better to split ingress and egress.

> > # Marketing allows any outgoing traffic.
> > -A MRKT_OUT -j ACCEPT
> Now you accepted ssh to the servers.

Yep and that's the problem. But using RETURN instead of ACCEPT can be a
solution indeed.

--
Jimmy
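The ACCEPT-versus-RETURN point raised in the thread, shown as an added example (not code from either poster): a small simulation of how iptables walks the FORWARD chain into per-zone user chains. The zone chain names MRKT_OUT and SRV_IN come from the thread; the interfaces eth1/eth2, the ports and the packets are constructed for illustration.

```python
# Added example: simulate iptables chain traversal to show why
# "-A MRKT_OUT -j ACCEPT" short-circuits the destination zone's ingress
# chain, while "-j RETURN" hands control back to FORWARD so SRV_IN is
# still consulted. Interfaces, ports and packets are constructed here.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    target: str                   # ACCEPT, DROP, RETURN or a user chain
    in_if: Optional[str] = None   # -i match (zone egress: where it came from)
    out_if: Optional[str] = None  # -o match (zone ingress: where it goes)
    proto: Optional[str] = None   # -p match
    dport: Optional[int] = None   # --dport match


@dataclass
class Packet:
    in_if: str
    out_if: str
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule with no match fields matches everything, as in iptables."""
    return all(want is None or want == have for want, have in (
        (rule.in_if, pkt.in_if), (rule.out_if, pkt.out_if),
        (rule.proto, pkt.proto), (rule.dport, pkt.dport)))


def walk(chains: Dict[str, List[Rule]], name: str, pkt: Packet) -> Optional[str]:
    """Return ACCEPT/DROP when a terminating target fires; None means the
    chain ended (or hit RETURN) and control goes back to the caller."""
    for rule in chains[name]:
        if not matches(rule, pkt):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        if rule.target == "RETURN":
            return None
        verdict = walk(chains, rule.target, pkt)  # jump into a user chain
        if verdict is not None:
            return verdict
    return None


def build_chains(mrkt_out_target: str) -> Dict[str, List[Rule]]:
    """FORWARD dispatches to the source zone's egress chain and then to the
    destination zone's ingress chain; the final DROP is the chain policy."""
    return {
        "FORWARD": [Rule("MRKT_OUT", in_if="eth1"),   # marketing zone egress
                    Rule("SRV_IN", out_if="eth2"),    # servers zone ingress
                    Rule("DROP")],
        "MRKT_OUT": [Rule(mrkt_out_target)],          # "allows any outgoing"
        "SRV_IN": [Rule("ACCEPT", proto="tcp", dport=80),  # servers: web only
                   Rule("DROP", proto="tcp", dport=22)],   # no ssh from zones
    }


def verdict(mrkt_out_target: str, pkt: Packet) -> str:
    return walk(build_chains(mrkt_out_target), "FORWARD", pkt) or "DROP"


SSH_TO_SERVERS = Packet("eth1", "eth2", "tcp", 22)   # constructed sample
HTTP_TO_SERVERS = Packet("eth1", "eth2", "tcp", 80)  # constructed sample
```

With ACCEPT in MRKT_OUT the ssh packet never reaches SRV_IN and is accepted; with RETURN it falls through to SRV_IN and is dropped, while HTTP is still allowed.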