Whitelisting Under Shorewall

Tom Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

2007/07/19


White lists are most often used to give special privileges to a set of hosts within an organization. Let us suppose that we have the following environment:

The basic approach will be that we will place the operations staff's class C in its own zone called ops. Here are the appropriate configuration files:

Zone File
#ZONE      TYPE          OPTIONS
fw         firewall
net        ipv4
ops        ipv4
loc        ipv4
dmz        ipv4

The ops zone has been added to the standard 3-zone zones file -- since ops is a sub-zone of loc, we list it BEFORE loc.

Interfaces File
#ZONE      INTERFACE        BROACAST        OPTIONS
net        eth0             <whatever>      ...
dmz        eth1             <whatever>      ...
-          eth2             10.10.255.255

Because eth2 interfaces to two zones (ops and loc), we don't specify a zone for it here.

Hosts File
#ZONE      HOST(S)                OPTIONS
ops        eth2:10.10.10.0/24
loc        eth2:0.0.0.0/0

Here we define the ops and loc zones. When Shorewall is stopped, only the hosts in the ops zone will be allowed to access the firewall and the DMZ. I use 0.0.0.0/0 to define the loc zone rather than 10.10.0.0/16 so that the limited broadcast address (255.255.255.255) falls into that zone. If I used 10.10.0.0/16 then I would have to have a separate entry for that special address.

Policy File
#SOURCE          DEST         POLICY         LOG LEVEL
ops              all          ACCEPT
all              ops          CONTINUE
loc              net          ACCEPT
net              all          DROP           info
all              all          REJECT         info

Two entries for ops (in bold) have been added to the standard 3-zone policy file.

Rules File
#ACTION   SOURCE      DEST        PROTO        DEST PORT(S)     SOURCE PORTS(S)    ORIGINAL DEST
REDIRECT  loc!ops     3128        tcp          http

This is the rule that transparently redirects web traffic to the transparent proxy running on the firewall. The SOURCE column explicitly excludes the ops zone from the rule.

Routestopped File
#INTERFACE          HOST(S)           OPTIONS
eth1
eth2                10.10.10.0/24