Shorewall terminology and concepts, Zones, Interfaces – RuggedCom RuggedRouter RX1100 User Manual
14. Configuring The Firewall
Revision 1.14.3
RX1000/RX1100™
11. Activate the firewall. It is usually a good idea to port scan the firewall after activation and verify
that logging is functioning.
14.4. Shorewall Terminology And Concepts
This section provides background on various Shorewall terms and concepts. References are made
to the section where configuration applies.
14.4.1. Zones
A network zone is a collection of interfaces for which forwarding decisions are made, for example:
Name    Description
net     The Internet
loc     Your Local Network
dmz     Demilitarized Zone
fw      The firewall itself
vpn1    IPSec connections on w1ppp
vpn2    IPSec connections on w2ppp
You may create new zones if you wish. For example, if all of your Ethernet interfaces are part of the
local network zone, disallowing traffic from the Internet zone to the local zone disallows it to all
Ethernet interfaces. If you wanted some interfaces (but not others) to be reachable from the Internet,
you could create another zone for them.
Zones are defined in the file /etc/shorewall/zones and are modified from the Network Zones menu.
14.4.2. Interfaces
Shorewall Interfaces are simply the Ethernet and WAN interfaces available to the router. You must
place each interface into a network zone.
If an interface supports more than one subnet, place the interface in zone 'Any' and use the zone
hosts setup (see below) to define a zone for each subnet on the interface.
An example follows:
Interface   Zone
eth1        loc
eth2        loc
eth3        Any
eth4        dmz
w1ppp       net
Note
In order to improve security, the router will create a zone “unusd” and assign unused interfaces to this
zone when Shorewall starts. A policy is also installed that blocks access from “unusd” to all other zones.
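As an added illustration of the zone and interface tables in 14.4.1 and 14.4.2 (not part of the RuggedCom manual or the router's software), the following Python script reads Shorewall-style zones, interfaces and hosts tables and checks that every interface sits in a defined zone, that an interface in 'Any' has per-subnet hosts entries, and which router interfaces are left out and will therefore land in the blocking “unusd” zone. The table contents and subnet addresses are constructed samples, and the column layout and TYPE values are assumptions.

```python
# Added example, not from the RuggedCom manual: a consistency check over
# Shorewall-style zone, interface and hosts tables modelled on 14.4.1/14.4.2.
# Inputs are constructed; the column layout and TYPE values are assumptions.
ZONES = """
#ZONE   TYPE
net     ipv4
loc     ipv4
dmz     ipv4
fw      firewall
vpn1    ipsec
vpn2    ipsec
"""
# Interface table from 14.4.2; eth3 carries several subnets, so it is 'Any'.
INTERFACES = """
#ZONE   INTERFACE
loc     eth1
loc     eth2
Any     eth3
dmz     eth4
net     w1ppp
"""
# Per-subnet zone for the 'Any' interface (constructed example addresses).
HOSTS = """
#ZONE   HOSTS
loc     eth3:192.0.2.0/24
dmz     eth3:198.51.100.0/24
"""

def parse(text):
    """Split non-blank, non-comment lines into their first two columns."""
    rows = [line.split("#", 1)[0].split() for line in text.splitlines()]
    return [r[:2] for r in rows if r]

def check(zones_txt, ifaces_txt, hosts_txt, present):
    """Return problems found; an empty list means the tables are consistent."""
    zones = {row[0] for row in parse(zones_txt)}
    ifaces = {iface: zone for zone, iface in parse(ifaces_txt)}
    hosts = {host.split(":", 1)[0] for _, host in parse(hosts_txt)}
    problems = []
    for iface, zone in ifaces.items():
        if zone == "Any" and iface not in hosts:
            problems.append(f"{iface}: in 'Any' but has no hosts entries")
        elif zone != "Any" and zone not in zones:
            problems.append(f"{iface}: zone '{zone}' is not defined")
    for iface in hosts - {i for i, z in ifaces.items() if z == "Any"}:
        problems.append(f"{iface}: has hosts entries but is not in zone 'Any'")
    # Interfaces the router has but no table mentions go into the blocking
    # 'unusd' zone at startup; surface them so the omission is deliberate.
    for iface in sorted(present - ifaces.keys()):
        problems.append(f"{iface}: unassigned, will be placed in zone 'unusd'")
    return problems
```

Call `check(ZONES, INTERFACES, HOSTS, {"eth1", "eth2", "eth3", "eth4", "w1ppp"})` with the router's actual interface names as the last argument; an empty result means the tables agree with the rules described above.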