Hosts, Policy, 122 14.4.4. policy – RuggedCom RuggedRouter RX1100 User Manual
14. Configuring The Firewall
Revision 1.14.3
RX1000/RX1100™
Interfaces are defined in the file /etc/shorewall/interfaces and are modified from the Network Interfaces menu.
14.4.3. Hosts
Shorewall hosts are used to assign zones to individual hosts or subnets on an interface which handles multiple subnets. This allows the firewall to manage traffic that is forwarded back out the interface it arrived on but is destined for another subnet. This is often useful for VPN setups, to handle the VPN traffic separately from the other traffic on the interface which carries it. An example follows:
Zone      Interface   IP Address or Network
local     eth3        10.0.0.0/8
guests    eth3        192.168.0.0/24
Hosts are defined in the file /etc/shorewall/hosts and are modified from the Network Hosts menu.
14.4.4. Policy
Shorewall policies are the default actions for connection establishment between different firewall zones. Each policy is of the form:
Source-zone Destination-zone Default-action
You can define a policy from each zone to each other zone. You may also use the wildcard zone “all” to represent all zones.
The default action describes how to handle the connection request. There are six types of actions: ACCEPT, DROP, REJECT, QUEUE, CONTINUE and NONE. The first three are the most widely used and are described here.
When the ACCEPT policy is used, the connection is allowed. When the DROP policy is used, the request is simply ignored and no notification is sent to the requesting client. When the REJECT policy is used, the request is refused and a TCP RST or an ICMP destination-unreachable packet is returned to the client.
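Shorewall evaluates the policy file top-down and applies the first entry whose source and destination match, with “all” matching any zone, so the order of the lines decides the outcome. The following Python script is an added example, not code from the manual or from Shorewall: it parses a constructed policy file in the three-column format described above (the same three entries the manual's example uses) and reports which action governs a given zone pair, including the fw-to-net case.

```python
# Added example (not from the RuggedCom manual or Shorewall itself):
# resolve which /etc/shorewall/policy entry governs a connection
# request between two zones. Shorewall applies the FIRST matching
# line, and "all" matches any zone, so line order matters.
from typing import List, Optional, Tuple

# Constructed policy file mirroring the manual's example (three columns:
# source zone, destination zone, default action). Comments and blank
# lines are ignored, as in the real file.
POLICY_FILE = """\
# SOURCE   DEST   POLICY
loc        net    ACCEPT
net        all    DROP
all        all    REJECT
"""

ACTIONS = {"ACCEPT", "DROP", "REJECT", "QUEUE", "CONTINUE", "NONE"}


def parse_policy(text: str) -> List[Tuple[str, str, str]]:
    """Parse policy lines into (source, dest, action) tuples, in file order."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[2] not in ACTIONS:
            raise ValueError(f"policy line {lineno}: malformed entry {raw!r}")
        entries.append((fields[0], fields[1], fields[2]))
    return entries


def resolve(entries, src: str, dst: str) -> Optional[str]:
    """Return the action of the first entry matching src -> dst, or None."""
    for s, d, action in entries:
        if s in (src, "all") and d in (dst, "all"):
            return action
    return None


def with_fw_to_net(entries):
    """The manual's fix for console access: an explicit fw -> net ACCEPT.
    It must come BEFORE the catch-all lines, otherwise it is never reached."""
    return [("fw", "net", "ACCEPT")] + entries


if __name__ == "__main__":
    pol = parse_policy(POLICY_FILE)
    for src, dst in [("loc", "net"), ("net", "loc"), ("fw", "net")]:
        print(f"{src:>4} -> {dst:<4}: {resolve(pol, src, dst)}")
    print(" fw -> net after fix:", resolve(with_fw_to_net(pol), "fw", "net"))
```

Without the extra line, a request from the router's own console (fw zone) to the Internet falls through to the final “all all REJECT” entry, which is why the manual says an fw-to-net ACCEPT policy has to be added.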
An example should illustrate the use of policies.
Source Zone   Destination Zone   Policy
loc           net                ACCEPT
net           all                DROP
all           all                REJECT
The above policies will:
• Allow connection requests only from your local network to the Internet. If you wanted to allow requests from a console on the RuggedRouter to the Internet, you would need to add an ACCEPT policy from the fw zone to the net zone.
• Drop (ignore) all connection requests from the Internet to your firewall or local network, and