Chapter 11 – Configuring The Firewall

Note: To improve security, the router creates a zone named “unusd” and assigns all unused interfaces to it when Shorewall starts. A policy is also installed that blocks access from “unusd” to all other zones.

Interfaces are defined in the file /etc/shorewall/interfaces and are modified from the Network Interfaces menu.

Hosts

Shorewall hosts are used to assign zones to individual hosts or subnets on an interface that carries multiple subnets. This allows the firewall to manage traffic that is forwarded back out the interface it arrived on but is destined for another subnet. It is often useful for VPN setups, where the VPN traffic must be handled separately from the other traffic on the interface that carries it. An example follows:

Zone      Interface   IP Address or Network
local     eth3        10.0.0.0/8
guests    eth3        192.168.0.0/24

Hosts are defined in the file /etc/shorewall/hosts and are modified from the Network Hosts menu.

Policy

Shorewall policies are the default actions for connection establishment between different firewall zones. Each policy is of the form:

Source-zone   Destination-zone   Default-action

You can define a policy from each zone to each other zone. You may also use the wildcard zone “all” to represent all zones.

The default action describes how to handle the connection request. There are six types of actions: ACCEPT, DROP, REJECT, QUEUE, CONTINUE and NONE. The first three are the most widely used and are described here.

When the ACCEPT policy is used, the connection is allowed. When the DROP policy is used, the request is simply ignored and no notification is sent to the requesting client. When the REJECT policy is used, the request is refused and a TCP RST or an ICMP destination-unreachable packet is returned to the client.

An example should illustrate the use of policies.

Source Zone   Destination Zone   Policy
loc           net                ACCEPT
net           all                DROP
all           all                REJECT

The above policies will:

Allow connection requests only from your local network to the Internet. If you wanted to allow requests from a console on the RuggedRouter to the Internet, you would also need to add an ACCEPT policy from the fw zone to the net zone.

Drop (ignore) all connection requests from the Internet to your firewall or local network, and

Reject all other connection requests.
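Shorewall applies the first policy entry that matches a source/destination zone pair, in file order, so the order of the rows above matters. The following script is an added example (not code from the RuggedCom manual or from Shorewall itself) that parses a constructed /etc/shorewall/policy with the manual's three rows plus the fw-to-net ACCEPT line mentioned above, resolves the default action for a zone pair, and flags entries that can never match because an earlier entry already covers them.

```python
# Added example: first-match resolution of Shorewall policy entries.
VALID_ACTIONS = {"ACCEPT", "DROP", "REJECT", "QUEUE", "CONTINUE", "NONE"}

# Constructed sample of /etc/shorewall/policy: the manual's three rows plus
# the fw->net ACCEPT line needed for console-to-Internet access.
SAMPLE_POLICY = """\
#SOURCE  DEST  POLICY
loc      net   ACCEPT
fw       net   ACCEPT
net      all   DROP
all      all   REJECT
"""


def parse_policy(text):
    """Return (source, dest, action) triples; '#' starts a comment."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) < 3 or fields[2].upper() not in VALID_ACTIONS:
            raise ValueError(f"line {lineno}: bad policy entry {raw!r}")
        rules.append((fields[0], fields[1], fields[2].upper()))
    return rules


def resolve_policy(rules, src_zone, dst_zone):
    """Action of the first entry matching the zone pair ('all' is a
    wildcard), or None if no entry covers it."""
    for src, dst, action in rules:
        if src in (src_zone, "all") and dst in (dst_zone, "all"):
            return action
    return None


def shadowed_rules(rules):
    """Indices of entries that can never match because an earlier entry
    already covers every zone pair they would (e.g. a DROP placed after
    'all all REJECT')."""
    shadowed = []
    for j, (sj, dj, _) in enumerate(rules):
        for si, di, _ in rules[:j]:
            if si in (sj, "all") and di in (dj, "all"):
                shadowed.append(j)
                break
    return shadowed
```

Running `shadowed_rules` on a policy file before loading it catches the common mistake of placing the catch-all REJECT row above the more specific entries.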

RuggedCom

RuggedCom RX1100, RX1000 manual Hosts, Policy