Firewall rules priority?

deft · May 22, 2015, 10:09am

My network scheme

If i set httpd-admin (NethServer web interface) to “Access only from green networks”, connection from 10.64.0.0 is work. If i set:

Connection from 10.64.218.103 works too.
And in shorewall’s rules i see

Why 10.64.218.103 isn’t blocked and refers to the NET and not to LOC.
Sorry for my english.

filippo_carletti · May 22, 2015, 1:33pm

You need to add a zone firewall object, with ip 10.64.0.0/16 and device eth1.

deft · May 25, 2015, 9:56am

Thank you, Filippo. I add zone. But now connections from subnet 10.64.0.0/16 is blocked. Only if i set ip from subnet 10.64.0.0 in “Allow hosts” i can connect. My zone connected to eth1, but not GREEN.
And why if i create rule:

where Host zsm - 10.64.218.103, i can connect to FW (allow hosts is clear).
But if i create:

where fw_green - firewall’s GREEN interface address, my connection is blocked?

filippo_carletti · May 25, 2015, 10:51am

Firewall rules don’t allow control on traffic for the firewall itself, now. You need to use the Network services page.
I think this is confusing, we probably will extend the fiewall rules editor to handle traffic for the firewall itself.
We are open to suggestions.

deft · May 25, 2015, 5:05pm

But why my zone 10.64.0.0/16, assigned to eth1, not GREEN? It’s normal?

filippo_carletti · May 26, 2015, 7:35am

I’m sorry, but I can’t understand your question.
Your green is 192.168.64.0/24 and 10.64.0.0/16 is a network behind a router. Using a zone you tell shorewall that it is connected to the green. By default nethserver assumes that all external network are connected to the red.
I’m not sure that this is a limit of nethserver, do you have an example of a different configuration?

deft · May 26, 2015, 8:07am

Filippo, if i assign zone 10.64.0.0/16 to eth1 and set httpd-admin (NethServer web interface) to “Access only from green networks” it block connections from 10.64.0.0/16 to httpd-admin. But eth1 is green. May be i misunderstand something…

filippo_carletti · May 26, 2015, 8:27am

10.64.0.0 is not green, is connected to green through a router.

deft · May 26, 2015, 9:09am

Thank you. I thought, that all zones, assigned to local interface, must be green by default.

filippo_carletti · May 26, 2015, 9:12am

You can have multiple green, but those need to be connected directly to a network interface.
I have to think about your idea, maybe it’s possible to define as green networks connected through routers.

deft · May 26, 2015, 11:01am

Better manually define color of zone or optionally leave zone without color.