Network zones

A network zone is a named list of directions. A direction is defined by a combination of an interface name and an IP address, delimited by a space; the word any can stand in for either part.

Example of directions

Direction defined by the interface

eth0 any

Direction defined by the IP-address

any 192.168.0.0/16

Direction defined by the combination of both

eth0 192.168.15.0/24
eth+ 192.168.230.0/24

Example of network zone

eth0 any
any 192.168.0.0/16
eth0 192.168.15.0/24
eth+ 192.168.230.0/24

To define a new network zone, place the required directions in a file in the /etc/flex-fw/zones directory. The name of this file is the name of your zone.

Once defined, the zone's name can be used with the from and to operators to define a filter. Use from to match incoming interfaces and source IPs from the specified zone, and use to to match outgoing interfaces and destination IPs from the specified zone.

Example of usage

allow forward from zoneLAN to zoneINET proto tcp dports 80,443

Two files have to be placed in the /etc/flex-fw/defines/zones directory: zoneLAN and zoneINET.

The /etc/flex-fw/defines/zones/zoneLAN file can contain something like this:

eth0 192.168.1.0/24
eth1 192.168.2.0/24
tap+ any

And the /etc/flex-fw/zones/zoneINET file can be similar to:

ppp+ any
wlan0 any

The result will be the same as the following rules, one for each pair of a zoneLAN direction and a zoneINET direction:

allow forward in-if eth0 src 192.168.1.0/24 out-if ppp+ proto tcp dports 80,443
allow forward in-if eth0 src 192.168.1.0/24 out-if wlan0 proto tcp dports 80,443
allow forward in-if eth1 src 192.168.2.0/24 out-if ppp+ proto tcp dports 80,443
allow forward in-if eth1 src 192.168.2.0/24 out-if wlan0 proto tcp dports 80,443
allow forward in-if tap+ out-if ppp+ proto tcp dports 80,443
allow forward in-if tap+ out-if wlan0 proto tcp dports 80,443
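To make the expansion concrete, here is an added example (not flex-fw's own code) that parses zone text in the two-column "interface address" format above and expands a from/to rule into the per-direction rules. It assumes the zoneLAN and zoneINET contents shown on this page (embedded inline as constructed strings rather than read from /etc/flex-fw), the in-if / src / out-if / dst ordering of the expanded rules, and that a direction of "any any" should be rejected as a zone that would match all traffic.

```python
"""Zone-file parser and rule expander for flex-fw style zones.

Added example, not flex-fw's own code.  It assumes a zone file is a list of
"<interface> <address>" lines (as on this page) and that a zone rule expands
to one concrete rule per (from-direction, to-direction) pair, in the same
in-if / src / out-if / dst order as the page's expanded rule list.
"""
import ipaddress
import itertools

# Constructed zone definitions, same contents as the page's zoneLAN and
# zoneINET examples; in flex-fw these would be files named after the zone.
ZONE_FILES = {
    "zoneLAN": "eth0 192.168.1.0/24\neth1 192.168.2.0/24\ntap+ any\n",
    "zoneINET": "ppp+ any\nwlan0 any\n",
}


def parse_zone(text):
    """Parse zone text into a list of (interface, network) tuples.

    'any' on either side becomes None.  Blank lines and '#' comments are
    skipped.  Addresses go through ipaddress with strict=True, so a
    malformed prefix such as '192.168.1/24' or a network with host bits set
    raises ValueError instead of quietly producing a rule that matches the
    wrong range.
    """
    directions = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<iface> <address>', got {raw!r}")
        iface, addr = parts
        iface = None if iface == "any" else iface
        net = None if addr == "any" else ipaddress.ip_network(addr, strict=True)
        if iface is None and net is None:
            # 'any any' makes the zone match all traffic (assumed policy:
            # treat it as a configuration error, not a silently wide zone).
            raise ValueError(f"line {lineno}: 'any any' matches all traffic")
        directions.append((iface, net))
    return directions


def zone_error(text):
    """Return the validation error for zone text, or None if it parses."""
    try:
        parse_zone(text)
    except ValueError as exc:
        return str(exc)
    return None


def load_zones(files=ZONE_FILES):
    """Map zone name -> directions for every zone definition."""
    return {name: parse_zone(text) for name, text in files.items()}


def expand_rule(action, chain, from_zone, to_zone, tail, zones):
    """Expand 'action chain from X to Y tail' into one rule per direction pair."""
    rules = []
    pairs = itertools.product(zones[from_zone], zones[to_zone])
    for (in_if, src), (out_if, dst) in pairs:
        parts = [action, chain]
        if in_if is not None:
            parts += ["in-if", in_if]
        if src is not None:
            parts += ["src", str(src)]
        if out_if is not None:
            parts += ["out-if", out_if]
        if dst is not None:
            parts += ["dst", str(dst)]
        parts.append(tail)
        rules.append(" ".join(parts))
    return rules


if __name__ == "__main__":
    zones = load_zones()
    for rule in expand_rule("allow", "forward", "zoneLAN", "zoneINET",
                            "proto tcp dports 80,443", zones):
        print(rule)
```

Running the module prints the same six rules listed above, in the same order. The strict address validation is the part worth keeping when writing zone files by hand: a shorthand such as 192.168.1/24 or a prefix with host bits set is reported at load time rather than turning into a rule that matches a different range than intended.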

Copyright (C) 2014 Vitalii Druzhinin
aka VitalShell