A network zone is a named list of directions grouped together. A direction is defined by a combination of an interface name and an IP address (or network), delimited by a space; the keyword any means that part is not constrained.
Direction defined by the interface only:
eth0 any
Direction defined by the IP address only:
any 192.168.0.0/16
Direction defined by the combination of both:
eth0 192.168.15.0/24
eth+ 192.168.230.0/24
A zone file containing all of the above lists one direction per line:
eth0 any
any 192.168.0.0/16
eth0 192.168.15.0/24
eth+ 192.168.230.0/24
To define a new network zone, place the required directions into a file in the /etc/flex-fw/zones directory. The name of this file is the name of your zone.
After definition, the zone's name can be used with the from and to operators to define a filter. Use from to define incoming interfaces and source IPs from the specified zone, and use to to define outgoing interfaces and destination IPs from the specified zone.
allow forward from zoneLAN to zoneINET proto tcp dports 80,443
Two files have to be placed into the /etc/flex-fw/defines/zones directory: zoneLAN and zoneINET.
The /etc/flex-fw/defines/zones/zoneLAN file can contain something like this:
eth0 192.168.1.0/24
eth1 192.168.2.0/24
tap+ any
And the /etc/flex-fw/zones/zoneINET file can be similar to:
ppp+ any
wlan0 any
The result will be the same as the following rules (one rule per combination of a zoneLAN direction and a zoneINET direction):
allow forward in-if eth0 src 192.168.1.0/24 out-if ppp+ proto tcp dports 80,443
allow forward in-if eth0 src 192.168.1/24 out-if wlan0 proto tcp dports 80,443
allow forward in-if eth1 src 192.168.2/24 out-if ppp+ proto tcp dports 80,443
allow forward in-if eth1 src 192.168.2/24 out-if wlan0 proto tcp dports 80,443
allow forward in-if tap+ out-if ppp+ proto tcp dports 80,443
allow forward in-if tap+ out-if wlan0 proto tcp dports 80,443
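The expansion above is a cross product of the two zones' directions. The following is an added example, not flex-fw's own code: it models that expansion in Python so the resulting per-direction rules can be reviewed before being loaded. The zone contents are constructed inline (normally read from the zone files), and the dst keyword for destination addresses is an assumption, since the page only shows zones without destination networks.

```python
# Added example (not flex-fw code): expand a zone-based rule into the
# per-direction rules it stands for, as the documentation describes.

# Constructed zone contents; in flex-fw these come from the zone files.
ZONES = {
    "zoneLAN": ["eth0 192.168.1.0/24", "eth1 192.168.2.0/24", "tap+ any"],
    "zoneINET": ["ppp+ any", "wlan0 any"],
}


def parse_direction(line):
    """Split 'iface addr' into (iface, addr); 'any' becomes None (unconstrained)."""
    parts = line.split()
    if len(parts) != 2:
        raise ValueError(f"bad direction: {line!r}")
    iface, addr = parts
    return (None if iface == "any" else iface, None if addr == "any" else addr)


def expand(rule, zones=ZONES):
    """Replace 'from ZONE' / 'to ZONE' with in-if/src and out-if/dst clauses.

    Returns one rule string per (from-direction, to-direction) pair.
    'dst' as the destination keyword is an assumption of this example.
    """
    tokens = rule.split()
    head, tail = [], []          # tokens before / after the zone operators
    src_zone = dst_zone = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("from", "to"):
            name = tokens[i + 1]
            if name not in zones:
                raise KeyError(f"unknown zone: {name}")
            if tok == "from":
                src_zone = name
            else:
                dst_zone = name
            i += 2
            continue
        (tail if (src_zone or dst_zone) else head).append(tok)
        i += 1
    # A missing from/to side behaves like a single unconstrained direction.
    src_dirs = [parse_direction(d) for d in zones[src_zone]] if src_zone else [(None, None)]
    dst_dirs = [parse_direction(d) for d in zones[dst_zone]] if dst_zone else [(None, None)]
    rules = []
    for in_if, src in src_dirs:
        for out_if, dst in dst_dirs:
            clauses = list(head)
            clauses += ["in-if", in_if] if in_if else []
            clauses += ["src", src] if src else []
            clauses += ["out-if", out_if] if out_if else []
            clauses += ["dst", dst] if dst else []
            rules.append(" ".join(clauses + tail))
    return rules
```

A direction of `any any` in a zone yields a rule with no interface or address constraint at all, so reviewing the expanded list (or a count of rules lacking in-if/src) before loading is a cheap way to catch an over-broad zone.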
Copyright (C) 2014 Vitalii Druzhinin
aka VitalShell