How To Split A Zone in Sub Zones


Da Purple s.r.l.

Contents
1 Preface
2 Isolating two interfaces in the same zone
3 How to block a specific network VLAN in order to not be able to use another IP address
4 Conclusions

Preface
Normally Endian Firewall puts all the interfaces of the same zone into a bridge; this happens with virtual interfaces (VLANs) as well. For example br0 (green) may contain eth0, eth1 and whichever devices you choose as belonging to the green zone. For many reasons you may want to split a zone into additional sub-zones that don't see each other. Because of a structural limit you can't remove an interface from a bridge, so you have to make a small hack: you will end up with a "not bridged" bridge. You can create a new zone with the help of inter-zone firewall rules; you will see below how to do it.

Isolating two interfaces in the same zone

1 Create block rules from interface1 to interface2 and vice versa.
2 Create all the allow rules you need; be careful, these rules must be kept above the block rules.
3 The best option is to select the ETHER service so that the rules are applied at layer 2.

Below are two examples of configuration; the first one is useful to test the environment because it allows ping.

Below is a configuration which allows only the HTTP protocol from interface 1 to interface 2.

How to block a specific network VLAN in order to not be able to use another IP address

#!/bin/sh
# Used for private firewall rules
# See how we were called.
case "$1" in
  start)
    # add your 'start' rules here

    # Rules to bind a subnet to an interface/vlan: traffic entering the
    # bridge from a VLAN port is passed (RETURN) only when its source
    # address belongs to that VLAN's subnet; anything else arriving on
    # that port is dropped, so a host cannot borrow another VLAN's address.
    # Order matters: the RETURN rule must precede the DROP rule.
    # VLAN 201
    iptables -A CUSTOMFORWARD -s 10.10.201.0/24 -m physdev --physdev-in eth5.201 -d 0/0 -j RETURN
    iptables -A CUSTOMFORWARD -s 0/0 -m physdev --physdev-in eth5.201 -d 0/0 -j DROP
    # VLAN 202
    iptables -A CUSTOMFORWARD -s 10.10.202.0/24 -m physdev --physdev-in eth5.202 -d 0/0 -j RETURN
    iptables -A CUSTOMFORWARD -s 0/0 -m physdev --physdev-in eth5.202 -d 0/0 -j DROP
    # VLAN 203
    iptables -A CUSTOMFORWARD -s 10.10.203.0/24 -m physdev --physdev-in eth5.203 -d 0/0 -j RETURN
    iptables -A CUSTOMFORWARD -s 0/0 -m physdev --physdev-in eth5.203 -d 0/0 -j DROP

    # Add rules to forbid traffic destined to the firewall itself
    # (proxies, management, etc.) from a spoofed address
    # VLAN 201
    iptables -A CUSTOMINPUT -s 10.10.201.0/24 -m physdev --physdev-in eth5.201 -d 0/0 -j RETURN
    iptables -A CUSTOMINPUT -s 0/0 -m physdev --physdev-in eth5.201 -d 0/0 -j DROP
    # VLAN 202
    iptables -A CUSTOMINPUT -s 10.10.202.0/24 -m physdev --physdev-in eth5.202 -d 0/0 -j RETURN
    iptables -A CUSTOMINPUT -s 0/0 -m physdev --physdev-in eth5.202 -d 0/0 -j DROP
    # VLAN 203
    iptables -A CUSTOMINPUT -s 10.10.203.0/24 -m physdev --physdev-in eth5.203 -d 0/0 -j RETURN
    iptables -A CUSTOMINPUT -s 0/0 -m physdev --physdev-in eth5.203 -d 0/0 -j DROP
    ;;
  stop)
    # add your 'stop' rules here
    # Flushes custom chains
    iptables -F CUSTOMFORWARD
    iptables -F CUSTOMINPUT
    ;;
  reload)
    # add your 'reload' rules here
    ;;
  *)
    echo "Usage: $0 {start|reload|stop}"
esac
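The following is an added example, not part of the Da Purple document and not Endian Firewall code: it generates the RETURN/DROP rule pairs for a VLAN-to-subnet binding table in the same shape as the script above, then walks them top-down the way netfilter does, so the policy can be checked offline before it is loaded. The binding table, the `build_rules`/`evaluate` helper names and the sample packets are constructed for this illustration.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed binding table: (bridged VLAN interface, subnet allowed on it).
# It mirrors the three VLANs used in the script above.
VLAN_BINDINGS = [
    ("eth5.201", "10.10.201.0/24"),
    ("eth5.202", "10.10.202.0/24"),
    ("eth5.203", "10.10.203.0/24"),
]

# A parsed rule: (physdev-in interface, source network or None for 0/0, target)
Rule = Tuple[str, Optional[ipaddress.IPv4Network], str]


def build_rules(chain: str, bindings) -> List[str]:
    """Emit one RETURN/DROP pair per VLAN, RETURN first, as the script does."""
    lines = []
    for iface, subnet in bindings:
        lines.append(f"iptables -A {chain} -s {subnet} -m physdev "
                     f"--physdev-in {iface} -d 0/0 -j RETURN")
        lines.append(f"iptables -A {chain} -s 0/0 -m physdev "
                     f"--physdev-in {iface} -d 0/0 -j DROP")
    return lines


def parse_rule(line: str) -> Rule:
    """Pull the three fields the chain decides on out of an iptables line."""
    tok = line.split()
    src = tok[tok.index("-s") + 1]
    iface = tok[tok.index("--physdev-in") + 1]
    target = tok[tok.index("-j") + 1]
    net = None if src == "0/0" else ipaddress.ip_network(src)
    return iface, net, target


def evaluate(lines: List[str], in_iface: str, src_ip: str) -> Optional[str]:
    """First matching rule decides, like a netfilter chain.

    Returns the target, or None when nothing matched: the packet then
    continues in the parent chain, which is what happens for an interface
    the binding table does not cover."""
    ip = ipaddress.ip_address(src_ip)
    for iface, net, target in map(parse_rule, lines):
        if iface != in_iface:
            continue
        if net is None or ip in net:
            return target
    return None
```

A host on eth5.201 sourcing a 10.10.202.x address is dropped, while the same address on eth5.202 passes; a port absent from the table gets no verdict at all, so add every bridged VLAN port to the table.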
