6.2.1. Managing zones with ZMC

By default, ZMC defines a zone called internet on every site. The internet zone contains the 0.0.0.0 and ::0 networks with a 0-bit subnet mask (0.0.0.0/0 and ::/0). This zone means any network: every IP address that does not belong to any other zone belongs to the internet zone.

Note

Zorp uses the CIDR notation for subnetting.

Figure 6.1. Zones

The internet zone is typically used in firewall rules where one side of the connection cannot be defined more exactly.

Example 6.1. Using the Internet zone

The Internet zone identifies all external networks. To allow the internal users to visit all web pages, simply set the destination zone of the HTTP service to Internet. For details on creating services, see Section 6.4, Zorp services.

Zones are managed on the Site component in ZMC. The left side of the main workspace displays the zones defined on the site and their descriptions. IP networks that belong to the selected zone are displayed on the right side of the workspace.

Note

The Zorp ZMC component has a shortcut in its icon bar to the zone editor. The zone hierarchy applies to all firewalls of the site, therefore carefully consider every modification and its possible side-effects.

Use the control buttons to create, delete, or edit the zone definitions and the IP networks. Use the arrow icons to organize the zones into a hierarchy (see Section 6.2.3, Zone hierarchies for details).

If a zone is created, modified or deleted in a ZMC, the change is immediately visible in the zone lists of that same ZMC, even before the changes are committed. Once the changes to the zone or zones are committed, they become visible in the zone information of other ZMCs as well.

Example 6.2. Subnetting

Suppose you have the following IP address range to put into a zone: 1.2.50.0 to 1.2.70.255. You can either define 21 IP subnets with a /24 mask, or you can define six subnets in the following manner: 1.2.50.0/23, 1.2.52.0/22, 1.2.56.0/21, 1.2.64.0/22, 1.2.68.0/23, 1.2.70.0/24. Whether you have a switched/routed network or you actually use /24 subnets is irrelevant from the zone's (Zorp's) point of view. As long as it encounters an IP address from the range 1.2.50.0 to 1.2.70.255, it will consider it a member of the given zone.

Furthermore, suppose you define Zone A with the IP network 10.0.0.0/8, and Zone B consisting of the network 10.0.1.0/24 and a single machine, Computer C, with the IP address 10.0.1.100/32. From an IP addressing point of view, Computer C belongs to both subnets. The rule Zorp applies in this and similar cases is that the machine always belongs to the more specific network (and thus to that network's zone), as the CIDR method also specifies. In this example, that is Zone B.
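The two examples above can be checked with a small longest-prefix lookup. The following is an added illustration written for this section, not Zorp's own zone code or configuration syntax; the zone names (internet, zone_a, zone_b, branch) and the zone-to-network map are constructed from Examples 6.1 and 6.2, and the lookup assumes that when two networks of equal prefix length match, the first one defined wins.

```python
import ipaddress

# Constructed zone table modelled on Examples 6.1 and 6.2 above; this is an
# illustration of the lookup rule, not a Zorp configuration or Zorp's own code.
ZONES = {
    "internet": ["0.0.0.0/0", "::/0"],          # catch-all default zone
    "zone_a":   ["10.0.0.0/8"],
    "zone_b":   ["10.0.1.0/24", "10.0.1.100/32"],
    "branch":   ["1.2.50.0/23", "1.2.52.0/22", "1.2.56.0/21",
                 "1.2.64.0/22", "1.2.68.0/23", "1.2.70.0/24"],
}

def build_table(zones):
    """Flatten the zone map into (network, zone) pairs, most specific first."""
    table = [(ipaddress.ip_network(net), name)
             for name, nets in zones.items() for net in nets]
    # Longest prefix first, so the first hit is the most specific network.
    # sort() is stable, so equal prefixes keep their definition order.
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table

def lookup_zone(table, address):
    """Return the zone of the most specific network containing address."""
    ip = ipaddress.ip_address(address)
    for net, zone in table:
        if ip.version == net.version and ip in net:
            return zone
    return None  # only reachable if no catch-all zone is defined

def summarize_range(first, last):
    """Minimal CIDR cover of an inclusive address range, as strings."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]

if __name__ == "__main__":
    table = build_table(ZONES)
    for addr in ("10.0.1.100", "10.0.1.7", "10.0.2.5",
                 "1.2.60.7", "1.2.71.1", "2001:db8::1"):
        print(addr, "->", lookup_zone(table, addr))
    # Reproduces the six subnets of Example 6.2 from the address range.
    print(summarize_range("1.2.50.0", "1.2.70.255"))
```

Note that 10.0.1.7 lands in zone_b via 10.0.1.0/24 even though 10.0.0.0/8 (zone_a) also contains it, and 1.2.71.1 falls through to the internet zone because no more specific network claims it.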