Zones describe and map the networking environment at the IP level. IP addresses are grouped into zones; the access policies of Zorp operate on these zones. Zones specify segments of the network from which traffic can be received (source), or sent to (destination), through the firewall. Zones in Zorp can contain:
- IP networks,
- subnets,
- individual IP addresses, and
- hostnames.
Zone management is handled by the kzorp daemon (kzorpd). kzorpd is responsible for maintaining zone address information in the kzorp kernel modules and also for updating dynamic address information in hostname-based zones.
The actual implementation of a zone hierarchy depends on the network environment, the placement and the role of Zorp firewalls, the security policy, and so on.
The Internet zone, which covers all possible IP addresses, is defined on every site by default. If an IP address is not included in any user-defined zone, it belongs to the Internet zone. Zorp policies permit traffic between two or more zones, so at least one other zone — the intranet — must be created. Usually a special zone called the demilitarized zone (DMZ) is defined for servers available from the Internet.
Zones in Zorp can have a hierarchy, with a zone containing many subzones that may have their own subzones, and so on. From these zones, a tree hierarchy can be constructed. This hierarchy is purely administrative and independent from the IP addresses defined in the zones themselves: for example, a zone that contains the 192.168.7.0/24 subnet can have a subzone with IP addresses from the 10.0.0.0/8 range.
A network can belong only to a single zone, because otherwise the position of IP addresses in the network would be ambiguous.
The zone hierarchy is independent from the subnetting practices of the company or the physical layout of the network, and can follow arbitrary logic. The zone hierarchy applies to every host of a site.
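To make the rules above concrete, here is a small Python model of a site's zone table, written for this page as an added illustration; it is not Zorp's own configuration API or kzorpd code. It enforces that a network belongs to exactly one zone, keeps the administrative parent/child tree separate from the address ranges, and provides the default Internet zone as the fallback for any address not covered by a user-defined zone. The choice of the most specific (longest-prefix) network when several zones' networks overlap is an assumption of this model, and the zone names and addresses are constructed sample values.

```python
"""Toy model of a Zorp-style zone table (illustration only, not Zorp's API)."""
import ipaddress
from typing import Dict, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class Zone:
    """A named zone: a list of IP networks plus an optional administrative parent."""

    def __init__(self, name: str, networks: List[str], parent: Optional[str] = None):
        self.name = name
        # strict=True rejects a prefix with host bits set, e.g. 10.0.0.1/8
        self.networks: List[Network] = [ipaddress.ip_network(n, strict=True) for n in networks]
        self.parent = parent


class ZoneTable:
    """Holds the zones of one site and answers 'which zone is this address in?'."""

    def __init__(self) -> None:
        self.zones: Dict[str, Zone] = {}
        self.owner: Dict[Network, str] = {}  # network -> name of the zone that owns it
        # The Internet zone exists by default and covers every IPv4 and IPv6 address.
        self.add(Zone("internet", ["0.0.0.0/0", "::/0"]))

    def add(self, zone: Zone) -> None:
        if zone.name in self.zones:
            raise ValueError(f"zone {zone.name!r} is already defined")
        # The administrative tree is built top-down: the parent must already exist.
        if zone.parent is not None and zone.parent not in self.zones:
            raise ValueError(f"parent zone {zone.parent!r} of {zone.name!r} is not defined")
        # A network may belong to exactly one zone; refuse an ambiguous definition
        # before touching the table so a failed add leaves it unchanged.
        for net in zone.networks:
            if net in self.owner:
                raise ValueError(f"{net} already belongs to zone {self.owner[net]!r}")
        for net in zone.networks:
            self.owner[net] = zone.name
        self.zones[zone.name] = zone

    def zone_of(self, address: str) -> str:
        """Name of the zone whose most specific network contains the address.

        Most-specific match is an assumption of this model; falling back to the
        Internet zone (prefix length 0) is the documented default behaviour.
        """
        addr = ipaddress.ip_address(address)
        best_net: Optional[Network] = None
        best_zone = "internet"
        for net, name in self.owner.items():
            if net.version == addr.version and addr in net:
                if best_net is None or net.prefixlen > best_net.prefixlen:
                    best_net, best_zone = net, name
        return best_zone

    def admin_path(self, name: str) -> List[str]:
        """Administrative ancestry from the root zone down to `name`."""
        path: List[str] = []
        current: Optional[str] = name
        while current is not None:
            path.append(current)
            current = self.zones[current].parent
        return list(reversed(path))


def definition_rejected(site: ZoneTable, zone: Zone) -> bool:
    """True if the table refuses the zone (duplicate network, name or missing parent)."""
    try:
        site.add(zone)
    except ValueError:
        return True
    return False


def build_example_site() -> ZoneTable:
    """Constructed sample: an intranet whose subzone uses an unrelated address range."""
    site = ZoneTable()
    site.add(Zone("intranet", ["192.168.7.0/24"]))
    site.add(Zone("lab", ["10.0.0.0/8"], parent="intranet"))  # subzone of intranet
    site.add(Zone("dmz", ["172.16.0.0/12"]))
    return site


if __name__ == "__main__":
    site = build_example_site()
    for ip in ("192.168.7.10", "10.5.5.5", "8.8.8.8", "::1"):
        zone = site.zone_of(ip)
        print(f"{ip:>14} -> {zone:<9} admin path: {' / '.join(site.admin_path(zone))}")
    # Re-using 10.0.0.0/8 in another zone would make address placement ambiguous.
    print("duplicate network rejected:", definition_rejected(site, Zone("dup", ["10.0.0.0/8"])))
```

Note that `lab` is an administrative child of `intranet` even though 10.0.0.0/8 has nothing to do with 192.168.7.0/24: the tree and the address ranges are independent, exactly as the text describes. The rejection of a second zone claiming 10.0.0.0/8 is the model's enforcement of the one-zone-per-network rule.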
Note: Subnets can be used directly in Zorp configurations; it is not necessary to include them in a zone.
Note: It is recommended to follow the logic of the network implementation when defining zones, because this approach leads to the most flexible firewall administration. Plan and document the zone hierarchy thoroughly and keep it up-to-date. An effective and usable zone topology is essential for successful Zorp administration.
Published on May 30, 2024
© BalaSys IT Ltd.
Send your comments to support@balasys.hu