On 16/02/2019 00:22, Tom Eastep wrote:
Shorewall 5.2.3 is now available for download.
New Features:
1) Zone exclusion (e.g., "all!z2,z2,...") is now supported in the
policy file.
2) With the availability of zone exclusion in the rules file, 'all[+]-'
and 'any[+]-' are equivalent to 'all[+]!$FW' and 'any[+]!$FW'
respectively. Beginning with this release, the former are
deprecated in favor of the latter and will result in a warning
message, if used.
Unfortunately, I wasn't able to test Shorewall during the beta phase, so
I discovered this with the release version:
I modified my "policy" file to reflect the changes above but I faced an
issue:
# shorewall ck
Checking using Shorewall 5.2.3...
ERROR: 'all' is not allowed in a source zone list
/etc/shorewall/policy (line 8)
The relevant part of the policy file :
${FW} { dest=all policy=ACCEPT }
all!${FW},net { dest=all+!${FW},net policy=REJECT loglevel=info }
all { dest=all policy=DROP loglevel=info }
And according to the docs -
http://shorewall.net/manpages/shorewall-policy.html - there's nothing
preventing that syntax.
The second line reflects exactly what I want: all zones except
"$FW" and "net" should REJECT packets from other zones, even between
themselves.
What's wrong with that then?
Thanks for any advice.
PS: Previously, SOURCE and DEST were "zone1,zone2,zone3" and
"zone1,zone2,zone3+" respectively.
--
ObNox
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
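An added example, not part of the message above and not Shorewall's own code: a small Python model of how a policy-file zone list with exclusion expands into (source zone, destination zone) pairs. The zone set (fw, net, loc, dmz), the function names and the rule that a "+" on either column admits intra-zone pairs are assumptions made for illustration; the deprecated "-" suffix is rewritten to "!$FW" exactly as the 5.2.3 release notes describe. It checks that the poster's earlier explicit lists and the new all!${FW},net / all+!${FW},net form select the same pairs.

```python
"""Model of Shorewall policy-file zone lists with exclusion.

Added illustration, not Shorewall's own code. The zone set, the function
names and the exact expansion rules below are assumptions made to show
what 'all!z1,z2', 'all+' and the deprecated 'all-' are meant to select.
"""
from itertools import product

FW = "fw"  # stands in for $FW, the firewall zone, in this model
ZONES = ["fw", "net", "loc", "dmz"]  # constructed zone set for the demo


def _zone(name, fw):
    """Map the '$FW' / '${FW}' spellings used in the policy file to the fw zone."""
    return fw if name in ("$FW", "${FW}") else name


def parse_zone_list(expr, zones, fw=FW):
    """Expand one SOURCE/DEST column entry.

    Accepts 'all', 'all+', 'all!z1,z2', 'all+!z1,z2', the deprecated
    'all-' / 'all+-' forms, and explicit lists such as 'loc,dmz+'.
    Returns (selected zone set, intra_zone_flag, deprecated_flag).
    """
    expr = expr.strip()
    deprecated = False
    # 'all-' and 'all+-' are equivalent to 'all!$FW' and 'all+!$FW' (5.2.3 notes)
    if expr.endswith("-"):
        expr = expr[:-1] + "!" + fw
        deprecated = True
    base, _, excl = expr.partition("!")
    intra = base.endswith("+")
    if intra:
        base = base[:-1]
    if base in ("all", "any"):
        selected = set(zones)
    else:
        selected = {_zone(z, fw) for z in base.split(",") if z}
    excluded = {_zone(z, fw) for z in excl.split(",") if z}
    unknown = (selected | excluded) - set(zones)
    if unknown:
        raise ValueError(f"unknown zone(s): {sorted(unknown)}")
    return selected - excluded, intra, deprecated


def policy_pairs(source, dest, zones, fw=FW):
    """(source zone, dest zone) pairs one policy line applies to.

    Assumption of this model: a '+' on either column admits same-zone
    (intra-zone) pairs; otherwise only zone-to-other-zone pairs are covered.
    """
    src, src_intra, _ = parse_zone_list(source, zones, fw)
    dst, dst_intra, _ = parse_zone_list(dest, zones, fw)
    intra = src_intra or dst_intra
    return {(s, d) for s, d in product(src, dst) if intra or s != d}


def same_coverage(old_source, old_dest, new_source, new_dest, zones=ZONES):
    """True when two policy lines cover exactly the same zone pairs."""
    return policy_pairs(old_source, old_dest, zones) == policy_pairs(new_source, new_dest, zones)


if __name__ == "__main__":
    # The poster's earlier explicit lists versus the 5.2.3 exclusion form
    old = policy_pairs("loc,dmz", "loc,dmz+", ZONES)
    new = policy_pairs("all!${FW},net", "all+!${FW},net", ZONES)
    print("explicit lists == exclusion form:", old == new)
    for pair in sorted(new):
        print("  REJECT", "->".join(pair))
    # Deprecated 'all-' resolves to 'all!$FW' and is flagged
    print(parse_zone_list("all-", ZONES))
```

With the four constructed zones, the poster's second policy line expands to loc->loc, loc->dmz, dmz->loc and dmz->dmz, which is the "even between themselves" coverage asked for; drop the "+" from the DEST column and the two same-zone pairs disappear. The model only expresses the documented intent of the syntax; it says nothing about why 5.2.3 rejects 'all' in the SOURCE column.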