On 21/02/2019 18:29, Tom Eastep wrote:
The relevant part of the policy file:
${FW} { dest=all policy=ACCEPT }
all!${FW},net { dest=all+!${FW},net policy=REJECT loglevel=info }
all { dest=all policy=DROP loglevel=info }
Please give the attached patch a try.
Thank you! Though it creates a little side effect now:
# shorewall ck
Checking using Shorewall 5.2.3...
ERROR: Policy "all all DROP" duplicates earlier policy "all all
REJECT" /etc/shorewall/policy (line 11)
What I want to achieve:
- Every intra-zone non-explicit rule falls into REJECT, like z1:host1
trying to reach zX:hostX (including any host in z1) without a specific
rule (i.e. SW:z1-z2:REJECT ... in the logs).
Rationale: Unwanted intra-zone traffic from known hosts gets
"connection refused" instead of waiting desperately for a (long) timeout.
- Every OTHER non-explicit rule falls into DROP, like "net: => anything"
or hosts outside any zone, thus falling into FORWARD or INPUT.
Rationale: Unwanted traffic of any kind, like people from "net:" or
misconfigured hosts within the LAN, gets DROPPED without mercy.
That's why I asked for zone exclusions in the first place. I really
thought that:
all!${FW},net { dest=all+!${FW},net policy=REJECT loglevel=info }
would be internally translated by the parser/compiler to :
z1,z2,..,zN { dest=z1,z2,..,zN+ policy=REJECT loglevel=info }
See what I mean? :-)
--
ObNox
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
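The following is an added example, not code from this thread and not Shorewall's own parser or compiler. It models the expansion ObNox expected for the policy entries quoted above: `all!${FW},net { dest=all+!${FW},net policy=REJECT }` treated as an explicit listing of every zone except fw and net, followed by a catch-all DROP. The zone names fw, net, z1 and z2 are hypothetical, and the semantics are assumptions taken from the discussion rather than verified against Shorewall: "all" covers every zone but an intra-zone pair (same source and destination) only when "all+" appears in one column, "!a,b" removes zones from the expanded list, and policies match top to bottom with first match winning. Under those assumptions the two lines cover disjoint (source, dest) pairs, which is what the redundancy check at the end reports; the "duplicates earlier policy" error quoted above compares the two lines as "all all", i.e. before any exclusion is applied.

```python
"""Zone-list expansion for Shorewall-style policy entries (illustrative model).

Added example, not code from the thread and not Shorewall's parser.
Assumed semantics (from the discussion, not verified against Shorewall):
  * "all"  covers every zone; an intra-zone pair (src == dest) is covered
           only when "all+" appears in SOURCE or DEST;
  * "!a,b" removes zones a and b from the expanded list;
  * policies match top to bottom, first match wins.
Zone names fw, net, z1 and z2 are hypothetical.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional, Set, Tuple

Pair = Tuple[str, str]


@dataclass(frozen=True)
class Policy:
    source: str
    dest: str
    action: str
    loglevel: Optional[str] = None


def expand(spec: str, zones: Set[str]) -> Tuple[Set[str], bool]:
    """Expand one SOURCE or DEST column to (zone set, includes_intra_zone)."""
    base, _, excl = spec.partition("!")
    excluded = {z.strip() for z in excl.split(",") if z.strip()}
    if not excluded <= zones:
        raise ValueError(f"unknown zone(s) in exclusion: {sorted(excluded - zones)}")
    if base in ("all", "all+"):
        return zones - excluded, base == "all+"
    if base not in zones:
        raise ValueError(f"unknown zone: {base}")
    return {base} - excluded, False


def pairs_for(policy: Policy, zones: Set[str]) -> Set[Pair]:
    """All (src, dest) zone pairs one policy line applies to after expansion."""
    src, src_plus = expand(policy.source, zones)
    dst, dst_plus = expand(policy.dest, zones)
    intra = src_plus or dst_plus
    return {(s, d) for s, d in product(src, dst) if s != d or intra}


def compile_policies(policies: List[Policy], zones: Set[str]) -> Dict[Pair, Policy]:
    """Build a first-match-wins table from an ordered policy list."""
    table: Dict[Pair, Policy] = {}
    for p in policies:
        for pair in pairs_for(p, zones):
            table.setdefault(pair, p)
    return table


def redundant_policies(policies: List[Policy], zones: Set[str]) -> List[int]:
    """Indices of policies whose every pair is already covered by an earlier line.

    With exclusions applied before the comparison, the REJECT and DROP lines
    from the thread cover different pairs and neither is redundant.
    """
    covered: Set[Pair] = set()
    out: List[int] = []
    for i, p in enumerate(policies):
        mine = pairs_for(p, zones)
        if mine and mine <= covered:
            out.append(i)
        covered |= mine
    return out


def effective_action(table: Dict[Pair, Policy], src: str, dest: str) -> Optional[str]:
    """Action for a zone pair, or None when no policy line covers it."""
    p = table.get((src, dest))
    return p.action if p else None


# The three policy lines from the thread, with ${FW} written as "fw".
ZONES = {"fw", "net", "z1", "z2"}  # hypothetical zone set
POLICIES = [
    Policy("fw", "all", "ACCEPT"),
    Policy("all!fw,net", "all+!fw,net", "REJECT", "info"),
    Policy("all", "all", "DROP", "info"),
]
TABLE = compile_policies(POLICIES, ZONES)

if __name__ == "__main__":
    for s, d in sorted(TABLE):
        print(f"{s:>3} -> {d:<3} {TABLE[(s, d)].action}")
    print("redundant policy lines:", redundant_policies(POLICIES, ZONES))
```

Running the block prints the expanded table: z1 and z2 reach each other (and themselves) with REJECT, anything involving net or a non-fw destination of fw falls to DROP, and fw as source is ACCEPTed; net -> net is left uncovered because neither line uses "all+" for it.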