On 2/21/19 5:15 PM, ObNox wrote:
> On 21/02/2019 18:29, Tom Eastep wrote:
> 
>>> The relevant part of the policy file :
>>>
>>> ${FW}          {  dest=all             policy=ACCEPT  }
>>>
>>> all!${FW},net  {  dest=all+!${FW},net  policy=REJECT  loglevel=info  }
>>>
>>> all            {  dest=all             policy=DROP    loglevel=info  }
>>
>> Please give the attached patch a try.
> 
> Thank you! Though, it creates a little side effect now :
> 
> # shorewall ck
> Checking using Shorewall 5.2.3...
>    ERROR: Policy "all all DROP" duplicates earlier policy "all all
> REJECT" /etc/shorewall/policy (line 11)
> 
> What I want to achieve :
> 
> - Every intra-zone non-explicit rule falls into REJECT, like z1:host1
> trying to reach zX:hostX (including any host in z1) without a specific
> rule (i.e. SW:z1-z2:REJECT .... in logs)
> 
> Rationale: Unwanted intra-zone traffic from known hosts gets
> "connection refused" instead of waiting desperately for a (long) timeout.
> 
> - Every OTHER non-explicit rule falls into DROP, like "net: => anything"
> or hosts outside any zone, thus falling into FORWARD or INPUT.
> 
> Rationale: Unwanted traffic of any kind, like people from "net:" or
> misconfigured hosts within the LAN, gets DROPPED without mercy.
> 
> That's why I asked for zone exclusions in the first place. I really
> thought that :
> 
> all!${FW},net { dest=all+!${FW},net policy=REJECT loglevel=info }
> 
> would be internally translated by the parser/compiler to :
> 
> z1,z2,..,zN { dest=z1,z2,..,zN+ policy=REJECT loglevel=info }
> 
> See what I mean? :-)
> 

It does that -- but then you have another all->all DROP rule following
it, which duplicates the preceding rule. When you include '+', the rule
covers both inter-zone AND intra-zone traffic.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
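An added example, not from the thread and not Shorewall's own compiler code: a deliberately simplified Python model of how a policy line's `all`, `!` exclusions and trailing `+` expand into (source, dest) zone pairs, run over the three policy lines quoted above with a constructed zone list (`fw`, `net`, `z1`, `z2`, `z3`). It illustrates the point in the reply: with `+` on the REJECT line, z1->z1 matches that line; without it, the same pair matches nothing, because plain `all` covers inter-zone traffic only. The duplicate-policy check that produced the error above is not modelled, and treating `+` on either side as "include intra-zone" is an assumption of this model.

```python
# Simplified model (an assumption for this example, not Shorewall's own
# compiler) of how a policy line's 'all', '!' exclusions and '+' expand
# into (source, dest) zone pairs, and of first-match policy lookup.

FW = "fw"
# Constructed zone list: the firewall, the Internet and three LAN zones.
ZONES = [FW, "net", "z1", "z2", "z3"]


def parse_spec(spec):
    """Expand a zone spec such as 'all', 'all+!fw,net' or 'z1,z2'.

    Returns (zones, intra): the set of zones the spec names and whether a
    trailing '+' asked for intra-zone (zone-to-itself) traffic as well.
    """
    excluded = set()
    if "!" in spec:
        spec, excl = spec.split("!", 1)
        excluded = set(excl.split(","))
    intra = spec.endswith("+")
    if intra:
        spec = spec[:-1]
    zones = set(ZONES) if spec == "all" else set(spec.split(","))
    unknown = (zones | excluded) - set(ZONES)
    if unknown:
        raise ValueError(f"unknown zone(s): {sorted(unknown)}")
    return zones - excluded, intra


def expand_policy(source, dest):
    """Return the set of (src, dst) pairs one policy line applies to.

    A zone-to-itself pair is only included when either side carries '+'
    (model assumption); plain 'all' covers inter-zone traffic only.
    """
    src_zones, src_intra = parse_spec(source)
    dst_zones, dst_intra = parse_spec(dest)
    intra = src_intra or dst_intra
    return {(s, d) for s in src_zones for d in dst_zones if s != d or intra}


def lookup(policies, src, dst):
    """First matching line wins, as the policy file is read top to bottom.

    Returns None when no line covers the pair; in this model that is the
    case Shorewall handles with its own intra-zone default instead.
    """
    for source, dest, policy in policies:
        if (src, dst) in expand_policy(source, dest):
            return policy
    return None


# The three lines from the thread, as (SOURCE, DEST, POLICY).
WITH_PLUS = [
    (FW, "all", "ACCEPT"),
    ("all!fw,net", "all+!fw,net", "REJECT"),
    ("all", "all", "DROP"),
]

# The same file with the '+' removed from the middle line, for comparison.
WITHOUT_PLUS = [
    (FW, "all", "ACCEPT"),
    ("all!fw,net", "all!fw,net", "REJECT"),
    ("all", "all", "DROP"),
]

if __name__ == "__main__":
    samples = [(FW, "z1"), ("z1", "z1"), ("z1", "z2"), ("net", "z1"), ("z1", "net")]
    for name, table in (("with '+'", WITH_PLUS), ("without '+'", WITHOUT_PLUS)):
        print(name)
        for src, dst in samples:
            print(f"  {src:>3} -> {dst:<3} {lookup(table, src, dst)}")
```

Running it prints the resolved policy for each sample pair under both tables; the only row that changes between them is z1 -> z1, which is exactly the intra-zone case the `+` controls.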
