On 22/02/2019 17:39, Tom Eastep wrote:
>>>> Thank you! Though, it creates a little side effect now:
>>>>
>>>> # shorewall ck
>>>> Checking using Shorewall 5.2.3...
>>>> ERROR: Policy "all all DROP" duplicates earlier policy "all all REJECT" /etc/shorewall/policy (line 11)
>>>>
>>>> What I want to achieve:
>>>> - Every intra-zone non-explicit rule falls into REJECT, like z1:host1
>>>> trying to reach zX:hostX (including any host in z1) without a specific
>>>> rule (i.e. SW:z1-z2:REJECT .... in logs)
>>>> Rationale: Unwanted intra-zone traffic from known hosts gets
>>>> "connection refused" instead of waiting desperately for a (long) timeout.
>>>> - Every OTHER non-explicit rule falls into DROP, like "net: => anything"
>>>> or hosts outside any zone, thus falling into FORWARD or INPUT.
>>>> Rationale: Unwanted traffic of any kind, like people from "net:" or
>>>> misconfigured hosts within the LAN, gets DROPPED without mercy.
>>>>
>>>> That's why I asked for zone exclusions in the first place. I really
>>>> thought that:
>>>>
>>>> all!${FW},net { dest=all+!${FW},net policy=REJECT loglevel=info }
>>>>
>>>> would be internally translated by the parser/compiler to:
>>>>
>>>> z1,z2,..,zN { dest=z1,z2,..,zN+ policy=REJECT loglevel=info }
>>>>
>>>> See what I mean? :-)
>>>
>>> It does that -- but then you have another all->all DROP rule following
>>> it, which duplicates the preceding rule.
>>
>> That's what I don't understand here. If "all!${FW},net" translates to
>> "z1,z2,..,zN", then why do my current settings work perfectly and produce
>> no error at compile time...
>>
>> z1,z2,..,zN { dest=z1,z2,..,zN+ policy=REJECT loglevel=info }
>> all { dest=all policy=DROP loglevel=info }
>>
>> While...
>>
>> all!${FW},net { dest=all+!${FW},net policy=REJECT loglevel=info }
>> all { dest=all policy=DROP loglevel=info }
>>
>> does not and ends up with an error? As you said, the first line ought to
>> be an exact equivalent, right? I'm missing something here.
>
> When you include '+', the rule covers both inter-zone AND intra-zone
> traffic.

So in the current state, I can't mimic my old settings with the
exclusions feature.

I want to REJECT inter/intra-zone traffic because I'm dealing with known
hosts and I don't want them to wait for packet timeouts.

I want to DROP everything else, both "expected" traffic from a known
zone like "net->*" and "unexpected" traffic from unknown sources like a
rogue IP not belonging to any zone and thus falling into the default
policy of INPUT/FORWARD.

Yikes! I guess I'll continue to use the old way of listing every single
zone I manage, which is visually unappealing when there are several
of them :-)
--
ObNox
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
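As an added example that is not part of the thread and not Shorewall's own code, here is a small Python model of the policy lookup: it resolves each (source zone, destination zone) pair against the two policy sets quoted above, first match wins, the way the thread reads them ("all" is every zone, a trailing "+" also covers traffic that stays inside the source zone, "!a,b" removes zones). It lets a practitioner lay out, pair by pair, what "REJECT among the known zones, DROP everything else" resolves to, $FW and net included, and confirm that the explicit zone list and the exclusion form cover exactly the same pairs, which is the equivalence the thread expected. Assumptions: the zone names z1, z2, z3 are constructed, "fw" stands in for $FW, intra-zone traffic that no entry covers is treated as Shorewall's implicit ACCEPT, and inter-zone traffic that no entry covers is reported as NONE. The model implements only the lookup; it does not reproduce the compiler's duplicate-policy check, so it says nothing about why 5.2.3 rejects the exclusion form.

```python
"""Added example: not code from the thread, and not Shorewall's own code.

A first-match-wins model of how a Shorewall policy table resolves a
(source zone, destination zone) pair, so the two policy sets from the
thread can be compared pair by pair.  It understands the column forms the
thread uses: "all", a comma-separated zone list, a trailing "+" (also
cover intra-zone traffic) and a "!zone,zone" exclusion list.  It models
only the lookup; it does not implement the compiler's duplicate-policy
check that produced the ERROR quoted in the thread.

Assumptions (labelled): "fw" stands in for $FW; the zone names are
constructed; intra-zone traffic that no entry covers is treated as
ACCEPT (Shorewall's implicit intra-zone policy); inter-zone traffic that
no entry covers is reported as "NONE".
"""

from typing import Dict, List, Set, Tuple

Policy = Tuple[str, str, str]          # (SOURCE spec, DEST spec, POLICY)
Matrix = Dict[Tuple[str, str], str]    # (src zone, dst zone) -> POLICY

ZONES = ["fw", "net", "z1", "z2", "z3"]   # constructed; "fw" stands in for $FW

# The form that compiled cleanly in the thread: every internal zone listed.
EXPLICIT: List[Policy] = [
    ("z1,z2,z3", "z1,z2,z3+", "REJECT"),
    ("all", "all", "DROP"),
]

# The 5.2.3 exclusion form that the compiler rejected as a duplicate.
EXCLUSION: List[Policy] = [
    ("all!fw,net", "all+!fw,net", "REJECT"),
    ("all", "all", "DROP"),
]


def expand(spec: str, zones: List[str]) -> Tuple[Set[str], bool]:
    """Turn one SOURCE or DEST column into (zone set, covers_intra_zone).

    "all" is every zone (fw included); "z1,z2" is a literal list; a "+"
    before any "!" marks intra-zone coverage; "!a,b" removes zones.
    """
    base, _, excluded = spec.partition("!")
    plus = base.endswith("+")
    if plus:
        base = base[:-1]
    names = set(zones) if base == "all" else set(base.split(","))
    if excluded:
        names -= set(excluded.split(","))
    return names, plus


def resolve(src: str, dst: str, policies: List[Policy], zones: List[str]) -> str:
    """Return the POLICY the first matching entry assigns to src -> dst."""
    for s_spec, d_spec, action in policies:
        s_set, _ = expand(s_spec, zones)
        d_set, plus = expand(d_spec, zones)
        if src not in s_set or dst not in d_set:
            continue
        # Intra-zone traffic is only covered by a "+" DEST or by an explicit
        # single-zone "z z" entry; a plain "all all" entry does not cover it.
        if src == dst and not plus and not (s_spec == d_spec == src):
            continue
        return action
    # Assumption: uncovered intra-zone traffic is implicitly ACCEPTed.
    return "ACCEPT" if src == dst else "NONE"


def matrix(policies: List[Policy], zones: List[str]) -> Matrix:
    """Resolve every ordered zone pair, so two policy sets can be diffed."""
    return {(s, d): resolve(s, d, policies, zones) for s in zones for d in zones}


def render(policies: List[Policy], zones: List[str]) -> str:
    """Tabulate the matrix: one row per source zone, one column per destination."""
    m = matrix(policies, zones)
    header = "src\\dst"
    width = max(len(header), max(len(z) for z in zones))
    rows = ["%-*s  %s" % (width, header, "  ".join("%-7s" % z for z in zones))]
    for s in zones:
        cells = "  ".join("%-7s" % m[(s, d)] for d in zones)
        rows.append("%-*s  %s" % (width, s, cells))
    return "\n".join(rows)


if __name__ == "__main__":
    for label, pol in (("explicit zone list", EXPLICIT), ("exclusion form", EXCLUSION)):
        print("== %s ==" % label)
        print(render(pol, ZONES))
    # Both tables resolve identically; the thread's ERROR comes from the
    # compiler's duplicate check, which this model deliberately leaves out.
    print("identical:", matrix(EXPLICIT, ZONES) == matrix(EXCLUSION, ZONES))
```

Run it directly to print both matrices. With the constructed zones, z1->z1 and z1->z2 resolve to REJECT; z1->net, net->z1, z1->fw and net->fw resolve to DROP; and net->net or fw->fw match neither entry, because a plain "all all" entry never covers intra-zone traffic, so under the stated assumption they fall to the implicit intra-zone ACCEPT. That last row is worth checking against the intent of "DROP everything else" in a real policy file.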