--On Friday, November 01, 2002 10:27:51 PM -0400 Jeff Clark <[EMAIL PROTECTED]> wrote:

> My problems begin with the fact that shorewall does show a REJECT policy
> for the onl network with the all2all chain even though it appears to
> establish one - I cannot ftp or ssh from ofl to onl or access the net
> from ofl.
The grammar and logic in the above paragraph defy words. I have absolutely no idea what you are trying to say.

> However, I can ping freely between the networks and most disturbing is my
> ability to ping internal clients on both internal networks from the
> EXTERNAL network - even masq'd clients.  I know the norfc1918 option on
> zone net will stop this but shouldn't the overall policy of net2all
> prevent this?
Pinging and "overall policy" are two different things in Shorewall. Most users (probably irrationally) expect to be able to ping even when they want to prevent establishment of any other type of connection -- they see 'ping' as the magic bullet that proves connectivity.

In order to drive down the number of posts that say

<whine>
I can't ping!!!!
</whine>

I implemented a shorewall.conf variable called FORWARDPING. If set to Yes, this variable causes icmp echo requests to be accepted in the FORWARD chain prior to the application of POLICY. FORWARDPING=Yes is the default value -- if you don't like it, you can of course set it to "No".

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ [EMAIL PROTECTED]
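The point of Tom's reply is that FORWARDPING=Yes makes ICMP echo-request bypass the zone policies entirely, because the ACCEPT sits in the FORWARD chain ahead of every jump into a policy chain such as net2all or all2all. The script below is an added example, not part of the original post or of the Shorewall project: it inspects `iptables-save` style output and reports whether such a bypass exists, so you can verify the live rule set rather than trust shorewall.conf. The three rule dumps are constructed for illustration and simplify Shorewall's real FORWARD layout; the chain names follow Shorewall's <zone>2<zone> convention and are assumed, not copied from a running box.

```shell
#!/bin/sh
# Added example (not from the original post or from Shorewall itself).
# Checks whether ICMP echo-request is accepted in FORWARD before the first
# jump into a Shorewall policy chain, which is what FORWARDPING=Yes does.

# Constructed sample 1: FORWARD as it looks with FORWARDPING=Yes. The
# echo-request ACCEPT precedes the jumps to net2all / all2all.
SAMPLE_FORWARDPING_YES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:all2all - [0:0]
:net2all - [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A FORWARD -i eth0 -j net2all
-A FORWARD -j all2all
-A all2all -j REJECT --reject-with icmp-port-unreachable
-A net2all -j DROP
COMMIT'

# Constructed sample 2: FORWARDPING=No and no ping rule at all; every
# echo-request is subject to the zone policies.
SAMPLE_FORWARDPING_NO='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:all2all - [0:0]
:net2all - [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -j net2all
-A FORWARD -j all2all
-A all2all -j REJECT --reject-with icmp-port-unreachable
-A net2all -j DROP
COMMIT'

# Constructed sample 3: FORWARDPING=No plus an explicit rules-file entry
# (e.g. "ACCEPT loc net icmp 8") that lands in a zone chain, not in
# FORWARD. Ping is allowed only for that zone pair; policy still applies
# to everything else, so this is not a bypass.
SAMPLE_EXPLICIT_RULE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:all2all - [0:0]
:loc2net - [0:0]
:net2all - [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -j net2all
-A FORWARD -i eth1 -o eth0 -j loc2net
-A FORWARD -j all2all
-A loc2net -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A loc2net -j all2all
-A all2all -j REJECT --reject-with icmp-port-unreachable
-A net2all -j DROP
COMMIT'

# ping_bypasses_policy RULES
#   Prints "yes" if an ACCEPT for echo-request (type 8) appears in the
#   FORWARD chain before the first jump to a <zone>2<zone> chain,
#   otherwise "no". Only FORWARD itself is examined: an ACCEPT inside a
#   zone chain was placed there by a rules-file entry and is policy-scoped.
ping_bypasses_policy() {
    printf '%s\n' "$1" | awk '
        /^-A FORWARD / {
            if (!seen_policy && $0 ~ /--icmp-type (8|echo-request)/ && $0 ~ /-j ACCEPT$/)
                found = 1
            if ($0 ~ /-j [a-z0-9]+2[a-z0-9]+$/)
                seen_policy = 1
        }
        END { print (found ? "yes" : "no") }'
}

# Run against the constructed samples. On a live box use:
#   ping_bypasses_policy "$(iptables-save)"
printf 'FORWARDPING=Yes layout: bypass=%s\n' "$(ping_bypasses_policy "$SAMPLE_FORWARDPING_YES")"
printf 'FORWARDPING=No  layout: bypass=%s\n' "$(ping_bypasses_policy "$SAMPLE_FORWARDPING_NO")"
printf 'Explicit rule   layout: bypass=%s\n' "$(ping_bypasses_policy "$SAMPLE_EXPLICIT_RULE")"
```

If the check reports "yes" and you do not want ping to be exempt from policy, set FORWARDPING=No in shorewall.conf and then permit echo-request only for the zone pairs that need it with a rules-file entry such as `ACCEPT loc net icmp 8` (PROTO icmp, DEST PORT column carrying the ICMP type). That keeps the rule inside the loc2net chain, as in the third sample, where the net2all policy still governs traffic from the outside.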



------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

