Now that I have finally managed to activate the dynamic zones, I would
like to be able to use them to allow ssh access to my FW on the fly.
I only have one interface: eth0
zones:
fw firewall
net ipv4
sshok:net ipv4dynamic_shared
hosts:
sshok et
Seems I just needed a line added in policy
sshok all CONTINUE
Le samedi 07 octobre 2023 à 19:24 -0400, Christophe PEREZ a écrit :
> Now that I have finally managed to activate the dynamic zones, I
> would
> like to be able to use them to allow ssh access to my FW on the fly.
Or better yet, just replace the ssh accept rule with:
SSH(ACCEPT) sshok fw
Like this you won't need that like in the policy file.
On Sun, 8 Oct 2023, 04:23 Christophe PEREZ, wrote:
> Seems I just needed a line added in policy
> sshok all CONTINUE
>
> Le samedi 07 octobre
Ok nice !
But then why isn't this what we find in the docs?
They often speeks about net:+sshok.
Here for example https://shorewall.org/ipsets.html
Le dimanche 08 octobre 2023 à 04:27 +0100, Rodrigo Araujo a écrit :
> Or better yet, just replace the ssh accept rule with:
>
> SSH(ACCEPT) sshok
That part of the docs is specific to ipsets, and the way you did ends up
working because a dynamic zone is implemented using a ipset. But that was
sort of hackish (in my personal opinion, others can disagree). Your rule
says "allow ssh from the net zone, but only if from addresses contained in
that
Thank you very much for the explanations.
I too find it more elegant and simpler, but I wanted to understand the
nuance.
I can assure you that I have read and reread the docs many times, but I
admit that everything is not clear to me, I am neither a specialist nor
an English speaker, and that doesn
Hi all,
I always have problems with this and I really need your help.
I don't understand the use of dynamic zones, and I ultimately wonder if it
meets my needs or not.
It seems like the operation is exclusive and that's not what I want.
I would just like the dynamic zone to grant me additional a
If an address is in a zone, the rules for other zones aren't applied to it.
But since in this case "sshok" is a subzone of the "net" zone, you can
use a CONTINUE in policy to ensure the rule of the parent zone (in this
case "net") are also applied to it.
So try adding the following to the pol
Le Mon, 9 Oct 2023 18:23:48 +0100, Rodrigo Araujo a écrit :
> If an address is in a zone, the rules for other zones aren't applied to
> it.
So that’s what I didn’t understand. What I took to be abnormal is indeed
the intended behavior.
> But since in this case "sshok" is a subzone of the "net"
