-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Pierre Ossman wrote:

> I recently noticed that the compiler sets up ACCEPT as the policy for
> all {zone}2{zone} chains. This is a bit counter-intuitive as I'd expect
> my policy file to be valid even for stuff that moves inside a zone.

This has been discussed a lot from time to time. Most people assume that
hosts in the same zone can communicate with each other without restrictions.
This is a documented feature. When this defaulted to the all2all policy there was
much support traffic about this issue.

> Is this a bug or is there some specific idea to having this hard coded
> policy? Right now I've had to add "dmz dmz REJECT" to my file in order
> to get the behaviour I want.

Try "dmz dmz REJECT info" instead. If you want to prevent that traffic,
you probably want to log it too.

You have a special setup if you want to protect against zone2zone traffic.

- --
Tuomo Soini <[EMAIL PROTECTED]>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFIMVMTTlrZKzwul1ERAnReAJwM/xfEkL4ZHZ//3LkBCfttGr+V3ACfVAd7
noM3QftaxVYWpoq4tIVBQ+c=
=xCx3
-----END PGP SIGNATURE-----
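As an added illustration, not part of the original thread, here is a Shorewall /etc/shorewall/policy fragment that applies the suggestion above. It assumes three zones named net, loc and dmz (only dmz comes from the thread) and the standard SOURCE/DEST/POLICY/LOG_LEVEL column layout. Shorewall evaluates policy entries top-down and the first match wins, so the intra-zone dmz line must appear before the catch-all "all all" entry; without it the compiler's implicit ACCEPT for dmz2dmz applies.

```conf
# /etc/shorewall/policy (added example; zone names net/loc/dmz are assumed)
#SOURCE   DEST    POLICY   LOG_LEVEL
# Restrict traffic between hosts inside the dmz zone and log what is
# dropped at syslog level "info". This overrides the default intra-zone
# ACCEPT that the compiler would otherwise generate for dmz2dmz.
dmz       dmz     REJECT   info

# Usual inter-zone policies.
loc       net     ACCEPT
$FW       all     ACCEPT
net       all     DROP     info
# Catch-all must stay last: entries above it are matched first.
all       all     REJECT   info
```

Because the catch-all "all all REJECT info" does not cover same-zone traffic (Shorewall treats intra-zone traffic as implicitly accepted unless an explicit {zone} {zone} entry exists), the dmz dmz line is the only thing that restricts hosts within that zone; the LOG_LEVEL column makes the rejected packets visible in syslog so the effect of the policy can be checked.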

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users