Galia Lisovskaya wrote:
> ============Configuration files====================
>
> [EMAIL PROTECTED] two_work_config_]# cat zones
> ########################zones#######################################################
> #ZONE TYPE OPTIONS IN OUT
> # OPTIONS OPTIONS
> fw firewall
>
> ############ Hardware Local Network ##############
> #local Network interface
> loci ipv4
> #local network
> loc:loci
>
> desk1:loc
> ################################################
>
> ############# Venet Local Network ##############
> #Virtual Interface
> venet ipv4
>
> #Virtual network (see hosts file)
> ven1:venet
>
> #VPS servers
> web1:ven1
> serv2:ven1
> dmz:ven1
>
> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
>
> [EMAIL PROTECTED] two_work_config_]# cat hosts
> ################### hosts###################
> #ZONE HOST(S) OPTIONS
> web1 venet0:10.0.2.1
> serv2 venet0:10.0.2.2
>
> dmz venet0:10.0.2.3
>
> ven1 venet0:10.0.2.1-10.0.2.255
>
> loc eth0:10.0.5.0/24
> desk1 eth0:10.0.5.2
>
> #inet 0.0.0.0/24
>
> [EMAIL PROTECTED] two_work_config_]# cat interfaces
> #ZONE INTERFACE BROADCAST OPTIONS
> net eth0
> loci eth0 detect
> venet venet0 - routeback
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
> [EMAIL PROTECTED] two_work_config_]# cat policy
> ################## policy
> #############################################################
> #SOURCE DEST POLICY LOG LIMIT:BURST
> #
> $FW all ACCEPT
>
> #Remove this string!
> all $FW ACCEPT
>
> #May be, it's not need
> #loci venet ACCEPT
> #venet loci ACCEPT
>
> #loc ven1 ACCEPT
> #ven1 loc ACCEPT
>
> #Test DMZ
> ven1 dmz ACCEPT
> desk1 dmz ACCEPT
> dmz all DROP
>
> #Temporary acl for one vps
> web1 venet ACCEPT
> venet web1 ACCEPT
> loc web1 ACCEPT
> web1 loc ACCEPT
>
> #ACL for venet network
> ven1 venet ACCEPT
> venet ven1 ACCEPT
> loc ven1 ACCEPT
> ven1 loc ACCEPT
>
> #ven1 ven1 ACCEPT
> #ven1 loc ACCEPT
> #loc ven1 ACCEPT
>
> #temporary for desktop
> #desk1 ven1 ACCEPT
> #ven1 desk1 ACCEPT
>
> desk1 web1 ACCEPT
> web1 desk1 ACCEPT
>
> #loc web1 ACCEPT
> #loc serv2 ACCEPT
> #serv2 loc ACCEPT
> #web1 loc ACCEPT
>
> all all REJECT
> #LAST LINE -- DO NOT REMOVE
> [EMAIL PROTECTED] two_work_config_]#
>
> ============end of Configuration files====================
>
> For one test VPS server connection accept:
>
> [EMAIL PROTECTED] ~]$ ping -c 1 10.0.2.1
> PING 10.0.2.1 (10.0.2.1) 56(84) bytes of data.
> 64 bytes from 10.0.2.1: icmp_seq=1 ttl=64 time=1.44 ms
>
> --- 10.0.2.1 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> rtt min/avg/max/mdev = 1.440/1.440/1.440/0.000 ms
>
> But for other test VPS connection drop:
>
> [EMAIL PROTECTED] ~]$ ping -c 1 10.0.2.2
> PING 10.0.2.2 (10.0.2.2) 56(84) bytes of data.
> From 10.0.5.4 icmp_seq=1 Destination Host Unreachable
>
> --- 10.0.2.2 ping statistics ---
> 1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
>
> acl ven1 doesn't work.
The reason that it doesn't work is that 10.0.2.2 is in the serv2 zone. And serv2 is a sub-zone of ven1. The policy for desk->serv2 is REJECT.

To make these zone definitions work the way you want them to, you need to set IMPLICIT_CONTINUE=Yes in shorewall.conf. That way, if a connection doesn't match for one zone that a host is in, it will be compared against the rules/policies of the next zone that the host is in.

-Tom
--
Tom Eastep        \ The ultimate result of shielding men from the
Shoreline,         \ effects of folly is to fill the world with fools.
Washington, USA     \ -Herbert Spencer
http://shorewall.net \________________________________________________
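As an added illustration (not part of the thread), the Python script below transcribes the quoted zones, hosts and policy files and resolves the zone pair for the two pings, first the way the lookup behaves without IMPLICIT_CONTINUE and then with the fall-through to the parent zone that Tom describes. The lookup logic itself is a hypothetical simplification written for this example, not Shorewall's compiler; it assumes the pinging host 10.0.5.4 is only in loc and that a sub-zone pair with no explicit policy continues to the parent zone.

```python
import ipaddress

# zones file: child -> parent (fw, loci and venet are top-level zones).
PARENT = {"loc": "loci", "desk1": "loc", "ven1": "venet",
          "web1": "ven1", "serv2": "ven1", "dmz": "ven1"}
# hosts file: (zone, single address, CIDR block or first-last range).
HOSTS = [("desk1", "10.0.5.2"), ("loc", "10.0.5.0/24"), ("web1", "10.0.2.1"),
         ("serv2", "10.0.2.2"), ("dmz", "10.0.2.3"), ("ven1", "10.0.2.1-10.0.2.255")]
# policy file: the uncommented entries, in file order.
POLICY = [("$FW", "all", "ACCEPT"), ("all", "$FW", "ACCEPT"), ("ven1", "dmz", "ACCEPT"),
          ("desk1", "dmz", "ACCEPT"), ("dmz", "all", "DROP"), ("web1", "venet", "ACCEPT"),
          ("venet", "web1", "ACCEPT"), ("loc", "web1", "ACCEPT"), ("web1", "loc", "ACCEPT"),
          ("ven1", "venet", "ACCEPT"), ("venet", "ven1", "ACCEPT"), ("loc", "ven1", "ACCEPT"),
          ("ven1", "loc", "ACCEPT"), ("desk1", "web1", "ACCEPT"), ("web1", "desk1", "ACCEPT"),
          ("all", "all", "REJECT")]

def _bounds(spec):
    """First and last address (as ints) covered by a hosts entry."""
    if "-" in spec:
        lo, hi = spec.split("-")
        return int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
    net = ipaddress.ip_network(spec, strict=False)
    return int(net[0]), int(net[-1])

def _depth(zone):
    # Nesting depth from the zones file: deeper means more specific.
    return 0 if zone not in PARENT else 1 + _depth(PARENT[zone])

def zones_of(ip):
    """Zones whose hosts entry contains ip, innermost sub-zone first."""
    n = int(ipaddress.ip_address(ip))
    hits = [z for z, spec in HOSTS if _bounds(spec)[0] <= n <= _bounds(spec)[1]]
    return sorted(hits, key=_depth, reverse=True)

def policy_for(src, dst, wildcards):
    """First policy entry for the zone pair; 'all' matches only if wildcards."""
    for s, d, action in POLICY:
        if (s == src or (wildcards and s == "all")) and \
           (d == dst or (wildcards and d == "all")):
            return action
    return None

def decide(src_ip, dst_ip, implicit_continue):
    pairs = [(s, d) for d in zones_of(dst_ip) for s in zones_of(src_ip)]
    if not implicit_continue:      # only the innermost zone pair is ever consulted
        return policy_for(*pairs[0], wildcards=True)
    for s, d in pairs:             # sub-zone pair with no explicit policy: CONTINUE
        action = policy_for(s, d, wildcards=False)
        if action:
            return action
    return policy_for(*pairs[-1], wildcards=True)   # outermost pair: wildcards apply
```

With the model, `decide("10.0.5.4", "10.0.2.2", False)` lands on `all all REJECT` because the destination is classified as serv2 and no policy names that pair, while `decide("10.0.5.4", "10.0.2.2", True)` continues to the loc/ven1 pair and returns ACCEPT.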
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
