It does quite a bit. It would help a little more if there were a clearer sample setup with explicit examples, but I think I know now that for the most part I'll get the desired setup using IMPLICIT_CONTINUE=Yes, or policy CONTINUE.

On 1/15/2012 07:33, Tom Eastep wrote:
On Sat, 2012-01-14 at 23:08 -0800, Christ Schlacta wrote:

My major question is: I want to be able to set up a policy or a rule
similar to:
ACCEPT    lan(+all child zones)    wan    tcp    port.

And I also want to know what happens when a packet is allowed by one
rule but disallowed by another rule. For example, if I add another
dynamic zone "Special users" (spu:lan), and add someone in the usr zone
to the spu zone, do they match the usr, the spu, or the lan zone
policy and rule, if the rules are in conflict?
Example rule conflict:
SSH(REJECT)    lan    $FW
SSH(DROP)    usr    $FW
SSH(ACCEPT)    spu    $FW
There are several considerations here:

      1. If you set IMPLICIT_CONTINUE=Yes in shorewall.conf, then any
         connection that doesn't match any subzone rule is automatically
         passed on to the parent zone's rules.
      2. Child zones will always be checked before the parent zone.
      3. If a host is in more than one child zone, then connections
         to/from that host will be passed to the child zones rules in the
         order in which the child zones appear in /etc/shorewall/zones.

Hope that helps,
-Tom
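The sample setup the question asked for, as an added example that is not part of the thread and not Shorewall's own code: a small Python model that parses a constructed /etc/shorewall-style config (zones, hosts, policy, rules) and applies the three points from Tom's reply, child zones before the parent, siblings in zones-file order, and fall-through to the next zone under IMPLICIT_CONTINUE=Yes or a CONTINUE policy. The zone names, addresses, the `eth1:dynamic` hosts entry and the MACROS table are assumptions for illustration; the real compiler has details this model does not reproduce.

```python
"""Added model of Shorewall's nested-zone evaluation (not Shorewall code).

Applies the three points from Tom's reply to a constructed sample config
written in /etc/shorewall file syntax: child zones are checked before the
parent, a host in several child zones is checked in zones-file order, and
with IMPLICIT_CONTINUE=Yes (or a CONTINUE policy) an unmatched connection
falls through to the next zone.  Names, addresses and MACROS are assumed.
"""
import ipaddress

ZONES = """
fw      firewall
wan     ipv4
lan     ipv4
usr:lan ipv4
spu:lan ipv4
"""
# Same zones with the two child zones swapped, to show that file order matters.
ZONES_SPU_FIRST = ZONES.replace("usr:lan ipv4\nspu:lan ipv4", "spu:lan ipv4\nusr:lan ipv4")
IFACE_ZONE = {"eth0": "wan", "eth1": "lan"}      # stands in for /etc/shorewall/interfaces
HOSTS = """
usr    eth1:192.168.1.0/24
spu    eth1:dynamic
"""
POLICY = """
$FW    all    ACCEPT
all    all    REJECT
"""
RULES = """
SSH(REJECT)    lan    $FW
SSH(DROP)      usr    $FW
SSH(ACCEPT)    spu    $FW
ACCEPT         lan    wan    tcp    443
"""
MACROS = {"SSH": ("tcp", "22")}   # assumed subset of Shorewall's macro set


def rows(text):
    """Columns of each non-blank, non-comment line; $FW normalised to 'fw'."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.replace("$FW", "fw").split()


class Firewall:
    def __init__(self, zones_text, implicit_continue):
        self.parent = {}                      # zone -> parent or None, in file order
        for cols in rows(zones_text):
            name, _, parent = cols[0].partition(":")
            self.parent[name] = parent or None
        self.hosts = [(z, *spec.partition(":")[::2]) for z, spec in rows(HOSTS)]
        self.policy = [tuple(c[:3]) for c in rows(POLICY)]
        self.rules = []
        for cols in rows(RULES):
            action, src, dst = cols[:3]
            proto, dport = (cols[3:5] + [None, None])[:2]
            if "(" in action:                 # macro invocation such as SSH(DROP)
                macro, action = action.rstrip(")").split("(")
                proto, dport = MACROS[macro]
            self.rules.append((action, src, dst, proto, dport))
        self.implicit_continue = implicit_continue
        self.dynamic = set()                  # (zone, iface, ip) added at run time

    def add(self, iface, ip, zone):
        """Model of `shorewall add eth1:192.168.1.50 spu` for a dynamic zone."""
        self.dynamic.add((zone, iface, ip))

    def zones_for(self, iface, ip):
        """All zones containing the host, children first, siblings in file order."""
        addr = ipaddress.ip_address(ip)
        member = {IFACE_ZONE[iface]}
        for zone, hiface, net in self.hosts:
            if hiface == iface and ((zone, iface, ip) in self.dynamic if net == "dynamic"
                                    else addr in ipaddress.ip_network(net)):
                member.add(zone)
        for zone in list(member):             # a usr host is also a lan host
            while self.parent[zone]:
                zone = self.parent[zone]
                member.add(zone)
        order = list(self.parent)

        def depth(z):
            return 0 if self.parent[z] is None else 1 + depth(self.parent[z])
        return sorted(member, key=lambda z: (-depth(z), order.index(z)))

    def decide(self, iface, ip, dst, proto, dport):
        """Return (action, 'rule' or 'policy', zone whose rule or policy decided)."""
        for zone in self.zones_for(iface, ip):
            for action, rsrc, rdst, rproto, rport in self.rules:
                if (rsrc, rdst) == (zone, dst) and rproto in (None, proto) \
                        and rport in (None, str(dport)):
                    return action, "rule", zone
            policy = next(a for s, d, a in self.policy
                          if s in (zone, "all") and d in (dst, "all"))
            if self.parent[zone] and (self.implicit_continue or policy == "CONTINUE"):
                continue                      # unmatched: pass to the next zone
            return policy, "policy", zone


def run(zones_text=ZONES, implicit_continue=True):
    """Decide the thread's SSH conflict and a lan->wan rule for sample hosts."""
    fw = Firewall(zones_text, implicit_continue)
    fw.add("eth1", "192.168.1.50", "spu")    # a usr host also placed in spu
    return {
        "usr+spu ssh": fw.decide("eth1", "192.168.1.50", "fw", "tcp", 22),
        "usr ssh": fw.decide("eth1", "192.168.1.60", "fw", "tcp", 22),
        "lan ssh": fw.decide("eth1", "192.168.2.7", "fw", "tcp", 22),
        "usr https": fw.decide("eth1", "192.168.1.60", "wan", "tcp", 443),
    }


if __name__ == "__main__":
    for label, result in run().items():
        print(f"{label:12} -> {result}")
```

With usr listed before spu, the host that is in both zones hits the usr rule and is DROPped; with `ZONES_SPU_FIRST` the same host is ACCEPTed by the spu rule, which is the ordering point in consideration 3. The `ACCEPT lan wan tcp 443` rule reaches usr hosts only when IMPLICIT_CONTINUE=Yes (or usr has a CONTINUE policy); otherwise the usr host falls to its own policy, here `all all REJECT`. Treat the model as a reading aid for the thread, not as the compiler: confirm a real config with `shorewall check` and the generated rules.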


------------------------------------------------------------------------------
RSA(R) Conference 2012
Mar 27 - Feb 2
Save $400 by Jan. 27
Register now!
http://p.sf.net/sfu/rsa-sfdev2dev2


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users