That part of the docs is specific to ipsets, and the way you did it ends up
working because a dynamic zone is implemented using an ipset. But that was
sort of hackish (in my personal opinion, others can disagree). Your rule
says "allow ssh from the net zone, but only if from addresses contained in
that ipset, to the firewall".

The way I suggested is more general, since a dynamic zone is just a zone.
So what I suggested just says "allow ssh from the sshok zone to the
firewall". I think it's more elegant this way too.

If you intend to work with more zones and a more complex setup in the
future, I would suggest reading the part of the docs that talks about the
concept of zones. Once one understands that, it makes sense.



On Sun, 8 Oct 2023, 15:32 Christophe PEREZ, <ch...@novazur.fr> wrote:

> Ok nice !
> But then why isn't this what we find in the docs?
>
> They often speaks about net:+sshok.
>
> Here for example https://shorewall.org/ipsets.html
>
> On Sunday, 8 October 2023 at 04:27 +0100, Rodrigo Araujo wrote:
> > Or better yet, just replace the ssh accept rule with:
> >
> > SSH(ACCEPT) sshok              fw
> >
> > Like this you won't need that line in the policy file.
> >
> > On Sun, 8 Oct 2023, 04:23 Christophe PEREZ, <ch...@novazur.fr> wrote:
> > > Seems I just needed a line added in policy
> > > sshok           all             CONTINUE
> > >
> > > On Saturday, 7 October 2023 at 19:24 -0400, Christophe PEREZ wrote:
> > > > Now that I have finally managed to activate the dynamic zones, I would
> > > > like to be able to use them to allow ssh access to my FW on the fly.
> > > > I only have one interface: eth0
> > > >
> > > > zones:
> > > > fw              firewall
> > > > net             ipv4
> > > > sshok:net       ipv4            dynamic_shared
> > > >
> > > > hosts:
> > > > sshok           eth0:dynamic
> > > >
> > > > policy:
> > > > net             all             DROP    info
> > > > all             all             REJECT  info
> > > >
> > > > rules:
> > > > SSH(ACCEPT)     net:+sshok              fw
> > > >
> > > >
> > > > But my access is REJECTed:
> > > > Oct 8 01:17:20 myfw kernel: [2589.152380] sshok-fw REJECT IN=eth0 OUT=
> > > > MAC=fa:16:3e:77:ac:2a:2a:9c:dc:33:c6:4b:08:00 SRC=ssh_client_IP DST=fw_ip
> > > > LEN=60 TOS=0x00 PREC=0x00 TTL=42 ID=5951 DF PROTO=TCP SPT=29346 DPT=22
> > > > WINDOW=65535 RES=0x00 SYN URGP=0
> > > >
> > > > What is my mistake please?
> > >
> > > _______________________________________________
> > > Shorewall-users mailing list
> > > Shorewall-users@lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>
> --
> Christophe
>
>
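To make the zone-pair reasoning in the thread concrete, here is an added example (not from the list posts or from Shorewall itself): it parses the kind of kernel log line quoted above into its zone pair and fields, then uses a deliberately simplified model of Shorewall's nested-zone behaviour to show why a rule with source `net:+sshok` is never consulted for a packet the firewall already logged as `sshok-fw`, unless a `sshok all CONTINUE` policy lets it fall through to the parent zone, while a rule with source `sshok` matches directly. The sample addresses and the `PARENTS`/rule tables are constructed for the example.

```python
import re

# Constructed sample, modelled on the kernel log line quoted in the thread;
# the addresses are documentation placeholders, not real hosts.
SAMPLE_LOG = (
    "Oct 8 01:17:20 myfw kernel: [2589.152380] sshok-fw REJECT IN=eth0 OUT= "
    "MAC=fa:16:3e:77:ac:2a:2a:9c:dc:33:c6:4b:08:00 SRC=198.51.100.7 DST=192.0.2.1 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=42 ID=5951 DF PROTO=TCP SPT=29346 DPT=22 "
    "WINDOW=65535 RES=0x00 SYN URGP=0"
)

# Matches the "<srczone>-<dstzone> <DISPOSITION>" prefix seen in the thread's
# log line, followed by the netfilter key=value fields and bare flags.
PREFIX_RE = re.compile(r"\]\s+(\w+)-(\w+)\s+([A-Z]+)\s+(.*)$")

def parse_log(line):
    """Return zone pair, disposition and netfilter fields (bare flags such as DF/SYN become True)."""
    m = PREFIX_RE.search(line)
    if not m:
        raise ValueError("not a Shorewall zone-pair log line")
    src_zone, dst_zone, verdict, rest = m.groups()
    fields = {}
    for tok in rest.split():
        key, eq, val = tok.partition("=")
        fields[key] = val if eq else True
    return {"src_zone": src_zone, "dst_zone": dst_zone, "verdict": verdict, "fields": fields}

def chains_consulted(src_zone, dst_zone, parents, policies):
    """Simplified model: the packet is evaluated in the src-dst chain; a
    'src all CONTINUE' policy lets it fall through to the parent zone's chain too."""
    chains = [(src_zone, dst_zone)]
    while (src_zone, "all", "CONTINUE") in policies and src_zone in parents:
        src_zone = parents[src_zone]
        chains.append((src_zone, dst_zone))
    return chains

def matching_rules(entry, rules, parents, policies):
    """Rules whose zone pair coincides with a chain the logged packet passes through.
    A source like 'net:+sshok' lives in the net-fw chain, whatever ipset it names."""
    chains = chains_consulted(entry["src_zone"], entry["dst_zone"], parents, policies)
    hits = []
    for action, source, dest in rules:
        if (source.split(":", 1)[0], dest) in chains:
            hits.append((action, source, dest))
    return hits

PARENTS = {"sshok": "net"}                                # from zones: sshok:net
ORIGINAL_RULES = [("SSH(ACCEPT)", "net:+sshok", "fw")]    # the rule from the first post
SUGGESTED_RULES = [("SSH(ACCEPT)", "sshok", "fw")]        # the rule suggested in the reply
```

With the original rule and no CONTINUE policy the packet reaches the `sshok-fw` chain, finds nothing, and hits the `all all REJECT` policy, which is exactly the log line in the thread.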