That part of the docs is specific to ipsets, and the way you did it ends up working because a dynamic zone is implemented using an ipset. But that was sort of hackish (in my personal opinion, others can disagree). Your rule says "allow ssh from the net zone, but only if from addresses contained in that ipset, to the firewall".
The way I suggested is more general, since a dynamic zone is just a zone. So what I suggested just says "allow ssh from the sshok zone to the firewall". I think it's more elegant this way too. If you intend to work with more zones and a more complex setup in the future, I would suggest reading the part of the docs that talks about the concept of zones. Once one understands that, it makes sense.

On Sun, 8 Oct 2023, 15:32 Christophe PEREZ, <ch...@novazur.fr> wrote:
> Ok nice!
> But then why isn't this what we find in the docs?
>
> They often speak about net:+sshok.
>
> Here for example https://shorewall.org/ipsets.html
>
> On Sunday 08 October 2023 at 04:27 +0100, Rodrigo Araujo wrote:
> > Or better yet, just replace the ssh accept rule with:
> >
> > SSH(ACCEPT) sshok fw
> >
> > Like this you won't need that line in the policy file.
> >
> > On Sun, 8 Oct 2023, 04:23 Christophe PEREZ, <ch...@novazur.fr> wrote:
> > > Seems I just needed a line added in policy
> > > sshok all CONTINUE
> > >
> > > On Saturday 07 October 2023 at 19:24 -0400, Christophe PEREZ wrote:
> > > > Now that I have finally managed to activate the dynamic zones, I would
> > > > like to be able to use them to allow ssh access to my FW on the fly.
> > > > I only have one interface: eth0
> > > >
> > > > zones:
> > > > fw firewall
> > > > net ipv4
> > > > sshok:net ipv4 dynamic_shared
> > > >
> > > > hosts:
> > > > sshok eth0:dynamic
> > > >
> > > > policy:
> > > > net all DROP info
> > > > all all REJECT info
> > > >
> > > > rules:
> > > > SSH(ACCEPT) net:+sshok fw
> > > >
> > > >
> > > > But my access is REJECTed:
> > > > Oct 8 01:17:20 myfw kernel: [2589.152380] sshok-fw REJECT IN=eth0 OUT= MAC=fa:16:3e:77:ac:2a:2a:9c:dc:33:c6:4b:08:00 SRC=ssh_client_IP DST=fw_ip LEN=60 TOS=0x00 PREC=0x00 TTL=42 ID=5951 DF PROTO=TCP SPT=29346 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
> > > >
> > > > What is my mistake please?
> --
> Christophe
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users