On Mon, 9 Oct 2023 18:23:48 +0100, Rodrigo Araujo wrote:

> If an address is in a zone, the rules for other zones aren't applied to
> it.

So that's what I didn't understand. What I took to be abnormal is indeed the intended behavior.

> But since in this case "sshok" is a subzone of the "net" zone, you can
> use a CONTINUE in policy to ensure the rules of the parent zone (in this
> case "net") are also applied to it.

Ok!

> So try adding the following to the policy file (before any DROPs or
> REJECTs):
>
> sshok all CONTINUE
> all sshok CONTINUE

That's what I need. I never thought of this side all-sshok because I didn't understand that the other rules weren't applied, as said above.

> (I know I said earlier it wouldn't be needed, but since you have other
> rules like the one you described, then you do need it - sorry for any
> confusion)

It's not your fault. It's mine, it's me who doesn't understand anything :D

> The "all sshok CONTINUE" can help if you have rules from anything to the
> "net" zone and also want it to be applied to the "sshok" zone.

I understand.

> As an alternative, you can explicitly allow in the rules file:
>
> Web(ACCEPT) net,sshok fw

I have way too many rules for this form. I much prefer the first one.

> BTW, I would advise to have the following in the policy file as the
> first entry, in any case, to ensure the firewall can freely access
> anything:
>
> $FW all ACCEPT

Surely not! :D

> Hope this helps.

Thanks a lot.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
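Added illustration (not part of the thread, and not Shorewall's own code): a deliberately simplified model of how a packet from a host in the "sshok" subzone is matched first against the sshok rules and policy, and only reaches the parent "net" rules when the policy says CONTINUE. The zone names, the port-22 and port-80 rules and the two policy tables are constructed for the example; real Shorewall evaluation involves interfaces, macros and more options than this model covers.

```python
# Simplified model of Shorewall zone/policy evaluation for the thread above.
# Constructed example: not Shorewall's implementation, only the behaviour the
# reply describes (rules per zone pair, then policy, CONTINUE climbs to parent).

# zone -> parent zone; sshok is declared as a subzone of net (sshok:net in zones)
PARENTS = {"net": None, "sshok": "net", "fw": None}

# rules file entries: (action, source zone, dest zone, dest port)
RULES = [
    ("ACCEPT", "sshok", "fw", 22),   # SSH only from the sshok hosts
    ("ACCEPT", "net", "fw", 80),     # the "Web(ACCEPT) net fw" rule
]

# policy file entries, first match wins, "all" is a wildcard
POLICY_PLAIN = [("net", "all", "DROP"), ("all", "all", "REJECT")]
POLICY_CONTINUE = [("sshok", "all", "CONTINUE"),
                   ("all", "sshok", "CONTINUE")] + POLICY_PLAIN


def lookup_rule(src, dst, port):
    """Return the action of the first rule for this exact zone pair, if any."""
    for action, rsrc, rdst, rport in RULES:
        if rsrc == src and rdst == dst and rport == port:
            return action
    return None


def evaluate(src, dst, port, policies):
    """Walk rules, then policy, for (src, dst); on CONTINUE re-evaluate the
    packet as coming from (or going to) the parent zone."""
    while True:
        action = lookup_rule(src, dst, port)
        if action is not None:
            return action
        policy = next((a for s, d, a in policies
                       if s in (src, "all") and d in (dst, "all")), "DROP")
        if policy != "CONTINUE":
            return policy
        if PARENTS.get(src):
            src = PARENTS[src]          # sshok -> net, retry the net rules
        elif PARENTS.get(dst):
            dst = PARENTS[dst]
        else:
            return "DROP"               # no parent left to continue into


if __name__ == "__main__":
    for pol, name in ((POLICY_PLAIN, "plain"), (POLICY_CONTINUE, "continue")):
        print(name, "sshok->fw:80 =", evaluate("sshok", "fw", 80, pol))
```

Without the CONTINUE entries the sshok host never reaches the net web rule and falls through to the catch-all REJECT; with them it is accepted, while SSH from an ordinary net host still hits the net DROP policy.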