shorewall-users January 2012 archive

Re: [Shorewall-users] child and parent zones (or dynamic zones as well?)

From: Christ Schlacta <lists_at_nospam>
Date: Sun Jan 15 2012 - 22:26:18 GMT
To: shorewall-users@lists.sourceforge.net

It does quite a bit. It would help a little more if there were a
clearer sample setup with explicit examples, but I think I know now that
for the most part I'll get the desired setup using
IMPLICIT_CONTINUE=Yes, or policy CONTINUE.

On 1/15/2012 07:33, Tom Eastep wrote:
> On Sat, 2012-01-14 at 23:08 -0800, Christ Schlacta wrote:
>
>> My major question is: I want to be able to set up a policy or a rule
>> similar to:
>> ACCEPT lan(+all child zones) wan tcp port.
>>
>> And I also want to know: what happens when a packet is allowed by one
>> rule but disallowed by another rule? For example, if I add another
>> dynamic zone "Special users" (spu:lan), and add someone in the usr zone
>> to the spu zone, do they match the usr, the spu, or the lan zone
>> policy and rule, if the rules are in conflict?
>> Example rule conflict:
>> SSH(REJECT) lan $FW
>> SSH(DROP) usr $FW
>> SSH(ACCEPT) spu $FW
> There are several considerations here:
>
> 1. If you set IMPLICIT_CONTINUE=Yes in shorewall.conf, then any
> connection that doesn't match any subzone rule is automatically
> passed on to the parent zone's rules.
> 2. Child zones will always be checked before the parent zone.
> 3. If a host is in more than one child zone, then connections
> to/from that host will be passed to the child zones' rules in the
> order in which the child zones appear in /etc/shorewall/zones.
>
> Hope that helps,
> -Tom
>
>


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
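The configuration below is an added worked example illustrating the three points in Tom's reply (subzone rules evaluated before the parent's, IMPLICIT_CONTINUE=Yes passing unmatched connections on to the parent zone, and a host in two child zones being checked against those zones in /etc/shorewall/zones order), using the exact SSH rule conflict from the question. It is not configuration from the thread or from the Shorewall documentation. Interface names, the 192.168.1.0/24 addressing, the HTTP/HTTPS rule and the use of static entries in /etc/shorewall/hosts (instead of dynamic zone membership, which the question asked about) are all assumptions made for the example; the evaluation order stated in the comments is taken from the reply above.

```conf
############################################################
# /etc/shorewall/shorewall.conf (only the relevant setting)
############################################################
# A connection from a subzone that matches no subzone rule is
# handed on to the parent zone's rules (Tom's point 1).
IMPLICIT_CONTINUE=Yes

############################################################
# /etc/shorewall/zones
############################################################
# The parent (lan) must be declared before its children.
# spu is listed before usr on purpose: a host that is a member
# of BOTH child zones is checked against spu's rules first,
# because that is the order the child zones appear here
# (Tom's point 3).
#ZONE      TYPE      OPTIONS
fw         firewall
wan        ipv4
lan        ipv4
spu:lan    ipv4      # "special users", child of lan
usr:lan    ipv4      # ordinary users, child of lan

############################################################
# /etc/shorewall/interfaces
############################################################
# eth1 carries no zone of its own; lan/usr/spu membership is
# defined by address in the hosts file below (assumed layout).
#ZONE      INTERFACE   BROADCAST   OPTIONS
wan        eth0        detect
-          eth1        detect

############################################################
# /etc/shorewall/hosts (addresses are assumptions)
############################################################
#ZONE      HOST(S)                    OPTIONS
lan        eth1:192.168.1.0/24        # whole subnet is lan
usr        eth1:192.168.1.128/25      # upper half is also usr
spu        eth1:192.168.1.130         # one usr host is also spu

############################################################
# /etc/shorewall/policy
############################################################
# No explicit policies for spu or usr: with IMPLICIT_CONTINUE=Yes
# their unmatched traffic continues to the lan rules/policy.
# (The alternative Christ mentions is IMPLICIT_CONTINUE=No plus
# explicit "usr all CONTINUE" / "spu all CONTINUE" policy lines.)
#SOURCE    DEST      POLICY      LOG LEVEL
lan        wan       REJECT      info
lan        $FW       REJECT      info
$FW        all       ACCEPT
wan        all       DROP        info
all        all       REJECT      info

############################################################
# /etc/shorewall/rules
############################################################
# The order of these three SSH lines relative to each other does
# not decide the outcome: each zone pair gets its own chain, and
# child zones are always consulted before the parent (point 2).
#ACTION        SOURCE    DEST    PROTO   DEST PORT(S)
SSH(ACCEPT)    spu       $FW
SSH(DROP)      usr       $FW
SSH(REJECT)    lan       $FW

# "ACCEPT lan(+all child zones) wan tcp port": one rule on the
# parent is enough, because usr and spu have no matching rule of
# their own and IMPLICIT_CONTINUE hands the connection to lan.
ACCEPT         lan       wan     tcp     80,443

# Resulting SSH-to-firewall behaviour for three sample hosts:
#   192.168.1.20  (lan only)        -> lan rules   -> SSH(REJECT)
#   192.168.1.140 (lan + usr)       -> usr rules   -> SSH(DROP)
#   192.168.1.130 (lan + usr + spu) -> spu rules first (zones
#                                      order) -> SSH(ACCEPT)
# HTTP/HTTPS to wan from any of the three: no spu/usr rule
# matches, so the connection continues to lan and is ACCEPTed.
```

If the same host must be reachable in the opposite priority (usr's DROP winning over spu's ACCEPT), swapping the two child-zone lines in /etc/shorewall/zones is the only change needed; after editing, `shorewall check` followed by `shorewall restart` applies it, and `shorewall show zones` confirms which hosts ended up in which zone.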