PETER EASTHOPE wrote:
> Folk,
>
> Is there ever a case for the same zone being
> specified for SOURCE and DEST in a policy or rule?
>
> Example
> A LAN has a router/firewall machine, FTP server
> and some other machines which need access to the
> FTP server through the router/firewall.
> Is this rule needed?
> FTP/ACCEPT loc loc
>
> I've made a small effort to find the answer in the documentation
> and failed of course.
From 'man shorewall-policy' output:

    Intra-zone policies are pre-defined
    For $FW and for all of the zones defined in /etc/shorewall/zones,
    the POLICY for connections from the zone to itself is ACCEPT
    (with no logging or TCP connection rate limiting) but may be
    overridden by an entry in this file. The overriding entry must be
    explicit (cannot use "all" in the SOURCE or DEST).
So intra-zone ACCEPT rules are not required. Note though, that if intra-zone
traffic requires routing traffic out of the same interface that it arrived on,
then the 'routeback' option must be specified on that interface in
/etc/shorewall/interfaces.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
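The configuration Tom describes, written out as an added illustration (not from the list post or the Shorewall project): a single 'loc' zone on one interface with 'routeback' set, and an explicit intra-zone override in the policy file, which is the only way to change the default intra-zone ACCEPT. Interface name, zone name and the FTP server address 192.0.2.10 are assumed for the example.

```text
# /etc/shorewall/interfaces  (example, not the project's own file)
# 'routeback' is needed because loc->loc traffic through this box
# leaves via the same interface it arrived on.
#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     eth1        detect      routeback

# /etc/shorewall/policy  (example)
# The default loc->loc policy is ACCEPT. To override it, the entry
# must name the zone explicitly; "all  all  REJECT" would NOT override it.
#SOURCE DEST    POLICY    LOG LEVEL
loc     loc     REJECT    info
loc     net     ACCEPT
net     all     DROP      info
all     all     REJECT    info

# /etc/shorewall/rules  (example)
# Only needed once loc->loc is no longer ACCEPT by policy:
# allow LAN hosts to reach the FTP server at 192.0.2.10 (assumed address).
#ACTION      SOURCE   DEST            PROTO   DEST PORT
FTP/ACCEPT   loc      loc:192.0.2.10
```

With the default intra-zone ACCEPT policy left in place, only the 'interfaces' fragment is required; the policy override and the rule are shown to make the point that the override has to be explicit. 'shorewall check' will validate the files before 'shorewall restart' applies them.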