Hans
2008-Sep-09 12:48 UTC
problem with rules accept traffic to all zones except firewall (all-)
Hi!

I want to use Shorewall with a Vyatta router. I want to forward traffic between 2 WAN connections and a few VLANs.

Interfaces:

    wan    eth1
    wan2   eth2
    vlan2  eth3.2
    vlan3  eth3.3
    ...

Default policy drops all possible traffic. In rules:

    ACCEPT  wan                 all-
    ACCEPT  wan2                all-
    ACCEPT  vlan2:source net    all-

In the doc it is written that all- means "All zones except firewall", so why can I still connect to the firewall from WANs and VLANs? When I check the log, "Accept wan fw", "Accept wan2 fw" and "Accept vlan2 fw" are created.

How can I, in a simple way, allow all traffic between VLANs and WAN excluding the firewall, without creating an explicit rule for each interface?

Regards,
Hans

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Tom Eastep
2008-Sep-09 14:28 UTC
Re: problem with rules accept traffic to all zones except firewall (all-)
Hans wrote:
> In doc is written that all- means "All zones except firewall", so why I
> still can connect to firewall from WANs and VLANs.
> When I check log "Accept wan fw" "Accept wan2 fw" "Accept
> vlan2 fw" are created.

Which version of Shorewall are you running? Are you using Shorewall-shell or Shorewall-perl?

> How can I in simple way allow all traffic between vlans and wan
> excluding firewall, without creating explicit rule for each interface?

Define two zones:

    wan   eth1
    wan   eth2
    vlan  eth3.+

In Policy:

    ACCEPT  wan   vlan
    ACCEPT  vlan  wan

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Hans
2008-Sep-10 04:54 UTC
Re: problem with rules accept traffic to all zones except firewall (all-)
Tom Eastep wrote:
> Hans wrote:
>
>> In doc is written that all- means "All zones except firewall", so why I
>> still can connect to firewall from WANs and VLANs.
>> When I check log "Accept wan fw" "Accept wan2 fw" "Accept
>> vlan2 fw" are created.
>
> Which version of Shorewall are you running? Are you using
> Shorewall-shell or Shorewall-perl?
>
>> How can I in simple way allow all traffic between vlans and wan
>> excluding firewall, without creating explicit rule for each interface?
>
> Define two zones:
>
>     wan   eth1
>     wan   eth2
>     vlan  eth3.+
>
> In Policy:
>
>     ACCEPT  wan   vlan
>     ACCEPT  vlan  wan
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

Hi!

Version is 4.0.13 Shell.

I cannot do:

    ACCEPT  wan   vlan
    ACCEPT  vlan  wan

because I want to filter the VLAN source IP, e.g. ACCEPT vlan:xxx.xxx.xxx.xxx/24 all, so only IPs from that range can connect from the VLAN.

I managed to make it work. In the compiler file, on line 2675, I removed the line:

    xservers="$ZONES $FW"

and now it is:

    if [ "x$servers" = xall ]; then
        xservers="$ZONES $FW"
    elif [ "x$servers" = xall- ]; then
        xservers="$ZONES"
    fi

Regards,
Hans
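An added example, not Shorewall's own code and not from the thread: a small POSIX shell script that mimics how the Shorewall-shell compiler expands the DEST column of a rules entry, with the 4.0.13 behaviour Hans observed beside the corrected all- expansion. The zone list, the firewall zone name and the rule it expands are constructed for the demo; skipping the source's own zone is a simplification of this example, not Shorewall's logic.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: mimics how the Shorewall-shell
# compiler expands the DEST column of a rules entry into concrete zones.
# ZONES and FW are assumed to be the zone list and the firewall zone name
# (names taken from the compiler fragment quoted in the thread).

# expand_dest ZONES FW DEST -- prints the zones DEST stands for:
#   all   -> every zone, firewall included
#   all-  -> every zone except the firewall (the case that was broken)
#   other -> the value itself
expand_dest() {
    zones=$1; fw=$2; dest=$3
    case $dest in
        all)  printf '%s %s\n' "$zones" "$fw" ;;
        all-) printf '%s\n' "$zones" ;;
        *)    printf '%s\n' "$dest" ;;
    esac
}

# expand_dest_buggy reproduces the 4.0.13 behaviour Hans reported: all-
# got the same expansion as all, so the firewall zone stayed included.
expand_dest_buggy() {
    zones=$1; fw=$2; dest=$3
    case $dest in
        all|all-) printf '%s %s\n' "$zones" "$fw" ;;
        *)        printf '%s\n' "$dest" ;;
    esac
}

# expand_rule ZONES FW "ACTION SOURCE DEST" -- prints one concrete rule per
# destination zone. Skipping the source's own zone is a simplification of
# this example, not Shorewall's logic.
expand_rule() {
    zones=$1; fw=$2
    set -- $3
    action=$1; src=$2; dest=$3
    srczone=${src%%:*}            # drop any :address qualifier
    for z in $(expand_dest "$zones" "$fw" "$dest"); do
        [ "$z" = "$srczone" ] && continue
        printf '%s %s %s\n' "$action" "$src" "$z"
    done
}

# Constructed demo: the zones from the thread and a source-filtered vlan rule
# like the one Hans wanted (192.0.2.0/24 is a documentation prefix).
ZONES="wan wan2 vlan2"; FW=fw
expand_rule "$ZONES" "$FW" "ACCEPT vlan2:192.0.2.0/24 all-"
```

Run it and compare the output with the "Accept vlan2 fw" rule Hans saw in his log: the corrected expansion never yields a rule whose destination is the firewall zone.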
Tom Eastep
2008-Sep-10 15:45 UTC
Re: problem with rules accept traffic to all zones except firewall (all-)
Hans wrote:
> I managed make it work. In compiler file on line 2675 I removed line:
>     xservers="$ZONES $FW"
> and now is:
>     if [ "x$servers" = xall ];then
>         xservers="$ZONES $FW"
>     elif [ "x$servers" = xall- ];then
>         xservers="$ZONES"
>     fi

Thanks -- I'll create a patch release when time permits.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key