I came across a problem today with an ACCEPT+ rule using shorewall-perl
4.2.7.
The rule is:
ACCEPT+ loc:192.168.1.102 wifi tcp http,https
This resulted in a rule in the loc_dnat chain with the destination set
to 0.0.0.0/0, which seems to ignore the "wifi" zone in the destination
of the rule.
My "wifi" zone is defined as such in zones:
wifi ipv4
and my interfaces file has:
wifi eth3 detect dhcp,maclist
eth3 is up when shorewall is started. It has address
192.168.3.101/255.255.255.0.
Is this expected behavior? I didn't see anything in the shorewall-rules
man page about restrictions on the destination for an ACCEPT+ rule.
--
David Rothenberger ---- daveroth@acm.org
inoculatte:
To take coffee intravenously when you are running late.
------------------------------------------------------------------------------
David Rothenberger wrote:
> I came across a problem today with an ACCEPT+ rule using shorewall-perl
> 4.2.7.
>
> The rule is:
>
> ACCEPT+ loc:192.168.1.102 wifi tcp http,https
>
> This resulted in a rule in the loc_dnat chain with the destination set
> to 0.0.0.0/0, which seems to ignore the "wifi" zone in the destination
> of the rule.
>
> My "wifi" zone is defined as such in zones:
>
> wifi ipv4
>
> and my interfaces file has:
>
> wifi eth3 detect dhcp,maclist
>
> eth3 is up when shorewall is started. It has address
> 192.168.3.101/255.255.255.0.
>
> Is this expected behavior?

Yes.

The NAT part of the rule generated by ACCEPT+ does not consider the
destination zone.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
------------------------------------------------------------------------------
Tom Eastep wrote:
> David Rothenberger wrote:
>> I came across a problem today with an ACCEPT+ rule using shorewall-perl
>> 4.2.7.
>>
>> The rule is:
>>
>> ACCEPT+ loc:192.168.1.102 wifi tcp http,https
>>
>> This resulted in a rule in the loc_dnat chain with the destination set
>> to 0.0.0.0/0, which seems to ignore the "wifi" zone in the destination
>> of the rule.
>>
>> My "wifi" zone is defined as such in zones:
>>
>> wifi ipv4
>>
>> and my interfaces file has:
>>
>> wifi eth3 detect dhcp,maclist
>>
>> eth3 is up when shorewall is started. It has address
>> 192.168.3.101/255.255.255.0.
>>
>> Is this expected behavior?
>
> Yes.
>
> The NAT part of the rule generated by ACCEPT+ does not consider the
> destination zone.

Note that if you want to restrict the DNAT rule to packets addressed to
192.168.3.0/24, you can code the rule as:

ACCEPT+ loc:192.168.1.102 wifi:192.168.3.0/24 tcp http,https

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
------------------------------------------------------------------------------
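As an added example (not code from this thread or from Shorewall itself): a small audit that reads `iptables -t nat -S`-style output and reports every rule in the loc_dnat chain whose destination is unrestricted, which is the symptom David saw and which Tom's `wifi:192.168.3.0/24` form avoids. The sample lines, and the `-j RETURN` target used to complete them, are constructed assumptions.

```python
import ipaddress
import shlex

# Constructed sample of `iptables -t nat -S loc_dnat` output (not from the
# thread). Rule 1 mirrors the poster's result: a source match but no -d, so
# it applies to any destination. Rule 2 mirrors Tom's suggested DEST column
# wifi:192.168.3.0/24. Rule 3 writes 0.0.0.0/0 explicitly, as `iptables -L`
# output would show it. The -j RETURN target is an assumption.
SAMPLE_RULES = """\
-N loc_dnat
-A loc_dnat -s 192.168.1.102/32 -p tcp -m multiport --dports 80,443 -j RETURN
-A loc_dnat -s 192.168.1.102/32 -d 192.168.3.0/24 -p tcp -m multiport --dports 80,443 -j RETURN
-A loc_dnat -d 0.0.0.0/0 -p tcp -m tcp --dport 8080 -j RETURN
"""


def parse_rule(line):
    """Parse one `-A` line into chain, source, destination and target.

    Returns None for non-rule lines such as `-N chain`. A negated match
    (`! -d x`) is stored with a leading '!'.
    """
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    rule = {"chain": tokens[1], "src": None, "dst": None, "target": None}
    negate = False
    for i, tok in enumerate(tokens[2:], start=2):
        if tok == "!":
            negate = True
            continue
        value = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok in ("-s", "--source"):
            rule["src"] = ("!" if negate else "") + value
        elif tok in ("-d", "--destination"):
            rule["dst"] = ("!" if negate else "") + value
        elif tok in ("-j", "--jump"):
            rule["target"] = value
        negate = False
    return rule


def destination_unrestricted(dst):
    """True when the rule matches every destination address."""
    if dst is None:
        return True  # `iptables -S` simply omits -d for 0.0.0.0/0
    if dst.startswith("!"):
        return False  # a negated match still excludes some addresses
    return ipaddress.ip_network(dst, strict=False).prefixlen == 0


def find_unrestricted(output, chain="loc_dnat"):
    """Return the rule lines in `chain` whose destination is unrestricted."""
    return [line for line in output.splitlines()
            if (rule := parse_rule(line)) and rule["chain"] == chain
            and destination_unrestricted(rule["dst"])]


if __name__ == "__main__":
    for rule in find_unrestricted(SAMPLE_RULES):
        print("unrestricted destination:", rule)
```

On a live host, feed it the real output with `iptables -t nat -S loc_dnat` (or `shorewall show nat`) instead of the sample string.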