Yeah. I got it.
The EXPAND_POLICIES option is interesting. I always generate the zone
combinations to have the a2b mark in the syslog, to easily identify the block.
Thanks Tom.
On Tue, Mar 5, 2013 at 12:37 AM, Tom Eastep <teastep@shorewall.net> wrote:
> On 3/4/13 7:21 PM, "Guilsson Guilsson" <guilsson@gmail.com> wrote:
>
> I understand the order is important on file /etc/shorewall/policy.
> But, if I create all possible combinations for the defined zones:
> # for a in fw loc dmz net; do for b in fw loc dmz net; do echo $a $b REJECT info; done; done
> and ending the above list with "all all DROP info"
> is the order still important?
>
>
> No. But in general you don't want REJECT for the policy from a zone to
> itself. And if you do not, then you can accomplish the same thing with:
>
> /etc/shorewall/shorewall.conf
>
> EXPAND_POLICIES=Yes
>
> /etc/shorewall/policy
>
> all all REJECT info
>
> -Tom
> You do not need a parachute to skydive. You only need a parachute to
> skydive twice.
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
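An added sketch (not from the thread and not Shorewall's own code) of the first-match policy lookup discussed above, showing why line order stops mattering once every zone pair has its own line. The functions `gen_policy` and `lookup` are hypothetical, and the model assumes only the SOURCE, DEST and POLICY columns, "all" as the only wildcard, and traffic between two different zones.

```shell
#!/bin/sh
# Added illustration, not Shorewall code. Simplified model: only the SOURCE,
# DEST and POLICY columns, "all" as the only wildcard, two different zones.

# gen_policy ZONE...: one explicit line per ordered pair of distinct zones
# (no zone-to-itself lines, per the reply above).
gen_policy() {
    for a in "$@"; do
        for b in "$@"; do
            [ "$a" = "$b" ] || echo "$a $b REJECT info"
        done
    done
}

# lookup SRC DST: read policy lines on stdin and print the POLICY column of
# the first line matching the pair; print NONE if no line matches.
lookup() {
    awk -v s="$1" -v d="$2" '
        /^[ \t]*(#|$)/ { next }                       # skip comments/blank lines
        ($1 == s || $1 == "all") && ($2 == d || $2 == "all") {
            print $3; found = 1; exit                 # first match wins
        }
        END { if (!found) print "NONE" }'
}

# Constructed sample data.
zones="fw loc dmz net"

# Every pair has its own line, so any ordering of those lines gives the
# same answer and a trailing catch-all would never be reached.
echo "explicit, file order:     $(gen_policy $zones | lookup loc net)"
echo "explicit, reversed order: $(gen_policy $zones | sort -r | lookup loc net)"

# With a wildcard line in play, order decides which line matches first.
echo "specific before all: $(printf 'loc net ACCEPT\nall all REJECT info\n' | lookup loc net)"
echo "all before specific: $(printf 'all all REJECT info\nloc net ACCEPT\n' | lookup loc net)"
```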