I have a zone (let's call it "net"), which has more than one network device attached to it (all interfaces within that zone are optional) and also have a catch-all statement in my "policy" file "all all DROP", which, I assumed, will produce a DROP rule at the end of each zone2zone chain not explicitly defined in that file.

That is indeed the case for 99% of the zones, but for the net2net chain I have an ACCEPT rule at the end, not DROP. I am certain I do not have any such rule either in my "rules" or "policy" files, so I am wondering what is the cause for this?

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their applications. This 200-page book is written by three acclaimed leaders in the field. The early access version is available now. Download your free book today!
http://p.sf.net/sfu/neotech_d2d_may
On 5/11/13 3:08 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:

> I have a zone (let's call it "net"), which has more than one network
> device attached to it (all interfaces within that zone are optional) and
> also have a catch-all statement in my "policy" file "all all DROP",
> which, I assumed, will produce a DROP rule at the end of each zone2zone
> chain not explicitly defined in that file.
>
> That is indeed the case for 99% of the zones, but for the net2net chain
> I have an ACCEPT rule at the end, not DROP. I am certain I do not have any
> such rule either in my "rules" or "policy" files, so I am wondering what
> is the cause for this?

The default intra-zone policy is ACCEPT and that policy is not overridden by a wildcard policy (one with 'all' in the SOURCE and/or DEST). If you want a DROP net->net policy then you must specify it explicitly.

-Tom

You do not need a parachute to skydive. You only need a parachute to skydive twice.
Tom Eastep wrote:
> On 5/11/13 3:08 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>
>> I have a zone (let's call it "net"), which has more than one network
>> device attached to it (all interfaces within that zone are optional) and
>> also have a catch-all statement in my "policy" file "all all DROP",
>> which, I assumed, will produce a DROP rule at the end of each zone2zone
>> chain not explicitly defined in that file.
>>
>> That is indeed the case for 99% of the zones, but for the net2net chain
>> I have an ACCEPT rule at the end, not DROP. I am certain I do not have any
>> such rule either in my "rules" or "policy" files, so I am wondering what
>> is the cause for this?
>
> The default intra-zone policy is ACCEPT and that policy is not overridden
> by a wildcard policy (one with 'all' in the SOURCE and/or DEST). If you
> want a DROP net->net policy then you must specify it explicitly.

Is this documented anywhere, because this is quite a hole I was unaware of? It seems inconsistent for 'all' to apply to everything else, except intra-zone policies (I do have 2 such zones and in both cases I have ACCEPT at the end).
Dash Four wrote:
> Tom Eastep wrote:
>> On 5/11/13 3:08 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>>
>>> I have a zone (let's call it "net"), which has more than one network
>>> device attached to it (all interfaces within that zone are optional) and
>>> also have a catch-all statement in my "policy" file "all all DROP",
>>> which, I assumed, will produce a DROP rule at the end of each zone2zone
>>> chain not explicitly defined in that file.
>>>
>>> That is indeed the case for 99% of the zones, but for the net2net chain
>>> I have an ACCEPT rule at the end, not DROP. I am certain I do not have any
>>> such rule either in my "rules" or "policy" files, so I am wondering what
>>> is the cause for this?
>>
>> The default intra-zone policy is ACCEPT and that policy is not overridden
>> by a wildcard policy (one with 'all' in the SOURCE and/or DEST). If you
>> want a DROP net->net policy then you must specify it explicitly.
>
> Is this documented anywhere, because this is quite a hole I was
> unaware of? It seems inconsistent for 'all' to apply to everything
> else, except intra-zone policies (I do have 2 such zones and in both
> cases I have ACCEPT at the end).

Should I assume that this is also the case not only with "policy", but for everything else as well (rules, blrules etc.)? Do I have to specify the default rules explicitly for intra-zone traffic in all those files?
On 5/11/13 4:03 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:

> Tom Eastep wrote:
>> On 5/11/13 3:08 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>>
>>> I have a zone (let's call it "net"), which has more than one network
>>> device attached to it (all interfaces within that zone are optional) and
>>> also have a catch-all statement in my "policy" file "all all DROP",
>>> which, I assumed, will produce a DROP rule at the end of each zone2zone
>>> chain not explicitly defined in that file.
>>>
>>> That is indeed the case for 99% of the zones, but for the net2net chain
>>> I have an ACCEPT rule at the end, not DROP. I am certain I do not have any
>>> such rule either in my "rules" or "policy" files, so I am wondering what
>>> is the cause for this?
>>
>> The default intra-zone policy is ACCEPT and that policy is not overridden
>> by a wildcard policy (one with 'all' in the SOURCE and/or DEST). If you
>> want a DROP net->net policy then you must specify it explicitly.
>
> Is this documented anywhere, because this is quite a hole I was unaware
> of? It seems inconsistent for 'all' to apply to everything else, except
> intra-zone policies (I do have 2 such zones and in both cases I have
> ACCEPT at the end).

man shorewall-policy. And look for "Important"

-Tom

You do not need a parachute to skydive. You only need a parachute to skydive twice.
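The pitfall Tom describes above (a wildcard "all all DROP" in the policy file leaves the default intra-zone ACCEPT in place, so the net2net chain still ends in ACCEPT) is easy to miss until you look at the compiled ruleset. The script below is an added example, not part of the thread and not Shorewall's own code. It gives two checks: one that reads a policy file and lists which zones have no explicit "zone zone ..." line, and one that reads iptables-save output and reports the final target of every <zone>2<zone> chain, failing if any still ends in ACCEPT. Both input samples are constructed for the example; it assumes one zone per SOURCE/DEST column in the policy file and Shorewall's usual <src>2<dst> filter chain naming. Check shorewall-policy(5) for your version for what the SOURCE and DEST columns accept.

```shell
#!/bin/sh
# Added example: audit Shorewall intra-zone policy coverage.
# Not from the mailing-list thread and not Shorewall code.
# Inputs below are constructed samples, not captured from a real host.

# Constructed /etc/shorewall/policy: "net all DROP" and "all all DROP" are
# wildcards and do NOT cover net->net or loc->loc; only dmz has an explicit
# intra-zone line.
POLICY='#SOURCE   DEST   POLICY   LOG
loc       net    ACCEPT
loc       $FW    REJECT   info
dmz       dmz    DROP     info
net       all    DROP     info
all       all    DROP     info'

# Constructed iptables-save excerpt shaped like Shorewall's compiled output:
# net2net and loc2loc still end in the default intra-zone ACCEPT.
IPT_SAVE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Drop - [0:0]
:net2net - [0:0]
:net2loc - [0:0]
:loc2loc - [0:0]
:dmz2dmz - [0:0]
-A net2net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A net2net -j ACCEPT
-A net2loc -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A net2loc -j Drop
-A net2loc -j DROP
-A loc2loc -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A loc2loc -j ACCEPT
-A dmz2dmz -j LOG --log-prefix "Shorewall:dmz2dmz:DROP:"
-A dmz2dmz -j DROP
COMMIT'

# stdin: policy file text; args: zone names.
# Prints each zone with no explicit "<zone> <zone> ..." line. Wildcards
# ("all") deliberately do not count, which is exactly the thread's point.
# Assumes one zone per column (no comma-separated zone lists).
zones_missing_intra_policy() {
    awk -v zones="$*" '
        BEGIN { n = split(zones, z, " ") }
        /^[ \t]*[#?]/ || NF < 3 { next }          # comments, ?directives, junk
        { covered[$1, $2] = 1 }
        END { for (i = 1; i <= n; i++) if (!((z[i], z[i]) in covered)) print z[i] }'
}

# stdin: iptables-save output. Prints "<chain> <target>" for the LAST rule of
# every chain whose name is <zone>2<zone>, i.e. an intra-zone chain.
intra_zone_terminal_rules() {
    awk '
        $1 == "-A" {
            chain = $2; target = ""
            for (i = 3; i <= NF; i++)
                if ($i == "-j" || $i == "-g") target = $(i + 1)
            if (!(chain in last)) order[++n] = chain
            last[chain] = target
        }
        END {
            for (i = 1; i <= n; i++) {
                c = order[i]; intra = 0
                # intra-zone if some "2" splits the name into two equal halves
                for (p = 2; p < length(c); p++)
                    if (substr(c, p, 1) == "2" && substr(c, 1, p - 1) == substr(c, p + 1))
                        intra = 1
                if (intra) print c, last[c]
            }
        }'
}

# stdin: iptables-save output. Returns 1 (and warns on stderr) if any
# intra-zone chain still terminates in ACCEPT.
audit_intra_zone_policies() {
    bad=$(intra_zone_terminal_rules | awk '$2 == "ACCEPT" { print $1 }')
    [ -z "$bad" ] && return 0
    for c in $bad; do
        z=${c%2*}
        echo "WARN: chain $c ends in ACCEPT; add an explicit '$z $z DROP' line to /etc/shorewall/policy" >&2
    done
    return 1
}

# Stand-alone demo on the constructed samples. On a real host:
#   zones_missing_intra_policy net loc dmz < /etc/shorewall/policy
#   iptables-save | audit_intra_zone_policies
echo "zones with no explicit intra-zone policy line:"
printf '%s\n' "$POLICY" | zones_missing_intra_policy net loc dmz
printf '%s\n' "$IPT_SAVE" | audit_intra_zone_policies || true
```

The first check is the one to run before "shorewall restart", since it catches the gap in the source of truth; the second is the belt-and-braces check on what the kernel actually has, and also flags an intra-zone chain that was covered in policy but later reopened by a rule. Note that a DROP policy for net->net only matters when that zone spans more than one interface (as in the original post) or when routeback is in use, because that is the only way traffic can enter and leave the firewall within the same zone.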
On 5/11/13 4:10 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:

> Dash Four wrote:
>> Tom Eastep wrote:
>>> On 5/11/13 3:08 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>>>
>>>> I have a zone (let's call it "net"), which has more than one network
>>>> device attached to it (all interfaces within that zone are optional) and
>>>> also have a catch-all statement in my "policy" file "all all DROP",
>>>> which, I assumed, will produce a DROP rule at the end of each zone2zone
>>>> chain not explicitly defined in that file.
>>>>
>>>> That is indeed the case for 99% of the zones, but for the net2net chain
>>>> I have an ACCEPT rule at the end, not DROP. I am certain I do not have any
>>>> such rule either in my "rules" or "policy" files, so I am wondering what
>>>> is the cause for this?
>>>
>>> The default intra-zone policy is ACCEPT and that policy is not overridden
>>> by a wildcard policy (one with 'all' in the SOURCE and/or DEST). If you
>>> want a DROP net->net policy then you must specify it explicitly.
>>
>> Is this documented anywhere, because this is quite a hole I was
>> unaware of? It seems inconsistent for 'all' to apply to everything
>> else, except intra-zone policies (I do have 2 such zones and in both
>> cases I have ACCEPT at the end).
>
> Should I assume that this is also the case not only with "policy", but
> for everything else as well (rules, blrules etc.)? Do I have to specify
> the default rules explicitly for intra-zone traffic in all those files?

Sort of -- look for 'intra-' in shorewall-rules(5).

-Tom

You do not need a parachute to skydive. You only need a parachute to skydive twice.
Tom Eastep wrote:
> On 5/11/13 4:10 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>
>> Dash Four wrote:
>>> Tom Eastep wrote:
>>>> On 5/11/13 3:08 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>>>>
>>>>> I have a zone (let's call it "net"), which has more than one network
>>>>> device attached to it (all interfaces within that zone are optional) and
>>>>> also have a catch-all statement in my "policy" file "all all DROP",
>>>>> which, I assumed, will produce a DROP rule at the end of each zone2zone
>>>>> chain not explicitly defined in that file.
>>>>>
>>>>> That is indeed the case for 99% of the zones, but for the net2net chain
>>>>> I have an ACCEPT rule at the end, not DROP. I am certain I do not have any
>>>>> such rule either in my "rules" or "policy" files, so I am wondering what
>>>>> is the cause for this?
>>>>
>>>> The default intra-zone policy is ACCEPT and that policy is not overridden
>>>> by a wildcard policy (one with 'all' in the SOURCE and/or DEST). If you
>>>> want a DROP net->net policy then you must specify it explicitly.
>>>
>>> Is this documented anywhere, because this is quite a hole I was
>>> unaware of? It seems inconsistent for 'all' to apply to everything
>>> else, except intra-zone policies (I do have 2 such zones and in both
>>> cases I have ACCEPT at the end).
>>
>> Should I assume that this is also the case not only with "policy", but
>> for everything else as well (rules, blrules etc.)? Do I have to specify
>> the default rules explicitly for intra-zone traffic in all those files?
>
> Sort of -- look for 'intra-' in shorewall-rules(5).

In other words, if I use all+ that will capture intra-zone traffic, right? If so, it is a pity that all+ cannot be specified in "policy" and I have to resort to this sort of gimmick.
Tom Eastep wrote:
> On 5/11/13 4:03 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>
>> Tom Eastep wrote:
>>> On 5/11/13 3:08 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>>>
>>>> I have a zone (let's call it "net"), which has more than one network
>>>> device attached to it (all interfaces within that zone are optional) and
>>>> also have a catch-all statement in my "policy" file "all all DROP",
>>>> which, I assumed, will produce a DROP rule at the end of each zone2zone
>>>> chain not explicitly defined in that file.
>>>>
>>>> That is indeed the case for 99% of the zones, but for the net2net chain
>>>> I have an ACCEPT rule at the end, not DROP. I am certain I do not have any
>>>> such rule either in my "rules" or "policy" files, so I am wondering what
>>>> is the cause for this?
>>>
>>> The default intra-zone policy is ACCEPT and that policy is not overridden
>>> by a wildcard policy (one with 'all' in the SOURCE and/or DEST). If you
>>> want a DROP net->net policy then you must specify it explicitly.
>>
>> Is this documented anywhere, because this is quite a hole I was unaware
>> of? It seems inconsistent for 'all' to apply to everything else, except
>> intra-zone policies (I do have 2 such zones and in both cases I have
>> ACCEPT at the end).
>
> man shorewall-policy. And look for "Important"

Yeah, got it, thanks. It would have been nice if I could use "all+ all+ DROP" in "policy" for example, without resorting to this explicit definition malarkey.