On Fri, 31 May 2002, Tom Eastep wrote:
> I've updated http://www.shorewall.net/myfiles.htm to include a whitelist.
> This working example shows that it may be necessary to add additional
> policies to make the whitelist work the way that you expect it to - it is
> not sufficient to simply add a "whitelist->all ACCEPT" policy.
>
> The Policy file at the above URL includes comments to explain why each of
> the additional policies are needed.
>
> Alain: I suspect that this is what you are seeing with your customer's
> nested zone setup. I found that I initially had jumps to the "all2all"
> chain that I was able to eliminate by adding these additional policies.
>
In 1.3.1 (which I will try to release over the weekend), this will become
a lot easier. If you have a whitelist zone "wl", you can just put the
following in /etc/shorewall/policy:

    wl      all     ACCEPT
    all     wl      CONTINUE

These rules are accepted by earlier versions of Shorewall but don't do the
correct thing; the 'all2wl' chain is optimized away and replaced with the
'all2all' chain (which of course doesn't do what you want).
For those of you who would like to give this a spin now, you need two
files:

    ftp://ftp.shorewall.net/pub/shorewall/testing/firewall
    ftp://ftp.shorewall.net/pub/shorewall/testing/rfc1918

The 'rfc1918' file must be placed in /etc/shorewall. Follow the
instructions at http://www.shorewall.net/errata.htm for installing the
'firewall' file.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
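The message above gives the two policy entries a whitelist zone needs ("wl all ACCEPT" and "all wl CONTINUE") and describes the failure mode of having only the ACCEPT. The following is an added example, not part of the mail and not Shorewall's own code: a small checker that parses a /etc/shorewall/policy file (whitespace-separated SOURCE DEST POLICY columns, '#' comments) and reports whether both entries are present and whether the whitelist ACCEPT is shadowed by an earlier catch-all entry. It assumes Shorewall's first-match policy semantics, and the sample policy files are constructed for the example.

```python
"""Sanity-check a Shorewall /etc/shorewall/policy file for a whitelist zone.

Added example, not Shorewall code. It parses the policy file's
whitespace-separated columns (SOURCE DEST POLICY ...), ignoring comments,
and reports whether the two entries from the mail ("wl all ACCEPT" and
"all wl CONTINUE") are present, and whether the ACCEPT entry is shadowed
by an earlier catch-all entry that would match first.
"""


def parse_policy(text):
    """Return a list of (source, dest, policy) tuples, in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:
            continue  # malformed line; Shorewall itself would reject it
        entries.append((cols[0], cols[1], cols[2].upper()))
    return entries


def check_whitelist(text, zone="wl"):
    """Return a list of problems found (an empty list means the file looks right)."""
    entries = parse_policy(text)
    problems = []

    # Locate the '<zone> all ACCEPT' entry.
    accept_idx = None
    for i, (src, dst, pol) in enumerate(entries):
        if src == zone and dst == "all" and pol == "ACCEPT":
            accept_idx = i
            break

    if accept_idx is None:
        problems.append(f"missing '{zone} all ACCEPT' policy")
    else:
        # Assumption: policies are matched first-match, so a broader entry
        # placed earlier whose source also covers the zone ('all' or the zone
        # itself) and whose destination is 'all' takes precedence.
        for src, dst, pol in entries[:accept_idx]:
            if src in ("all", zone) and dst == "all":
                problems.append(
                    f"'{src} {dst} {pol}' precedes '{zone} all ACCEPT' and shadows it"
                )

    # The 'all <zone> CONTINUE' entry keeps traffic *to* the whitelist zone
    # from falling into the generic all2all chain.
    if not any(src == "all" and dst == zone and pol == "CONTINUE"
               for src, dst, pol in entries):
        problems.append(f"missing 'all {zone} CONTINUE' policy")
    return problems


# Constructed sample policy files (not taken from the mail).
GOOD_POLICY = """\
# SOURCE  DEST  POLICY  LOG LEVEL
wl        all   ACCEPT
all       wl    CONTINUE
loc       net   ACCEPT
net       all   DROP    info
all       all   REJECT  info
"""

ONLY_ACCEPT_POLICY = """\
wl   all  ACCEPT
all  all  REJECT info
"""

SHADOWED_POLICY = """\
all  all  REJECT info
wl   all  ACCEPT
all  wl   CONTINUE
"""

if __name__ == "__main__":
    for name, text in [("good", GOOD_POLICY),
                       ("only-accept", ONLY_ACCEPT_POLICY),
                       ("shadowed", SHADOWED_POLICY)]:
        print(name, check_whitelist(text) or "ok")
```

Run it against a copy of your own policy file (`check_whitelist(open("/etc/shorewall/policy").read())`) to confirm both entries are there and that nothing broader sits in front of the whitelist ACCEPT.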