Hello Tom and Shorewall Users,

One thing that has tripped me up in the past several times is setting up zones that are not attached to an interface, but rather to hosts. It has to do with the default policies. The case where a zone is connected to an interface is processed differently than a zone that just contains hosts and is not attached to an interface. Here is what I see going on, correct me if I am wrong!

Let's use zone lan: it is connected to a NIC, and the policy file is as follows:

    wan     all     drop    info
    all     all     reject  -

Traffic from lan to fw is sent to the lan2fw chain with a default policy of reject from the all-to-all policy. This is OK! But let's add a zone called host. If we leave that policy file unchanged, we get a result that I question. If we have traffic from host to fw, it is sent to the all2all chain. So all my host-to-fw rules in the host2fw chain are never used.

Would it be better if the default behavior was to send the host-to-fw traffic to the host2fw chain, and have that chain have a default policy of reject from the all-to-all policy?

Are there other reasons that I have missed that require the current behavior, or would this be an improvement that would make using Shorewall just a little easier?

At present, if you just add a new zone, add a host to that zone, and add a rule from the new zone to an existing zone, your rules have no effect until you add default policies between the zones that your rules span.

What do you all think?

--
Regards
Joseph Watson
--On Sunday, November 17, 2002 06:44:59 PM -0500 Joseph Watson <jtwatson@datakota.com> wrote:

> Hello Tom and Shorewall Users,
>
> One thing that has tripped me up in the past several times is setting
> up zones that are not attached to an interface, but rather to hosts. It
> has to do with the default policies. The case where a zone is connected
> to an interface is processed differently than a zone that just contains
> hosts and is not attached to an interface. Here is what I see going on,
> correct me if I am wrong!
>
> Let's use zone lan:
> It is connected to a NIC, and the policy file is as follows:
>
>     wan     all     drop    info
>     all     all     reject  -
>
> Traffic from lan to fw is sent to the lan2fw chain with a default policy
> of reject from the all-to-all policy. This is OK! But let's add a zone
> called host. If we leave that policy file unchanged, we get a result
> that I question. If we have traffic from host to fw, it is sent to the
> all2all chain. So all my host-to-fw rules in the host2fw chain are
> never used. Would it be better if the default behavior was to send the
> host-to-fw traffic to the host2fw chain, and have that chain have a
> default policy of reject from the all-to-all policy?
>
> Are there other reasons that I have missed that require the current
> behavior, or would this be an improvement that would make using
> Shorewall just a little easier?

What you describe is largely nonsense since Shorewall treats the two types of zones exactly the same. If one of the zones is a subzone of the other though, it makes a LOT of difference which one appears first in the /etc/shorewall/zones file. For example, if the super-zone comes first then the rules for the sub-zone will never be used.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net
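The ordering point in Tom's reply, shown as a configuration fragment. This is an added example, not part of either message above and not Shorewall's own documentation. It assumes the zone names from Joseph's mail (wan, lan, host, fw), that the lan zone is bound to interface eth1 and that the host zone is a single address 192.168.1.10 on that same interface (both constructed here), and it uses the column layout of the Shorewall 1.3-era zones, interfaces, hosts and policy files as assumed by the editor. The host zone is therefore a sub-zone of lan, which is exactly the case where the order of lines in /etc/shorewall/zones decides which chain traffic from 192.168.1.10 is sent to.

```text
# /etc/shorewall/zones -- WRONG order for a nested zone.
# "lan" (the super-zone) is listed first, so a packet from 192.168.1.10
# is classified as lan before "host" is ever considered; the host2fw
# chain and every host-to-anything rule are never used.
#ZONE   DISPLAY         COMMENTS
wan     Net             Internet
lan     Local           All hosts on eth1
host    Host            One special host on eth1 (assumed 192.168.1.10)

# /etc/shorewall/zones -- CORRECT order.
# The more specific zone comes first, so 192.168.1.10 matches "host"
# and everything else on eth1 falls through to "lan".
#ZONE   DISPLAY         COMMENTS
wan     Net             Internet
host    Host            One special host on eth1 (assumed 192.168.1.10)
lan     Local           All hosts on eth1

# /etc/shorewall/interfaces -- binds the super-zone to the interface (assumed).
#ZONE   INTERFACE       BROADCAST       OPTIONS
wan     eth0            detect
lan     eth1            detect

# /etc/shorewall/hosts -- defines the sub-zone by address on the same interface (assumed).
#ZONE   HOST(S)                 OPTIONS
host    eth1:192.168.1.10

# /etc/shorewall/policy -- unchanged from Joseph's mail; with the correct zone
# order, host-to-fw traffic is now handled by the host2fw rules and falls back
# to the all-to-all reject policy only when no host2fw rule matches.
#SOURCE DEST    POLICY  LOG LEVEL
wan     all     drop    info
all     all     reject  -
```

A quick check after editing the zones file is to list the generated chains and confirm that a rule for the sub-zone actually landed in its own chain (for example `iptables -L host2fw -n`); if the chain is absent or empty while the rule exists in /etc/shorewall/rules, the zone order above is the first thing to verify.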