Hi. I'm a happy shorewall user. I found something that looks like a possible bug. I'm using shorewall on a single computer at home. I'm using the privoxy proxy server and dansguardian content filter. I configured shorewall based on the "one interface" example from the shorewall.net website. I set the firewall up so that users cannot directly connect to port 80 or to the proxy server, but the only path to port 80 is through the dansguardian content filter. The relevant section of my "rules" file is:

#WWW (Forced Proxy Server)
# Dansguardian (content filter) is set up to accept connections
# on port 8080, and connect to the proxy server on port 8118
# Privoxy (Advertising blocker) is set up to accept connections
# on port 8118, and connect to the internet on port 80.
# Both Dansguardian and Privoxy run under the user 'proxy'
# The two "ACCEPT" rules explicitly permit user 'proxy' to
# connect to the Privoxy server and to the internet.
# The two "DROP" rules prevent all other connections to
# internal port 8118 or to external port 80.
# The "ACCEPT fw fw" rule accepts all other internal traffic.
# I think this is a bug in SHOREWALL--without this line
# all other internal traffic is blocked!
ACCEPT fw net tcp 80 - - - proxy
ACCEPT fw fw tcp 8118 - - - proxy
DROP fw fw tcp 8118
DROP fw net tcp 80
ACCEPT fw fw

The "bug" is, (as also noted in the comment), once I set up a single firewall to firewall rule, all other firewall to firewall connections (all internal local traffic) is blocked. I need to explicitly tell the firewall that all other internal traffic is ok. I don't need an answer to this since I've got everything working as I want. I'm not a list subscriber, so please copy me if you want me to be involved in any follow up on this.

Thanks.
Philip DeVries
Hi Phil,

On Wednesday 22 September 2004 14:05, Phil DeVries wrote:
>
> The "bug" is, (as also noted in the comment), once I set up a
> single firewall to firewall rule, all other firewall to firewall
> connections (all internal local traffic) is blocked. I need to
> explicitly tell the firewall that all other internal traffic is
> ok.
>

fw->fw traffic works the same as any other intra-zone traffic.

For any zone Z, if you have no Z->Z rules, then Z->Z traffic is ACCEPTed. If there are any rules that specify Z->Z, then the traffic that doesn't match any of those rules is handled by the applicable entry in /etc/shorewall/policy (which in your case, was probably the all->all policy).

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
On Wednesday 22 September 2004 14:40, Tom Eastep wrote:
> Hi Phil,
>
> On Wednesday 22 September 2004 14:05, Phil DeVries wrote:
> > The "bug" is, (as also noted in the comment), once I set up a
> > single firewall to firewall rule, all other firewall to firewall
> > connections (all internal local traffic) is blocked. I need to
> > explicitly tell the firewall that all other internal traffic is
> > ok.
>
> fw->fw traffic works the same as any other intra-zone traffic.
>
> For any zone Z, if you have no Z->Z rules, then Z->Z traffic is ACCEPTed.
> If there are any rules that specify Z->Z, then the traffic that doesn't
> match any of those rules is handled by the applicable entry
> in /etc/shorewall/policy (which in your case, was probably the all->all
> policy).
>

Which is by way of saying that you need the following in your /etc/shorewall/policy file; it is preferable to the last rule that you posted (in fact, "shorewall check" probably rejects that rule as being a policy).

fw fw ACCEPT

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
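The rules/policy split Tom describes, written out as an added example that is not part of the thread: the four rules are the ones Phil posted (ports 8080, 8118 and 80, user 'proxy', zones fw and net), the catch-all "ACCEPT fw fw" moves into /etc/shorewall/policy, and the remaining policy lines are assumed to follow the one-interface sample, since the thread does not show them.

```text
# /etc/shorewall/rules  (constructed example; Phil's rules without the
# trailing "ACCEPT fw fw", which is a policy, not a rule)
#ACTION SOURCE DEST  PROTO DEST   SOURCE ORIGINAL RATE  USER/
#                          PORT   PORT   DEST     LIMIT GROUP
ACCEPT  fw     net   tcp   80     -      -        -     proxy
ACCEPT  fw     fw    tcp   8118   -      -        -     proxy
DROP    fw     fw    tcp   8118
DROP    fw     net   tcp   80

# /etc/shorewall/policy  (constructed example)
# Policy entries are matched in order, so the fw->fw entry has to
# appear before the catch-all "all all" line or it never applies.
#SOURCE DEST  POLICY  LOG LEVEL
fw      fw    ACCEPT
fw      net   ACCEPT            # assumed: not shown in the thread
net     all   DROP    info      # assumed: one-interface sample default
all     all   REJECT  info      # assumed: one-interface sample default
```

With this layout a local connection to port 8118 from any user other than 'proxy' still hits "DROP fw fw tcp 8118", a local connection to dansguardian on 8080 matches no fw->fw rule and falls through to the "fw fw ACCEPT" policy, and a direct connection to port 80 on the net by a non-'proxy' user is stopped by "DROP fw net tcp 80". Running "shorewall check" before "shorewall restart" confirms that both files parse and that no policy-shaped line is left in the rules file.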
Thank you, and understood.

Phil

On Wed, 22 Sep 2004 14:40:29 -0700 Tom Eastep <teastep@shorewall.net> wrote:
> fw->fw traffic works the same as any other intra-zone traffic.
>
> For any zone Z, if you have no Z->Z rules, then Z->Z traffic is
> ACCEPTed. If there are any rules that specify Z->Z, then the
> traffic that doesn't match any of those rules is handled by the
> applicable entry in /etc/shorewall/policy (which in your case,
> was probably the all->all policy).
>
> -Tom