Hi,

I recently noticed that the compiler sets up ACCEPT as the policy for all {zone}2{zone} chains. This is a bit counter-intuitive, as I'd expect my policy file to be valid even for stuff that moves inside a zone. Is this a bug, or is there some specific idea behind having this hard-coded policy? Right now I've had to add "dmz dmz REJECT" to my file in order to get the behaviour I want.

Rgds
-- 
Pierre Ossman
Linux kernel, MMC maintainer        http://www.kernel.org
rdesktop, core developer            http://www.rdesktop.org
Pierre Ossman wrote:
> I recently noticed that the compiler sets up ACCEPT as the policy for
> all {zone}2{zone} chains. This is a bit counter-intuitive, as I'd expect
> my policy file to be valid even for stuff that moves inside a zone.

This has been discussed a lot from time to time. Most people assume that hosts in the same zone can communicate with each other without restrictions. This is a documented feature. When it defaulted to the all2all policy, there was much support traffic about this issue.

> Is this a bug, or is there some specific idea behind having this hard-coded
> policy? Right now I've had to add "dmz dmz REJECT" to my file in order
> to get the behaviour I want.

Try "dmz dmz REJECT info" instead. If you want to prevent that traffic, you probably want to log it too. You have a special setup if you want to protect against zone2zone traffic.

-- 
Tuomo Soini <tis@foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
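The practical consequence of the thread above is that a policy file ending in "all all REJECT" still leaves traffic between hosts of the same zone accepted unless there is an explicit "<zone> <zone>" line for that zone. The script below is an added example written for this page, not code from the Shorewall project or from either poster: it walks a policy file in the classic SOURCE / DEST / POLICY / LOG LEVEL column layout, lists the zones that only get the compiler's implicit intra-zone ACCEPT, and emits the "REJECT info" lines Tuomo suggests for each of them. The sample policy file is constructed for the demonstration and does not describe a real site.

```shell
#!/bin/sh
# Constructed sample /etc/shorewall/policy (not a real site's file).
# Columns: SOURCE DEST POLICY LOG-LEVEL. Only dmz has an explicit
# intra-zone line, so loc, net and $FW keep the implicit ACCEPT.
SAMPLE_POLICY='#SOURCE DEST    POLICY   LOG LEVEL
loc     net     ACCEPT
loc     $FW     ACCEPT
dmz     net     ACCEPT
dmz     dmz     REJECT   info
net     all     DROP     info
all     all     REJECT   info'

# intrazone_gaps FILE
# Print, one per line and sorted, every zone that appears in the SOURCE or
# DEST column but has no explicit "<zone> <zone> ..." policy line. Per the
# thread, such zones fall back to the implicit intra-zone ACCEPT; the
# "all" wildcard does not count as an intra-zone policy.
intrazone_gaps() {
    awk '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blanks
        {
            src = $1; dst = $2
            if (src != "all") zones[src] = 1
            if (dst != "all") zones[dst] = 1
            if (src == dst && src != "all") explicit[src] = 1
        }
        END {
            for (z in zones) if (!(z in explicit)) print z
        }
    ' "$1" | LC_ALL=C sort
}

# suggest_intrazone_policy FILE
# For each gap, print the policy line Tuomo recommends: reject the
# traffic and log it at level info.
suggest_intrazone_policy() {
    intrazone_gaps "$1" | while IFS= read -r z; do
        printf '%s\t%s\tREJECT\tinfo\n' "$z" "$z"
    done
}

# Demo against the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_POLICY" > "$tmp"
echo "Zones without an explicit intra-zone policy:"
intrazone_gaps "$tmp"
echo "Suggested additions to /etc/shorewall/policy:"
suggest_intrazone_policy "$tmp"
rm -f "$tmp"
```

Run it against your real policy file with `intrazone_gaps /etc/shorewall/policy`; after appending the suggested lines, `shorewall check` will validate the result before you restart. Whether you actually want to reject intra-zone traffic is a site decision, as Tuomo notes, but the audit makes the implicit ACCEPTs visible instead of leaving them assumed.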