Hi,
I noticed today that a hosts zone defined as follows wasn't being
matched.
I investigated the output of iptables -L -v, and found this:

Chain tun4_out (1 references)
 pkts bytes target     prot opt in     out     source               destination
   85 13584 fw2san     all  --  any    any     anywhere             anywhere
    0     0 fw2bloc    all  --  any    any     anywhere             192.168.3.0/24
/etc/shorewall/zones
san     ipv4
bloc    ipv4

/etc/shorewall/hosts
bloc    tun4:192.168.3.0/24

/etc/shorewall/interfaces
san     tun4            detect          routefilter,logmartians,tcpflags,nosmurfs

/etc/shorewall/rules sample
# dns
ACCEPT  $FW             bloc            udp     53
Either switching the order of those zone entries or using "bloc:san ipv4",
the following iptables output and the correct behavior are achieved:

Chain tun4_out (1 references)
 pkts bytes target     prot opt in     out     source               destination
  130 21543 fw2bloc    all  --  any    any     anywhere             192.168.3.0/24
    0     0 fw2san     all  --  any    any     anywhere             anywhere
I couldn't find anything in the hosts or zones man pages about this. Am I
doing something wrong, or should this be spelled out in the docs for other
idiots like me?

Thanks-
    John
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
John Morris wrote:
> Hi,
>
> I noticed today that a hosts zone defined as follows wasn't being
> matched. I investigated the output of iptables -L -v, and found this:
> ...
> I couldn't find anything in the hosts or zones man pages about this. Am
> I doing something wrong, or should this be spelled out in the docs for
> other idiots like me?

In http://www.shorewall.net/manpages/shorewall-hosts.html it says: "The order of entries in this file is not significant in determining zone composition. Rather, the order that the zones are declared in shorewall-zones(5) determines the order in which the records in this file are interpreted."

In http://www.shorewall.net/Multiple_Zones.html it says: "Shorewall generates rules for zones in the order that the zone declarations appear in /etc/shorewall/zones unless you modify the processing order using the explicit child-zone:parent-zone syntax, in which case the child zone rules are generated first."

That should be sufficient to say it is documented, but there probably should be something more explicit about ordering (probably a reference to Multiple_Zones.html) in http://www.shorewall.net/manpages/shorewall-zones.html. Any comments, Tom?

Paul
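A small model of the first-match behaviour behind the two iptables listings in John's post, added here as an example; it is not Shorewall's own code and only approximates how the tun4_out chain is generated. ZONE_INTERFACES, ZONE_HOSTS and the function names are constructed for the example, which also handles the "bloc:san" child:parent form Paul quotes above.

```python
import ipaddress

# Constructed model of the configuration in John's post (not Shorewall code):
ZONE_INTERFACES = {"san": ["tun4"]}                  # /etc/shorewall/interfaces
ZONE_HOSTS = {"bloc": [("tun4", "192.168.3.0/24")]}  # /etc/shorewall/hosts


def zone_order(zone_decls):
    """Rule-generation order for /etc/shorewall/zones declarations.

    Each declaration is "name" or "child:parent".  Declared order is kept,
    except that a child's rules are generated before its parent's (one
    level of nesting is enough for the bloc:san case discussed above).
    """
    names = [d.split(":")[0] for d in zone_decls]
    parent_of = {d.split(":")[0]: d.split(":")[1] for d in zone_decls if ":" in d}
    order = []
    for name in names:
        if name in order:
            continue
        for child, parent in parent_of.items():
            if parent == name and child not in order:
                order.append(child)
        order.append(name)
    return order


def build_out_chain(order, interface):
    """Rules of the <interface>_out chain as (target, destination network),
    one per zone definition on this interface, in zone order."""
    rules = []
    for zone in order:
        if interface in ZONE_INTERFACES.get(zone, []):
            # an interface-wide zone matches every destination ("anywhere")
            rules.append((f"fw2{zone}", ipaddress.ip_network("0.0.0.0/0")))
        for iface, net in ZONE_HOSTS.get(zone, []):
            if iface == interface:
                rules.append((f"fw2{zone}", ipaddress.ip_network(net)))
    return rules


def resolve_zone(zone_decls, dst, interface="tun4"):
    """iptables first-match semantics: target of the first rule whose
    destination network contains dst, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    for target, net in build_out_chain(zone_order(zone_decls), interface):
        if addr in net:
            return target
    return None
```

With zones declared as san then bloc, a packet to 192.168.3.10 lands in fw2san and the fw2bloc rule is shadowed, exactly as the zero counters in the first listing show; declaring bloc first, or as bloc:san, puts fw2bloc ahead.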
Paul Gear wrote:
> John Morris wrote:
>> Hi,
>>
>> I noticed today that a hosts zone defined as follows wasn't being
>> matched. I investigated the output of iptables -L -v, and found this:
>> ...
>> I couldn't find anything in the hosts or zones man pages about this. Am
>> I doing something wrong, or should this be spelled out in the docs for
>> other idiots like me?
>
> In http://www.shorewall.net/manpages/shorewall-hosts.html it says: "The
> order of entries in this file is not significant in determining zone
> composition. Rather, the order that the zones are declared in
> shorewall-zones(5) determines the order in which the records in this
> file are interpreted."
>
> In http://www.shorewall.net/Multiple_Zones.html it says: "Shorewall
> generates rules for zones in the order that the zone declarations appear
> in /etc/shorewall/zones unless you modify the processing order using the
> explicit child-zone:parent-zone syntax, in which case the child zone
> rules are generated first."
>
> That should be sufficient to say it is documented, but there probably
> should be something more explicit about ordering (probably a reference
> to Multiple_Zones.html) in
> http://www.shorewall.net/manpages/shorewall-zones.html. Any comments, Tom?
>

and to http://www.shorewall.net/manpages/shorewall-nesting.html

Jerry
Thanks, guys.  I think those particular pixels must've been burned out in my
retinas.
    John
On Sun, Jun 1, 2008 at 7:34 PM, Jerry Vonau <jvonau@shaw.ca> wrote:
> Paul Gear wrote:
> > John Morris wrote:
> >> Hi,
> >>
> >> I noticed today that a hosts zone defined as follows wasn't being
> >> matched.  I investigated the output of iptables -L -v, and found this:
> >> ...
> >> I couldn't find anything in the hosts or zones man pages about this.  Am
> >> I doing something wrong, or should this be spelled out in the docs for
> >> other idiots like me?
> >
> > In http://www.shorewall.net/manpages/shorewall-hosts.html it says: "The
> > order of entries in this file is not significant in determining zone
> > composition. Rather, the order that the zones are declared in
> > shorewall-zones(5) determines the order in which the records in this
> > file are interpreted."
> >
> > In http://www.shorewall.net/Multiple_Zones.html it says: "Shorewall
> > generates rules for zones in the order that the zone declarations appear
> > in /etc/shorewall/zones unless you modify the processing order using the
> > explicit child-zone:parent-zone syntax, in which case the child zone
> > rules are generated first."
> >
> > That should be sufficient to say it is documented, but there probably
> > should be something more explicit about ordering (probably a reference
> > to Multiple_Zones.html) in
> > http://www.shorewall.net/manpages/shorewall-zones.html.  Any comments,
> > Tom?
> >
>
> and to
>
> http://www.shorewall.net/manpages/shorewall-nesting.html
>
> Jerry
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Jerry Vonau wrote:
> Paul Gear wrote:
>>
>> That should be sufficient to say it is documented, but there probably
>> should be something more explicit about ordering (probably a reference
>> to Multiple_Zones.html) in
>> http://www.shorewall.net/manpages/shorewall-zones.html. Any comments, Tom?
>>
>
> and to
>
> http://www.shorewall.net/manpages/shorewall-nesting.html
>

There is already a reference to the nesting manpage. I've added a reference to Multiple_Zones.html and I've stated explicitly that zone ordering determines the order in which addresses in packets are matched against zones. Note, however, that the order in which the zones are declared is only relevant when there are entries in the hosts file, and as Paul has pointed out, the hosts manpage already includes such a statement.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Jerry Vonau wrote:
>> Paul Gear wrote:
>>>
>>> That should be sufficient to say it is documented, but there probably
>>> should be something more explicit about ordering (probably a reference
>>> to Multiple_Zones.html) in
>>> http://www.shorewall.net/manpages/shorewall-zones.html. Any
>>> comments, Tom?
>>>
>>
>> and to
>>
>> http://www.shorewall.net/manpages/shorewall-nesting.html
>>
>
> There is already a reference to the nesting manpage.

Sorry Tom, I was not clear. I was sort of expecting to see shorewall-nesting listed in the "See ALSO" section as is done with shorewall.conf and shorewall-hosts.

Jerry
Jerry Vonau wrote:
> Sorry Tom, I was not clear. I was sort of expecting to see
> shorewall-nesting listed in the "See ALSO" section as is done with
> shorewall.conf and shorewall-hosts.

Done. Thanks,

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key