What exactly is the difference between these two?

I have read: http://www.shorewall.net/manpages/shorewall-policy.html

And the information there does not clarify the difference for me.

My understanding of Drop is if there is no rule for the connection, then Drop it.

This box is just a gateway. I do not want it doing anything with packets from/to External and Internal, but to protect the gateway itself from all but selected connections. So I have my policy as:

all fw DROP info
fw all DROP info

To this do I add:

Int Ext Accept
Ext Int Accept

Or use Continue?

BTW, my rules are:

ACCEPT all all icmp
ACCEPT all fw tcp 7722
ACCEPT all fw tcp 10000
ACCEPT Int fw tcp 5902:5903

Ports 7722 and 10000 are encrypted connections so allowed from Ext.

-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project, along with a healthy diet, reduces your potential for chronic lameness and boredom. Vote Now at http://www.sourceforge.net/community/cca08
Robert Moskowitz wrote:
> What exactly is the difference between these two?
>
> I have read: http://www.shorewall.net/manpages/shorewall-policy.html
>
> And the information there does not clarify the difference for me.

- A connection request that matches an ACCEPT is accepted. Period.
- A connection request that matches a CONTINUE is accepted _unless_ another policy located below in the policy file says otherwise.

> My understanding of Drop is if there is no rule for the connection, then
> Drop it.

- A connection request that matches a DROP is dropped.

> This box is just a gateway. I do not want it doing anything with
> packets from/to External and Internal, but to protect the gateway itself
> from all but selected connections. So I have my policy as:
>
> all fw DROP info
> fw all DROP info
>
> To this do I add:
>
> Int Ext Accept
> Ext Int Accept
>
> Or use Continue?
>
> BTW, my rules are:
>
> ACCEPT all all icmp
> ACCEPT all fw tcp 7722
> ACCEPT all fw tcp 10000
> ACCEPT Int fw tcp 5902:5903
>
> Ports 7722 and 10000 are encrypted connections so allowed from Ext.

--
/Martin Leben
The email address is dated and will work until it attracts spam. My permanent address is <[firstname]@[lastname].nu>.
Hi (again) Robert,

I hit "send" by mistake before I was finished...

Martin Leben wrote:
> Robert Moskowitz wrote:
>> What exactly is the difference between these two?
>>
>> I have read: http://www.shorewall.net/manpages/shorewall-policy.html
>>
>> And the information there does not clarify the difference for me.
>
> - A connection request that matches an ACCEPT is accepted. Period.
> - A connection request that matches a CONTINUE is accepted _unless_ another
> policy located below in the policy file says otherwise.

CONTINUE is useful when having nested zones. See <http://www.shorewall.net/manpages/shorewall-nesting.html>.

>> My understanding of Drop is if there is no rule for the connection, then
>> Drop it.
>
> - A connection request that matches a DROP is dropped.
>
>> This box is just a gateway. I do not want it doing anything with
>> packets from/to External and Internal, but to protect the gateway itself
>> from all but selected connections. So I have my policy as:
>>
>> all fw DROP info
>> fw all DROP info
>>
>> To this do I add:
>>
>> Int Ext Accept
>> Ext Int Accept
>>
>> Or use Continue?

No, accept is correct.

>> BTW, my rules are:
>>
>> ACCEPT all all icmp
>> ACCEPT all fw tcp 7722
>> ACCEPT all fw tcp 10000
>> ACCEPT Int fw tcp 5902:5903

Looks good to me.

I am no shorewall expert, so I fully expect to be corrected if I am mistaken about anything above. :-)

Best regards,
/Martin Leben
Robert Moskowitz wrote:
> What exactly is the difference between these two?
>
> I have read: http://www.shorewall.net/manpages/shorewall-policy.html
>
> And the information there does not clarify the difference for me.

As stated in that man page, CONTINUE is only appropriate when you have nested zones. http://www.shorewall.net/manpages/shorewall-nesting.html.

> My understanding of Drop is if there is no rule for the connection, then
> Drop it.
>
> This box is just a gateway. I do not want it doing anything with
> packets from/to External and Internal, but to protect the gateway itself
> from all but selected connections. So I have my policy as:
>
> all fw DROP info
> fw all DROP info
>
> To this do I add:
>
> Int Ext Accept
> Ext Int Accept
>
> Or use Continue?

No. When there is a policy such as this:

A B CONTINUE

then if no A->B rule matches a connection from A to B but if A is a sub-zone of C then the connection will be matched against the C->B rules. If no rule there matches, the connection will be handled under the effective C->B policy.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
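Tom's description of the lookup order, as a small runnable model (an added example, not Shorewall's own code): the rules for the zone pair are checked first, then the pair's policy, and a CONTINUE policy repeats the lookup against the parent zone's rules and policy. The sub-zone "Vpn" nested inside "Int" and its CONTINUE policy are constructed for the demonstration; the other policy and rule entries are the ones Robert posted.

```python
# Added example, not Shorewall's own code: a simplified model of the lookup
# described above. The "Vpn" sub-zone nested in "Int" is constructed; the
# remaining policy and rule entries are the ones posted in this thread.
POLICIES = [  # policy file: SOURCE DEST POLICY, first match wins
    ("Vpn", "fw", "CONTINUE"),  # constructed: Vpn is a sub-zone of Int
    ("Int", "Ext", "ACCEPT"),
    ("Ext", "Int", "ACCEPT"),
    ("all", "fw", "DROP"),
    ("fw", "all", "DROP"),
]
RULES = [  # rules file: ACTION SOURCE DEST PROTO (low, high) ports, None = any
    ("ACCEPT", "all", "all", "icmp", None),
    ("ACCEPT", "all", "fw", "tcp", (7722, 7722)),
    ("ACCEPT", "all", "fw", "tcp", (10000, 10000)),
    ("ACCEPT", "Int", "fw", "tcp", (5902, 5903)),
]
PARENT = {"Vpn": "Int"}  # constructed zone nesting: sub-zone -> parent zone

def _zone_ok(pattern, zone):
    return pattern in ("all", zone)

def first_rule(src, dst, proto, dport, rules=RULES):
    """Action of the first rule matching the connection, or None."""
    for action, rsrc, rdst, rproto, rport in rules:
        if (_zone_ok(rsrc, src) and _zone_ok(rdst, dst) and rproto in ("all", proto)
                and (rport is None or (dport is not None and rport[0] <= dport <= rport[1]))):
            return action
    return None

def policy_for(src, dst, policies=POLICIES):
    """First policy entry whose SOURCE/DEST columns cover the zone pair."""
    for psrc, pdst, action in policies:
        if _zone_ok(psrc, src) and _zone_ok(pdst, dst):
            return action
    raise LookupError(f"no policy covers {src}->{dst}")

def decide(src, dst, proto, dport=None, parent=PARENT):
    """Return (verdict, trail); trail lists the zone pairs consulted in order."""
    trail, zone = [], src
    while True:
        trail.append(f"{zone}->{dst}")
        action = first_rule(zone, dst, proto, dport)
        if action is not None:
            return action, trail  # a matching rule decides; the policy is not consulted
        policy = policy_for(zone, dst)
        if policy != "CONTINUE":
            return policy, trail  # ACCEPT or DROP policy decides
        if zone not in parent:
            raise LookupError(f"CONTINUE for {zone}->{dst} but {zone} has no parent zone")
        zone = parent[zone]  # CONTINUE: repeat the lookup against the parent zone
```

Calling `decide("Vpn", "fw", "tcp", 5902)` walks Vpn->fw (no rule, CONTINUE) and then Int->fw, where the 5902:5903 rule accepts it; the same connection on port 22 falls through to the "all fw DROP" policy.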
Thanks Tom. Now I got it!

Tom Eastep wrote:
> Robert Moskowitz wrote:
>> What exactly is the difference between these two?
>>
>> I have read: http://www.shorewall.net/manpages/shorewall-policy.html
>>
>> And the information there does not clarify the difference for me.
>
> As stated in that man page, CONTINUE is only appropriate when you have
> nested zones. http://www.shorewall.net/manpages/shorewall-nesting.html.
>
>> My understanding of Drop is if there is no rule for the connection,
>> then Drop it.
>>
>> This box is just a gateway. I do not want it doing anything with
>> packets from/to External and Internal, but to protect the gateway
>> itself from all but selected connections. So I have my policy as:
>>
>> all fw DROP info
>> fw all DROP info
>>
>> To this do I add:
>>
>> Int Ext Accept
>> Ext Int Accept
>>
>> Or use Continue?
>
> No. When there is a policy such as this:
>
> A B CONTINUE
>
> then if no A->B rule matches a connection from A to B but if A is a
> sub-zone of C then the connection will be matched against the C->B
> rules. If no rule there matches, the connection will be handled under
> the effective C->B policy.
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users