Package: shorewall-common
Version: 4.2.8-1
Severity: important

Hi,
the IMPLICIT_CONTINUE change in shorewall.conf from Yes to No breaks working configurations that make use of nested zones. There is no NEWS entry or anything else to warn about this.

A small example, single interface setup, shorewall runs as "personal firewall" on each host of a subnet 'xx' directly connected to the internet with some services only available to/from xx:

/etc/shorewall/zones

    #ZONE   TYPE      OPTIONS   IN          OUT
    #                           OPTIONS     OPTIONS
    fw      firewall
    net     ipv4
    xx:net  ipv4

with xx being a subset (eth0:1.2.3.4/5) of net (eth0:0.0.0.0/0) defined in interfaces and hosts.

A possible solution to this is to add some CONTINUE policies to /etc/shorewall/policy as in

    #SOURCE  DEST   POLICY    LOG LEVEL
    $FW      xx     CONTINUE
    $FW      net    ACCEPT
    xx       $FW    CONTINUE
    net      $FW    DROP      info
    net      all    DROP      info
    # The FOLLOWING POLICY MUST BE LAST
    all      all    REJECT    info
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

(Network xx was not listed in policy at all with shorewall 4.0.x/lenny). Depending on your setup, the CONTINUE policies may have to be adjusted.

After this change there is still a diff in the generated rules:

    + run_iptables -A eth0_fwd -s 1.2.3.4/5 -o eth0 -d 0.0.0.0/0 -j all2all
    + run_iptables -A eth0_fwd -s 0.0.0.0/0 -o eth0 -d 1.2.3.4/5 -j net2all

i.e. no CONTINUE policy for forwarding from/to network xx, but this doesn't harm me as I don't use forwarding.

Andreas

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (800, 'testing'), (800, 'stable'), (600, 'unstable'), (130, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.28-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages shorewall-common depends on:
ii  debconf [debconf-2.0]  1.5.26      Debian configuration management sy
ii  iproute                20090324-1  networking and traffic control too
ii  iptables               1.4.3.2-1   administration tools for packet fi

shorewall-common recommends no packages.
Versions of packages shorewall-common suggests:
ii  linux-image-2.6.24-1-amd  2.6.24-7         Linux 2.6.24 image on AMD64
ii  linux-image-2.6.25-2-amd  2.6.25-7         Linux 2.6.25 image on AMD64
ii  linux-image-2.6.26-1-amd  2.6.26-13lenny2  Linux 2.6.26 image on AMD64
ii  linux-image-2.6.26-2-amd  2.6.26-15        Linux 2.6.26 image on AMD64
ii  linux-image-2.6.28-1-amd  2.6.28-1         Linux 2.6.28 image on AMD64
ii  linux-image-2.6.29-1-amd  2.6.29-3         Linux 2.6.29 image on AMD64
ii  make                      3.81-5           The GNU version of the "make" util
pn  shorewall-doc             <none>           (no description available)

-- debconf information:
  shorewall-common/invalid_config:
  shorewall-common/major_release:
  shorewall-common/dont_restart:
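The following Python script is an added illustration, not part of Andreas's report and not Shorewall's own code. It models how the policy file above is resolved for a nested zone: Shorewall's first-match policy lookup (which is why "all all REJECT" must be last), and the implied CONTINUE that IMPLICIT_CONTINUE=Yes gives a subzone whenever no policy line names that subzone. It models policies only (no /etc/shorewall/rules), and the zone addresses and hosts are constructed placeholders. Running it shows the breakage the report describes: with the lenny-era policy file and IMPLICIT_CONTINUE=No, traffic between $FW and xx falls through to "all all REJECT" instead of the net policies, and the added CONTINUE lines restore the old outcome.

```python
"""Model of how Shorewall resolves policies for nested zones.

Added example for this bug report, not shipped Shorewall code: it models only
/etc/shorewall/policy (no rules file) with first-match policy lookup and the
IMPLICIT_CONTINUE handling of subzones. Addresses are constructed placeholders.
"""
import ipaddress

FW = "$FW"
# Zones as in the report: xx is a subset of net on the same interface (nested zone).
ZONES = {
    "net": {"cidr": ipaddress.ip_network("0.0.0.0/0"), "parent": None},
    "xx": {"cidr": ipaddress.ip_network("192.0.2.0/24"), "parent": "net"},
}
FW_ADDR = ipaddress.ip_address("192.0.2.10")  # this host, running the "personal firewall"

# Policy file as it worked on lenny: no entries for xx at all.
POLICY_LENNY = [
    (FW, "net", "ACCEPT"),
    ("net", FW, "DROP"),
    ("net", "all", "DROP"),
    ("all", "all", "REJECT"),  # must stay last: the first matching line wins
]

# Policy file with the CONTINUE entries the report adds for 4.2.8 (IMPLICIT_CONTINUE=No).
POLICY_WITH_CONTINUE = [
    (FW, "xx", "CONTINUE"),
    (FW, "net", "ACCEPT"),
    ("xx", FW, "CONTINUE"),
    ("net", FW, "DROP"),
    ("net", "all", "DROP"),
    ("all", "all", "REJECT"),
]


def zone_of(addr):
    """Most specific zone containing addr (longest prefix); the firewall itself is $FW."""
    addr = ipaddress.ip_address(str(addr))
    if addr == FW_ADDR:
        return FW
    best = None
    for name, zone in ZONES.items():
        if addr in zone["cidr"] and (
            best is None or zone["cidr"].prefixlen > ZONES[best]["cidr"].prefixlen
        ):
            best = name
    return best


def first_match(policies, src, dst):
    """First policy line matching src -> dst, with 'all' matching any zone."""
    for ps, pd, action in policies:
        if ps in (src, "all") and pd in (dst, "all"):
            return ps, pd, action
    return None


def resolve(policies, src, dst, implicit_continue, trail=None):
    """Action for src -> dst traffic that matched no rule, plus the lookup trail.

    A subzone gets an implied CONTINUE (IMPLICIT_CONTINUE=Yes) unless a policy line
    names the subzone explicitly; CONTINUE re-runs the lookup with the parent zone.
    """
    trail = [] if trail is None else trail
    subzone = next((z for z in (src, dst) if ZONES.get(z, {}).get("parent")), None)
    match = first_match(policies, src, dst)
    if subzone and implicit_continue and not (match and subzone in match[:2]):
        action = "CONTINUE"
        trail.append(f"{src} -> {dst}: implicit CONTINUE")
    elif match is None:
        raise ValueError(f"no policy for {src} -> {dst}")
    else:
        action = match[2]
        trail.append(f"{src} -> {dst}: {match[0]} {match[1]} {action}")
    if action == "CONTINUE":
        if subzone is None:
            raise ValueError("CONTINUE used for a zone pair without a subzone")
        parent = ZONES[subzone]["parent"]
        src, dst = (parent, dst) if subzone == src else (src, parent)
        return resolve(policies, src, dst, implicit_continue, trail)
    return action, trail


def scenario(policies, implicit_continue, src_addr, dst_addr):
    """Resolve a packet between two addresses under a policy file and IMPLICIT_CONTINUE setting."""
    return resolve(policies, zone_of(src_addr), zone_of(dst_addr), implicit_continue)


if __name__ == "__main__":
    XX_HOST, NET_HOST = "192.0.2.20", "203.0.113.5"  # constructed peers in xx and in net
    cases = [
        ("lenny, IMPLICIT_CONTINUE=Yes", POLICY_LENNY, True),
        ("4.2.8, IMPLICIT_CONTINUE=No, old policy", POLICY_LENNY, False),
        ("4.2.8, IMPLICIT_CONTINUE=No, CONTINUE added", POLICY_WITH_CONTINUE, False),
    ]
    for label, policies, implicit in cases:
        print(label)
        for src, dst in ((FW_ADDR, XX_HOST), (XX_HOST, FW_ADDR), (NET_HOST, FW_ADDR)):
            action, trail = scenario(policies, implicit, src, dst)
            print(f"  {zone_of(src):>4} -> {zone_of(dst):<4} {action:8} via " + "; ".join(trail))
```

The trail printed for each case makes the difference visible: on lenny the $FW -> xx lookup records "implicit CONTINUE" and then lands on "$FW net ACCEPT"; with IMPLICIT_CONTINUE=No and no xx entries it stops at "all all REJECT"; with the CONTINUE lines from the report it records the explicit CONTINUE and again reaches the net policy. Traffic from a plain net host is unaffected in all three cases, which is why the regression only shows up in setups with nested zones.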

