Many thanks Paul. What if the nested zones are on different interfaces? In this case, two is a subnet of one but is connected on a separate interface. Is it correct to define:
zones:

#ZONE     TYPE        OPTIONS     IN          OUT
#                                 OPTIONS     OPTIONS
fw        firewall
one       ipv4
two:one   ipv4

interfaces:

#ZONE     INTERFACE   BROADCAST   OPTIONS
one       eth0        detect      routefilter,logmartians,tcpflags,nosmurfs
two       eth1        detect      routefilter,logmartians,tcpflags,nosmurfs

In this specific case the hosts file will remain empty.

Thanks,
Bye,
Marco

Paul Gear wrote:
> Marco Romano wrote:
>
>> LAN server, single ethernet interface.
>> By defining two zones in the shorewall hosts file as:
>>
>> #ZONE   HOST(S)               OPTIONS
>> one     eth0:10.0.0.0/8       tcpflags,nosmurfs
>> two     eth0:10.1.0.0/16      tcpflags,nosmurfs
>>
>> Is this correct?
>> Because zone "two" is a subnetwork of zone "one", will packets arriving
>> from 10.1.0.0/16 addresses always be correctly processed?
>> Is there a chance for the firewall to erroneously process a packet
>> coming from zone "two" (by applying rules for zone "one")?
>> Does the order in which the zones are defined (in the hosts file or the
>> zones file) make a difference in this specific case?
>>
>
> The order (in the zones file) makes a difference, but you should also
> tell shorewall that two is a subzone of one by specifying them in
> two:one format in the zones file.
>
> You can see which zone is being processed first by running
>   shorewall show eth0_in
> or
>   shorewall show eth0_fwd
>
> See http://www.shorewall.net/Documentation.htm#Zones for more
> information about zone ordering.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
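To make the ordering point concrete, here is an added Python model of the two setups discussed in this thread; it is not Shorewall's code, and its matching logic is an assumed simplification of how Shorewall classifies packets. It shows a 10.1.0.0/16 packet being swallowed by zone "one" when the subzone is not tested first (what the two:one declaration prevents), and that in the per-interface layout the arriving interface alone decides the zone.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Zone:
    name: str
    parent: Optional[str] = None                                # "two:one" -> parent "one"
    hosts: List[Tuple[str, str]] = field(default_factory=list)  # hosts file: (iface, network)
    interfaces: List[str] = field(default_factory=list)         # interfaces file: whole iface

def depth(zone: Zone, zones: dict) -> int:
    """Number of ancestors; a subzone is more specific than its parent."""
    d = 0
    while zone.parent is not None:
        zone = zones[zone.parent]
        d += 1
    return d

def classify(ifname: str, src_ip: str, zones: dict, respect_nesting: bool = True) -> Optional[str]:
    """Zone a packet arriving on ifname from src_ip is assigned to (assumed model).

    With respect_nesting the most deeply nested zones are tested first, which is
    the effect of declaring 'two:one'; without it zones are tested in declaration
    order, so a subnet can be matched by its parent zone before its own.
    """
    ip = ipaddress.ip_address(src_ip)
    order = list(zones.values())
    if respect_nesting:
        order.sort(key=lambda z: depth(z, zones), reverse=True)  # stable: ties keep order
    for z in order:
        if ifname in z.interfaces:
            return z.name
        if any(i == ifname and ip in ipaddress.ip_network(net) for i, net in z.hosts):
            return z.name
    return None

# Constructed from the thread. Setup A: both zones on eth0 via the hosts file.
SHARED_IFACE = {
    "one": Zone("one", hosts=[("eth0", "10.0.0.0/8")]),
    "two": Zone("two", parent="one", hosts=[("eth0", "10.1.0.0/16")]),
}
# Setup B (the follow-up question): one zone per interface, hosts file empty.
SEPARATE_IFACES = {
    "one": Zone("one", interfaces=["eth0"]),
    "two": Zone("two", parent="one", interfaces=["eth1"]),
}

if __name__ == "__main__":
    print(classify("eth0", "10.1.0.5", SHARED_IFACE, respect_nesting=False))  # one (misfiled)
    print(classify("eth0", "10.1.0.5", SHARED_IFACE))                         # two
    print(classify("eth1", "10.1.0.5", SEPARATE_IFACES))                      # two
    print(classify("eth0", "10.1.0.5", SEPARATE_IFACES))                      # one
```

The last case is why the routefilter option on those interfaces matters in setup B: a 10.1.0.0/16 source arriving on eth0 is treated as zone "one" by zone matching alone.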
