On Fri, 2007-08-17 at 15:19 -0700, Tom Eastep wrote:
> Tom Eastep wrote:
> > Bulgrien, Kevin wrote:
> >
> >> I have sent etc_shorewall_net2fw.tar.bz2 to you directly instead of
> >> over the list.
> >>
> >
> > Your net->all policy is CONTINUE. Since 'net' is not a sub-zone of any other
> > zone, rules from net->fw fall off the end of the world.
>
> In other words, if you change your net->all policy to DROP or REJECT, then
> you won't need the extra rule.
>
> I've added a patch to 4.0.3 (Shell and Perl) to avoid this problem in the
> future

The patch also causes Shorewall-perl to warn when a CONTINUE policy is
between orphan zones (zones with no parent zones):

Compiling /home/teastep/Kevin/shorewall/policy...
   WARNING: CONTINUE policy between orphan zones (net, fw) : /home/teastep/Kevin/shorewall/policy (line 106)
   WARNING: CONTINUE policy between orphan zones (net, dnd) : /home/teastep/Kevin/shorewall/policy (line 106)

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
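
The check described in the message above can be approximated outside Shorewall. The following is an added example, not code from the original message or from the Shorewall project. It assumes sub-zones are declared as child:parent in the first column of the zones file and that "all" expands to every other zone; the zones and policy contents are constructed.

```python
# Added illustration, not Shorewall's code. Sample files below are constructed.
ZONES = """\
#ZONE   TYPE
fw      firewall
net     ipv4
dnd     ipv4
loc     ipv4
dmz:loc ipv4
"""

POLICY = """\
#SOURCE DEST    POLICY
loc     net     ACCEPT
dmz     all     CONTINUE
net     all     CONTINUE
"""

def rows(text):
    """Yield (line_number, columns) for non-blank, non-comment lines."""
    for n, line in enumerate(text.splitlines(), 1):
        cols = line.split("#", 1)[0].split()
        if cols:
            yield n, cols

def parse_zones(text):
    """Map zone name -> list of parent zones (assumed 'child:p1,p2' syntax)."""
    parents = {}
    for _, cols in rows(text):
        name, _, plist = cols[0].partition(":")
        parents[name] = [p for p in plist.split(",") if p]
    return parents

def orphan_continue(zones_text, policy_text):
    """Return (source, dest, line) for CONTINUE policies between orphan zones."""
    parents = parse_zones(zones_text)
    def expand(zone, skip):  # assumption: 'all' means every zone except 'skip'
        return [z for z in parents if z != skip] if zone == "all" else [zone]
    hits = []
    for n, cols in rows(policy_text):
        if len(cols) < 3 or cols[2] != "CONTINUE":
            continue
        for src in expand(cols[0], None):
            for dst in expand(cols[1], src):
                if src != dst and not parents.get(src) and not parents.get(dst):
                    hits.append((src, dst, n))  # nothing left to continue to
    return hits

if __name__ == "__main__":
    for src, dst, n in orphan_continue(ZONES, POLICY):
        print(f"WARNING: CONTINUE policy between orphan zones ({src}, {dst}) : policy (line {n})")
```

The dmz->all CONTINUE line is not flagged because dmz has a parent zone (loc) whose policies the traffic can continue to; the net->all line is flagged for each orphan destination.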
