PETER EASTHOPE wrote:
> Folk,
>
> Is there ever a case for the same zone being specified for SOURCE and DEST in a policy or rule?
>
> Example: A LAN has a router/firewall machine, an FTP server and some other machines which need access to the FTP server through the router/firewall. Is this rule needed?
>
>     FTP/ACCEPT    loc    loc
>
> I've made a small effort to find the answer in the documentation and failed, of course.
From 'man shorewall-policy' output:
    Intra-zone policies are pre-defined

    For $FW and for all of the zones defined in /etc/shorewall/zones,
    the POLICY for connections from the zone to itself is ACCEPT
    (with no logging or TCP connection rate limiting) but may be
    overridden by an entry in this file. The overriding entry must be
    explicit (cannot use "all" in the SOURCE or DEST).
So intra-zone ACCEPT rules are not required. Note though, that if intra-zone
traffic requires routing traffic out of the same interface that it arrived on,
then the 'routeback' option must be specified on that interface in
/etc/shorewall/interfaces.
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ [EMAIL PROTECTED]
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
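The two points in the reply above, the pre-defined intra-zone ACCEPT that can only be overridden by an explicit entry, and the 'routeback' interface option, as an added configuration example (this is not from the message or from the Shorewall project; the interface name eth1 and the FTP server address 192.0.2.10 are placeholders). The policy override and the rule are shown for the case where the administrator wants to tighten the default so that only FTP to the server, not arbitrary traffic, is forwarded between loc hosts through the firewall:

```text
# /etc/shorewall/zones  (assumed: a single local zone 'loc')
#ZONE   TYPE
fw      firewall
loc     ipv4

# /etc/shorewall/interfaces
# 'routeback' is required only when the firewall itself routes loc->loc
# traffic back out of the interface it arrived on (e.g. hosts on separate
# subnets or VLANs behind eth1); hosts on one L2 segment reach each other
# without ever hitting the firewall, so no option is needed for them.
#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     eth1        detect      routeback

# /etc/shorewall/policy
# With no entry here, loc->loc is already ACCEPT (the pre-defined intra-zone
# policy), so the FTP/ACCEPT rule from the question is redundant.
# To narrow it, the override must name the zone explicitly; an
# 'all  all  REJECT' line does NOT replace the intra-zone default.
#SOURCE DEST    POLICY  LOG LEVEL
loc     loc     REJECT  info
loc     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
# Now only FTP from loc to the FTP server (placeholder 192.0.2.10) is
# forwarded by the firewall; everything else intra-zone is rejected and logged.
#ACTION        SOURCE  DEST
FTP/ACCEPT     loc     loc:192.0.2.10
```

Run `shorewall check` after editing to have Shorewall validate the files before `shorewall restart`; a REJECT with a log level on the intra-zone policy gives a visible record of any loc host trying to reach another through the firewall for something other than FTP.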
