Colin Alston wrote:
> I've been digging through the various manuals and am a bit irritated
> with limitation on the rules system
> 
> Why do I have to specify a source zone to allow a source IP range on all
> zones? There is no iptables requirement for anything more than a source
> address, so I don't understand why all:<ip> does not just add an accept
> rule into the head of the INPUT chain or even simply assume expanding
> that rule to all zones.

Shorewall uses the keyword 'all' rather than 'any' to mean "All zones".
It is implemented by expanding 'all' into a list of all of the zones.

By definition, SOURCE = 'all:<ip>' implies that packets with the given
source IP address can originate both on the firewall itself and outside
of the firewall. Clearly, that isn't possible in any sane network.
Similarly, where ipsec is involved, the rule says "I don't care whether
traffic from this IP address is encrypted or not". So I believe a rule
with such a SOURCE would imply that the user isn't thinking clearly
about his firewall requirements.

'all-:<ip>' is somewhat more palatable in that it at least restricts
<ip> to non-firewall zones. But the bottom line is that 'all-:<ip>'
will, in most configurations, generate extra rules that can't possibly
be validly matched. And that isn't a good thing in a firewall.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
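To make the expansion Tom describes concrete, here is an added illustration (not Shorewall's own code) that expands 'all:<ip>' and 'all-:<ip>' against a constructed, simplified zone table and lists the per-zone rules that could never match; the zone names and networks are assumptions.

```python
import ipaddress

# Constructed, simplified zone table (hypothetical): zone name -> networks that
# can appear as a packet's source in that zone. '$FW' is the firewall itself,
# so its "networks" are the firewall's own addresses.
ZONES = {
    "$FW": ["192.168.1.1/32", "203.0.113.10/32"],
    "net": ["0.0.0.0/0"],
    "loc": ["192.168.1.0/24"],
    "vpn": ["10.8.0.0/24"],
}


def expand_source(source, zones=ZONES):
    """Expand a SOURCE column such as 'all:<ip>' or 'all-:<ip>' into one
    (zone, address) pair per zone. 'all' includes the firewall zone,
    'all-' excludes it; any other zone name stays as a single entry."""
    zone_spec, _, addr = source.partition(":")
    if zone_spec == "all":
        names = list(zones)
    elif zone_spec == "all-":
        names = [z for z in zones if z != "$FW"]
    else:
        names = [zone_spec]
    return [(z, addr) for z in names]


def unmatchable(expanded, zones=ZONES):
    """Return the expanded rules whose source zone can never carry a packet
    with that source address (the address lies outside every network of the
    zone). These are the 'extra rules that can't possibly be validly matched'."""
    bad = []
    for zone, addr in expanded:
        host = ipaddress.ip_network(addr, strict=False)
        nets = [ipaddress.ip_network(n) for n in zones[zone]]
        if not any(host.subnet_of(n) for n in nets):
            bad.append((zone, addr))
    return bad


if __name__ == "__main__":
    for spec in ("all:203.0.113.50", "all-:203.0.113.50", "net:203.0.113.50"):
        rules = expand_source(spec)
        print(spec, "->", len(rules), "rules, unmatchable:", unmatchable(rules))
```

With this table, 'all:203.0.113.50' yields four rules of which three ($FW, loc, vpn) can never match, 'all-:203.0.113.50' still leaves two dead rules, and only 'net:203.0.113.50' produces a rule that can actually fire.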


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
