On Sat, 2012-01-14 at 23:08 -0800, Christ Schlacta wrote:

> My major question is: I want to be able to set up a policy or a rule 
> similar to:
> ACCEPT    lan(+all child zones)    wan    tcp    port.
> 
> And I also want to know: what happens when a packet is allowed by one 
> rule but disallowed by another rule? For example, if I add another 
> dynamic zone "Special users" (spu:lan) and add someone in the usr zone 
> to the spu zone, do they match the usr, the spu, or the lan zone 
> policy and rule if the rules are in conflict?
> Example rule conflict:
> SSH(REJECT)    lan    $FW
> SSH(DROP)    usr    $FW
> SSH(ACCEPT)    spu    $FW

There are several considerations here:

     1. If you set IMPLICIT_CONTINUE=Yes in shorewall.conf, then any
        connection that doesn't match any subzone rule is automatically
        passed on to the parent zone's rules.
     2. Child zones will always be checked before the parent zone.
     3. If a host is in more than one child zone, then connections
        to/from that host will be passed to the child zones' rules in the
        order in which the child zones appear in /etc/shorewall/zones.

Hope that helps,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
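The configuration below is an added illustration of the three points in the reply, put together by the editor; it is not from Tom's message or from the Shorewall documentation. It uses the zone names and the three conflicting SSH rules from the question, Shorewall 4.x file layouts, and assumes the interface name eth1 and the addresses 192.168.1.0/24 and 192.168.1.50 (all constructed). Check the syntax against the manpages for the Shorewall version you actually run.

```text
# /etc/shorewall/zones -- usr is listed before spu, which (point 3)
# makes usr's rules win for a host that is in both child zones.
#ZONE      TYPE        OPTIONS
fw         firewall
wan        ipv4
lan        ipv4
usr:lan    ipv4        # child of lan, checked first
spu:lan    ipv4        # child of lan, checked second

# /etc/shorewall/hosts -- both child zones are dynamic (assumed: eth1)
#ZONE      HOSTS                   OPTIONS
lan        eth1:192.168.1.0/24
usr        eth1:dynamic
spu        eth1:dynamic

# /etc/shorewall/rules -- the question's conflicting rules, as given,
# plus the parent-zone rule the question asked for
#ACTION        SOURCE   DEST    PROTO   DPORT
SSH(REJECT)    lan      $FW
SSH(DROP)      usr      $FW
SSH(ACCEPT)    spu      $FW
ACCEPT         lan      wan     tcp     443   # assumed example port

# /etc/shorewall/shorewall.conf -- point 1: unmatched child traffic
# falls through to the parent zone's rules
IMPLICIT_CONTINUE=Yes

# Runtime: put one host into both child zones (assumed command form;
# see shorewall(8) for your version)
#   shorewall add eth1:192.168.1.50 usr
#   shorewall add eth1:192.168.1.50 spu

# Expected evaluation for 192.168.1.50 -> $FW, tcp/22, applying the
# three points in the reply (not verified against a live box here):
#   point 2: child zones (usr, spu) are checked before lan
#   point 3: usr is listed first in zones, so SSH(DROP) matches -> dropped
#   swapping the usr:lan / spu:lan lines makes spu win -> accepted
#   lan's SSH(REJECT) is reached only when no child rule matched
# For 192.168.1.50 -> wan, tcp/443: neither usr nor spu has a rule, so
# with IMPLICIT_CONTINUE=Yes (point 1) the connection falls through to
# the lan rule and is accepted.
```

The practical takeaway is that the order of the usr:lan and spu:lan lines in /etc/shorewall/zones is part of the policy: reorder them and the same host gets a different answer for the same port. Run `shorewall check` after changing the zone order to catch syntax problems before a restart.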


_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users