Hi, Paul Sorry I did not include the content of policy file. In the policy file, it has:
#SOURCE DEST POLICY LOG LEVEL LIMIT: CONNLIMIT: $FW net ACCEPT Net all DROP info All all DROP info >From the doc, is it supposed that rules file first then policy file? "For each connection request entering the firewall, the request is first checked against the /etc/shorewall/rules file. If no rule in that file matches the connection request then the first policy in /etc/shorewall/policy that matches the request is applied." Ruiyuan Jiang -----Original Message----- From: Paul Gear [mailto:[email protected]] Sent: Tuesday, July 17, 2012 5:06 PM To: [email protected] Subject: Re: [Shorewall-users] Policies for one interface On 18/07/12 01:52, Ruiyuan Jiang wrote: > Hi, > > I am new to shorewall and I am trying to setup shorewall (v4.5.5.4) on a > Redhat host to protect itself. As a test, I would setup a policy to allow > corporate hosts to access the Redhat through ssh, not from the rest. From the > host, it can initiate all the traffic out. > > I modified hosts, zones and rules files in /etc/shorewall: > ... > After I started shorewall, I noticed that the policy is "DROP" not "ACCEPT" > from corp to fw. Why? Thanks. > > [root@dmz1 shorewall]# shorewall show policies > Shorewall 4.5.5.4 Policies at dmz1.corp.com - Tue Jul 17 11:47:54 EDT 2012 > > fw => net ACCEPT using chain fw2net > fw => corp DROP using chain fw2corp > net => fw DROP using chain net2fw > net => corp DROP using chain net2corp > corp => fw DROP using chain corp2fw > corp => net DROP using chain corp2net > [root@njdmzrp1 shorewall]# Hi Ruiyuan, Shorewall won't start without a policy covering each interface combination, so you must also have something relevant in the policies file - what is it? I think you may be misunderstanding the policies and rules distinction. It might be worth reviewing the information about them in http://shorewall.net/Introduction.html#Concepts Regards, Paul ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users This message (including any attachments) is intended solely for the specific individual(s) or entity(ies) named above, and may contain legally privileged and confidential information. If you are not the intended recipient, please notify the sender immediately by replying to this message and then delete it. Any disclosure, copying, or distribution of this message, or the taking of any action based on it, by other than the intended recipient, is strictly prohibited. ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
