I.S.C. William wrote:

> For it is exactly what I want, block all access from the local network
> (loc) to the internet (net) and similarly for net2loc, so that only the
> selected port is open.
>
> You say that I need one more rule. Could you mention that, as I need
> to accomplish this?
You need to take a step back. It's not enough to talk about blocking traffic TO a zone; all policies apply to traffic FROM one zone TO another zone. These zones are the first and second columns of the policy file. I'd suggest you make a full list of all the zone-zone combinations, like this:

fw   loc
fw   net
fw   vpn
loc  fw
loc  loc
loc  net
loc  vpn
net  fw
net  loc
net  vpn
vpn  fw
vpn  loc
vpn  net
all  all

I've included loc-loc; that's only needed if you have more than one network in your loc zone and the firewall is passing traffic between them. All-all is a 'catch all' for anything not more explicitly listed.

Against each combination, decide whether you want to allow traffic (ACCEPT) or block it (DROP or REJECT). The difference between DROP and REJECT is that DROP will silently discard the packet, while REJECT will reply to the packet (an ICMP response I think, but that could be wrong). It's common to use REJECT for outbound traffic (any->net, so your internal clients "fail" quickly rather than doing nothing for a while and then failing), and DROP for inbound traffic (net->any, so an attacker just gets no response to probes).

Once you've decided on the policy, only then do you think about rules. The POLICY applies to all traffic between the two zones which isn't mentioned in a RULE; rules apply to specific traffic with more detailed criteria.

If you have an ACCEPT policy, then all traffic is allowed unless you have a rule which blocks it. E.g., if you generally want outbound traffic allowed (policy: loc net ACCEPT), but wanted to prevent SMTP traffic that didn't come from your internal firewall, you might add the RULEs:

SMTP/ACCEPT   loc:<mail server ip>   net
SMTP/REJECT   loc                    net

These rules explicitly allow mail from your mail server (so it's not caught by the next rule), and then reject anything else.

If you have a REJECT or DROP policy, then you'll need rules to allow all traffic you want to allow.
So for the same mail, you'd just need one RULE:

SMTP/ACCEPT   loc:<mail server ip>   net

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
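The policy-then-rules evaluation Simon describes above, as an added worked example (not part of the original thread and not Shorewall's own code): a deliberately simplified Python model of how a connection is resolved. The first matching RULE wins; if no rule matches, the POLICY for the zone pair applies, with 'all' as a wildcard and the first matching policy line winning. The policy and rules tables embedded below are constructed sample input in the column order used in the message (the mail server address 192.168.1.25 and the SMTP macro mapping to tcp/25 are assumptions). Real Shorewall files carry more columns and connection-tracking semantics that this model omits.

```python
"""Simplified model of Shorewall policy/rules resolution.

Rules are checked first, in file order; the first match decides.
If no rule matches, the policy table is consulted, in file order,
with 'all' matching any zone. This is an illustration of the
semantics described in the thread, not Shorewall's implementation.
"""
from dataclasses import dataclass

# Constructed /etc/shorewall/policy:  SOURCE  DEST  POLICY
POLICY_FILE = """
fw      all     ACCEPT
loc     fw      ACCEPT
loc     net     ACCEPT
net     all     DROP      # inbound probes get no response
all     all     REJECT    # catch-all for anything not listed above
"""

# Constructed /etc/shorewall/rules:  ACTION  SOURCE  DEST
# Only the SMTP macro is modelled here (assumed: tcp/25).
RULES_FILE = """
SMTP/ACCEPT   loc:192.168.1.25   net    # the (assumed) mail server
SMTP/REJECT   loc                net    # everything else in loc
"""

# Same two rules in the wrong order: the blanket REJECT now shadows
# the mail server's ACCEPT, which is the point of "so it's not caught
# by the next rule" in the message.
RULES_FILE_WRONG_ORDER = """
SMTP/REJECT   loc                net
SMTP/ACCEPT   loc:192.168.1.25   net
"""

MACROS = {"SMTP": ("tcp", 25)}  # macro name -> (proto, dport); assumed


@dataclass(frozen=True)
class Conn:
    """One new connection attempt as seen by the firewall."""
    src_zone: str
    src_ip: str
    dst_zone: str
    proto: str
    dport: int


def parse_table(text):
    """Split a whitespace-separated table into rows, dropping comments."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def zone_matches(pattern, zone, ip=None):
    """'all' matches any zone; 'zone:ip' restricts the match to one host."""
    if pattern == "all":
        return True
    if ":" in pattern:
        z, host = pattern.split(":", 1)
        return z == zone and host == ip
    return pattern == zone


def resolve(conn, policy_text=POLICY_FILE, rules_text=RULES_FILE):
    """Return (action, origin); origin is 'rule' or 'policy'."""
    for action, src, dst in parse_table(rules_text):
        macro, verb = action.split("/", 1)
        proto, port = MACROS[macro]
        if (zone_matches(src, conn.src_zone, conn.src_ip)
                and zone_matches(dst, conn.dst_zone)
                and conn.proto == proto and conn.dport == port):
            return verb, "rule"
    for src, dst, verb in parse_table(policy_text):
        if zone_matches(src, conn.src_zone) and zone_matches(dst, conn.dst_zone):
            return verb, "policy"
    raise LookupError("no policy line covers this zone pair")


if __name__ == "__main__":
    samples = [
        Conn("loc", "192.168.1.25", "net", "tcp", 25),   # mail server -> ACCEPT (rule)
        Conn("loc", "192.168.1.50", "net", "tcp", 25),   # other host  -> REJECT (rule)
        Conn("loc", "192.168.1.50", "net", "tcp", 80),   # web         -> ACCEPT (policy)
        Conn("net", "203.0.113.7", "loc", "tcp", 22),    # inbound     -> DROP (policy)
        Conn("vpn", "10.8.0.2", "loc", "tcp", 445),      # unlisted    -> REJECT (all all)
    ]
    for c in samples:
        print(c, "->", resolve(c))
    print("wrong order:", resolve(samples[0], rules_text=RULES_FILE_WRONG_ORDER))
```

Running the script shows the two things the message stresses: a connection not named in any rule falls through to the zone pair's policy (so with a DROP or REJECT policy every wanted flow needs its own ACCEPT rule), and within the rules file order matters, since the mail server is rejected as soon as the blanket SMTP/REJECT is placed above its ACCEPT.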
