On 5/11/13 4:10 PM, "Dash Four" <[email protected]> wrote:

> 
> Dash Four wrote:
>> Tom Eastep wrote:
>>> On 5/11/13 3:08 PM, "Dash Four" <[email protected]> wrote:
>>>
>>>> I have a zone (let's call it "net"), which has more than one network
>>>> device attached to it (all interfaces within that zone are optional) and
>>>> also have a catch-all statement in my "policy" file "all all DROP",
>>>> which, I assumed, will produce a DROP rule at the end of each zone2zone
>>>> chain not explicitly defined in that file.
>>>>
>>>> That is indeed the case for 99% of the zones, but for the net2net chain
>>>> I have an ACCEPT rule at the end, not DROP. I am certain I do not have any
>>>> such rule either in my "rules" or "policy" files, so I am wondering what
>>>> is the cause for this?
>>>>
>>> The default intra-zone policy is ACCEPT and that policy is not overridden
>>> by a wildcard policy (one with 'all' in the SOURCE and/or DEST). If you
>>> want a DROP net->net policy then you must specify it explicitly.
>>>
>> Is this documented anywhere, because this is quite a hole I was
>> unaware of? It seems inconsistent for 'all' to apply to everything
>> else, except intra-zone policies (I do have 2 such zones and in both
>> cases I have ACCEPT at the end).
>
> Should I assume that this is also the case not only with "policy", but
> for everything else as well (rules, blrules, etc.)? Do I have to specify
> the default rules explicitly for intra-zone traffic in all those files?

Sort of -- look for 'intra-' in shorewall-rules(5).

-Tom

You do not need a parachute to skydive.
You only need a parachute to skydive twice.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
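The policy-file arrangement the thread is about, shown as an added example; it is not taken from the thread or from the Shorewall project's own documentation. The zone name "net" with two optional interfaces comes from the original question; the second multi-interface zone "loc" and the "info" log level are assumptions. The column layout is the standard /etc/shorewall/policy file, in which entries are matched in order and the first match wins, so the explicit intra-zone lines have to sit above the wildcard.

```text
# /etc/shorewall/policy -- BEFORE: the wildcard alone
#
# Intra-zone traffic (net -> net, loc -> loc) keeps Shorewall's default
# intra-zone policy of ACCEPT: the 'all all DROP' line does not reach it.
# With two optional interfaces in zone "net", the net2net chain therefore
# ends in ACCEPT, which is what the original poster observed.
#
#SOURCE   DEST    POLICY   LOGLEVEL
all       all     DROP     info

# /etc/shorewall/policy -- AFTER: intra-zone policies written out
#
# Policies are processed in order, so the net->net and loc->loc entries
# must come before the wildcard or the wildcard would not be the problem,
# it would simply never be consulted for these pairs either way.
# Every zone with more than one interface gets its own line: DROP where
# the interfaces must not forward to each other through the firewall,
# an explicit ACCEPT where they should, so the intent is recorded rather
# than inherited from the default. ("loc" is an assumed second zone.)
#
#SOURCE   DEST    POLICY   LOGLEVEL
net       net     DROP     info
loc       loc     ACCEPT
all       all     DROP     info
```

After editing, validate with `shorewall check`, apply the configuration, and confirm with `shorewall show net2net` that the chain now ends in a DROP rule rather than ACCEPT. This covers the policy file only; as Tom's reply says, the rules file has its own handling of intra-zone traffic, documented under 'intra-' in shorewall-rules(5), and whatever intra-zone rules are needed there must be stated explicitly as well.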
