Tom Eastep wrote:
> On 5/11/13 4:10 PM, "Dash Four" <[email protected]> wrote:
>
>> Dash Four wrote:
>>
>>> Tom Eastep wrote:
>>>
>>>> On 5/11/13 3:08 PM, "Dash Four" <[email protected]> wrote:
>>>>
>>>>> I have a zone (let's call it "net"), which has more than one network
>>>>> device attached to it (all interfaces within that zone are optional) and
>>>>> also have a catch-all statement in my "policy" file "all all DROP",
>>>>> which, I assumed, will produce a DROP rule at the end of each zone2zone
>>>>> chain not explicitly defined in that file.
>>>>>
>>>>> That is indeed the case for 99% of the zones, but for the net2net chain
>>>>> I have an ACCEPT rule at the end, not DROP. I am certain I do not have any
>>>>> such rule either in my "rules" or "policy" files, so I am wondering what
>>>>> is the cause for this?
>>>>>
>>>> The default intra-zone policy is ACCEPT and that policy is not overridden
>>>> by a wildcard policy (one with 'all' in the SOURCE and/or DEST). If you
>>>> want a DROP net->net policy then you must specify it explicitly.
>>>>
>>> Is this documented anywhere, because this is quite a hole I was
>>> unaware of? It seems inconsistent for 'all' to apply to everything
>>> else, except intra-zone policies (I do have 2 such zones and in both
>>> cases I have ACCEPT at the end).
>>>
>> Should I assume that this is also the case not only with "policy", but
>> for everything else as well (rules, blrules etc)? Do I have to specify
>> the default rules explicitly for intra-zone traffic in all those files?
>>
>
> Sort of -- look for 'intra-' in shorewall-rules(5).
>
In other words, if I use all+ that will capture intra-zone traffic,
right? If so, it is a pity that all+ cannot be specified in "policy" and
I have to revert to this sort of gimmick.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
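The behaviour Tom describes above (a wildcard `all` policy never covers traffic between two interfaces of the same zone, which therefore falls back to the implicit intra-zone ACCEPT unless a `zone zone` entry names it) is easy to miss in a long policy file. The following is an added example, not code from the thread or from the Shorewall project: a small hypothetical linter that reads a Shorewall-style `policy` file and reports multi-interface zones whose intra-zone traffic is accepted only by that implicit default. It assumes first-match policy ordering and the three leading columns SOURCE, DEST, POLICY; the sample policy text and the set of multi-interface zones are constructed for the example.

```python
"""Lint a Shorewall 'policy' file for implicit intra-zone ACCEPT.

Hypothetical helper, not part of Shorewall. It models the rule stated in
the thread: a policy whose SOURCE and/or DEST is 'all' never matches an
intra-zone pair, so a zone with several interfaces keeps the default
intra-zone ACCEPT unless an explicit 'zone zone' entry exists.
"""

# Constructed sample policy file: 'dmz' has an explicit intra-zone DROP,
# 'net' relies on the catch-all, which does not apply to net2net.
SAMPLE_POLICY = """\
#SOURCE   DEST    POLICY   LOG_LEVEL
$FW       all     ACCEPT
loc       net     ACCEPT
dmz       dmz     DROP     info
all       all     DROP     info
"""

# Zones spanning more than one interface (constructed; in a real setup
# this would be derived from the 'interfaces' file).
MULTI_INTERFACE_ZONES = {"net", "dmz"}


def parse_policy(text):
    """Return (source, dest, policy) tuples in file order, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        entries.append((fields[0], fields[1], fields[2].upper()))
    return entries


def effective_policy(entries, src, dst):
    """First matching entry wins.

    Returns (policy, explicit). A wildcard 'all' matches any zone except
    that it never matches an intra-zone pair (src == dst); such a pair
    falls back to the implicit ACCEPT unless named explicitly.
    """
    for s, d, pol in entries:
        if src == dst and (s == "all" or d == "all"):
            continue  # wildcard never covers intra-zone traffic
        if s in (src, "all") and d in (dst, "all"):
            return pol, True
    if src == dst:
        return "ACCEPT", False  # implicit intra-zone default
    return None, False  # no policy at all; Shorewall would reject this


def implicit_intrazone_accepts(entries, zones):
    """Zones whose intra-zone traffic is ACCEPTed only by the implicit default."""
    findings = []
    for zone in sorted(zones):
        pol, explicit = effective_policy(entries, zone, zone)
        if pol == "ACCEPT" and not explicit:
            findings.append(zone)
    return findings


if __name__ == "__main__":
    ents = parse_policy(SAMPLE_POLICY)
    for zone in implicit_intrazone_accepts(ents, MULTI_INTERFACE_ZONES):
        print(f"WARNING: {zone}2{zone} has no explicit policy; "
              f"intra-zone traffic is ACCEPTed by the default")
```

Run against the sample, the linter flags `net` and not `dmz`, because only `dmz dmz DROP` names the intra-zone pair. The compiled chain on the firewall itself (`shorewall show net2net`) remains the authoritative check; the script only makes the review of the policy file faster.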