On 8/25/2015 12:39 AM, Vieri Di Paola wrote:
> Hi,
> I'm not sure I correctly understand how nested zones work in Shorewall.
> My zones file includes these 2 zones:
> caib ipv4
> ibs:caib ipv4
> My policy file is as shown below regarding the ibs child zone alone
> ("caib ibs CONTINUE" doesn't make much sense, does it?):
> # grep ibs policy
> lan ibs CONTINUE info
> wan ibs CONTINUE info
> dmz ibs CONTINUE info
> ibs all CONTINUE info
> caib ibs CONTINUE info
> road ibs CONTINUE info
> vpn1 ibs CONTINUE info
> vpn2 ibs CONTINUE info
> ovpn ibs CONTINUE info
> $FW ibs CONTINUE info
>
> As I understand it, client connection requests between e.g. the "lan"
> zone and the "ibs" zone should first be processed under the "lan/caib"
> rules and if there is no match then the connection request should be
> treated under "lan/ibs" rules.

Other way around -- ibs is a sub-zone of caib so the traffic is first processed under the lan->ibs rules and if there is no match, it is then processed under the lan->caib rules. Note that ibs must actually be a sub-zone so that traffic to ibs will also be processed as traffic to caib.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
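The evaluation order Tom describes, as an added configuration example that is not part of the thread and not Shorewall project code. It keeps the zone names from the post (lan, caib, ibs with ibs nested in caib) but the interface name, the addresses and the policy/rule contents are assumed for illustration:

```text
# /etc/shorewall/interfaces  (assumed interface)
#ZONE      INTERFACE   OPTIONS
-          eth1        -

# /etc/shorewall/zones
#ZONE      TYPE
fw         firewall
lan        ipv4
caib       ipv4
ibs:caib   ipv4        # child zone: every ibs host is also a member of caib

# /etc/shorewall/hosts  (addresses assumed; the ibs range must lie inside the caib range)
#ZONE      HOSTS
lan        eth1:192.168.1.0/24
caib       eth1:10.1.0.0/16
ibs        eth1:10.1.5.0/24

# /etc/shorewall/policy
#SOURCE    DEST    POLICY     LOG_LEVEL
lan        ibs     CONTINUE   info    # no match in lan->ibs rules: fall through to lan->caib
lan        caib    DROP       info    # terminating policy for the parent zone
lan        all     REJECT     info
all        all     REJECT     info

# /etc/shorewall/rules
#ACTION    SOURCE  DEST    PROTO   DPORT
ACCEPT     lan     ibs     tcp     443   # consulted first for lan hosts talking to 10.1.5.0/24
ACCEPT     lan     caib    tcp     22    # consulted second, only because lan->ibs is CONTINUE
```

For a lan host opening port 22 to 10.1.5.7, the lan->ibs rules are checked first; they only cover 443, so the lan->ibs policy applies, and because it is CONTINUE the packet is next matched against the lan->caib rules, where the port 22 rule accepts it. If the lan->ibs policy were a terminating one such as DROP, the lan->caib rule set would never be reached for ibs hosts, even though they are caib members. Running `shorewall check` after editing validates the nesting before it is compiled into iptables chains.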
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
