On 10/10/2016 08:05 PM, Ob Noxious wrote:
> Hi,
>
> On a host with 1 physical interface (internet) and several
> internal bridges where LXC VMs (veth) are attached to different
> subnets. Everything runs fine, nothing to complain about.
>
> My policy file looks like this :
>
> $FW { dest=all policy=ACCEPT }
> dmz1,dmz2 { dest=dmz1,dmz2+ policy=REJECT loglevel=info }
> all { dest=all policy=DROP loglevel=info }
>
> In the rules file, I have the following line :
>
> ?SECTION ALL Ping(ACCEPT) { source=all dest=all rate=100/sec }
>
> And then the remaining sections and all the needed rules under
> "?SECTION NEW"
>
> With this setup here's what happens :
>
> Ping from FW to any dmz zone (dmz1 or dmz2) => Works as expected
> Ping from any VM in any dmz zone (dmz1 or dmz2) to FW => Works as
> expected
> Ping from any VM in any dmz zone to any other VM in any other dmz
> zone => Works as expected
>
> However : Ping from any VM in any dmz zone to any other VM in the
> *SAME* dmz zone => Destination host unreachable!
>
> It triggers the Shorewall interzone filtering
> "Shorewall:dmz1-dmz1:REJECT:..."
>
> "shorewall show" reflects the "Ping(ACCEPT)" rule is set in every
> possible zone-to-zone combination EXCEPT the
> "samezone-to-samezone" chain (ie: dmz1-to-dmz1). Shouldn't this
> chain contain the rule when "source/dest=all" AND zone-to-zone
> policy is NOT ACCEPT?
>
> What's your view on that?
Your rule should be:
Ping(ACCEPT) { source=all dest=all+ rate=100/sec }
(Note the plus sign)
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
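For reference, here is what the corrected files look like next to the original, as an added example and not part of the thread or the Shorewall project's documentation. It uses the zone names and the alternate key=value column syntax from the question; the file paths under /etc/shorewall are the standard defaults and nothing else is assumed.

```text
# /etc/shorewall/policy
# The '+' on dest=dmz1,dmz2+ is what creates the intra-zone chains
# (dmz1-dmz1 and dmz2-dmz2) with a REJECT policy in the first place.
$FW        { dest=all        policy=ACCEPT }
dmz1,dmz2  { dest=dmz1,dmz2+ policy=REJECT loglevel=info }
all        { dest=all        policy=DROP   loglevel=info }

# /etc/shorewall/rules
?SECTION ALL
# Before: dest=all expands to every zone pair EXCEPT same-zone, so the
# Ping rule never lands in dmz1-dmz1 and intra-zone echo requests fall
# through to the REJECT policy above.
#Ping(ACCEPT) { source=all dest=all  rate=100/sec }
# After: dest=all+ also instantiates the rule in the intra-zone chains.
Ping(ACCEPT) { source=all dest=all+ rate=100/sec }

?SECTION NEW
# remaining rules unchanged
```

After a `shorewall reload`, `shorewall show dmz1-dmz1` should now list an ACCEPT entry for ICMP echo-request (the Ping macro) ahead of the logged REJECT, and `shorewall check` is the quick way to catch the missing '+' before a reload on a live host.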
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users