On 2/17/19 7:26 PM, ObNox wrote:
> On 16/02/2019 00:22, Tom Eastep wrote:
>
>> Shorewall 5.2.3 is now available for download.
>>
>> New Features:
>>
>> 1) Zone exclusion (e.g., "all!z2,z2,...") is now supported in the
>> policy file.
>>
>> 2) With the availability of zone exclusion in the rules file, 'all[+]-'
>> and 'any[+]-' are equivalent to 'all[+]!$FW' and 'any[+]!$FW'
>> respectively. Beginning with this release, the former are
>> deprecated in favor of the latter and will result in a warning
>> message, if used.
>
> Unfortunately, I wasn't able to test Shorewall during the beta phase, so
> I discovered this with the release version:
>
> I modified my "policy" file to reflect the changes above but I faced an
> issue:
>
> # shorewall ck
> Checking using Shorewall 5.2.3...
> ERROR: 'all' is not allowed in a source zone list
> /etc/shorewall/policy (line 8)
>
> The relevant part of the policy file:
>
> ${FW} { dest=all policy=ACCEPT }
>
> all!${FW},net { dest=all+!${FW},net policy=REJECT loglevel=info }
>
> all { dest=all policy=DROP loglevel=info }
>
> And according to the docs -
> http://shorewall.net/manpages/shorewall-policy.html - there's nothing
> preventing that syntax.
>
> The second line reflects exactly what I want: all zones except
> "$FW" and "net" should REJECT packets from other zones, even between
> themselves.
>
> What's wrong with that then?
>
> Thanks for any advice.
>
> PS: Previously, SOURCE and DEST were "zone1,zone2,zone3" and
> "zone1,zone2,zone3+" respectively.
>
Please give the attached patch a try.

Thanks,
-Tom

--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \    understand
                          \_______________________________________________
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 35d093f01..5793a8d5f 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -836,11 +836,15 @@ sub process_a_policy() { my ( $intrazone, $clientlist, $serverlist ); - if ( $clientlist = ( $clients =~ /,/ ) ) { + if ( $clients =~ /^all(\+)?!/ ) { + $intrazone = $1; + } elsif ( $clientlist = ( $clients =~ /,/ ) ) { $intrazone = ( $clients =~ s/\+$// ); } - if ( $serverlist = ( $servers =~ /,/ ) ) { + if ( $servers =~ /^all(\+)?!/ ) { + $intrazone = $1; + } elsif ( $serverlist = ( $servers =~ /,/ ) ) { $intrazone ||= ( $servers =~ s/\+$// ); } @@ -857,7 +861,7 @@ sub process_a_policy() { } } } else { - process_a_policy1( $clients, $servers, $policy, $loglevel, $synparams, $connlimit, 0 ); + process_a_policy1( $clients, $servers, $policy, $loglevel, $synparams, $connlimit, $intrazone ); } }
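Review bot: In the first hunk, the new '$servers' branch does '$intrazone = $1;' and so unconditionally overwrites whatever the '$clients' branch just set, while the 'elsif' right below it is careful to use '$intrazone ||= ...'. A policy whose SOURCE is 'z1,z2+' and whose DEST is 'all!$FW' (no '+') would end up with the intrazone flag cleared. Use '$intrazone ||= $1;' there. Two smaller points on the same hunk: '/^all(\+)?!/' captures the '+' but, unlike the list branch, does not strip it, so '$clients' and '$servers' are passed on still carrying the '+' and the callee has to cope with 'all+!...'; and the pattern only matches 'all', not 'any', even though the release note presents 'any[+]!$FW' alongside 'all[+]!$FW', so if 'any' exclusion is meant to work in the policy file as well the regex wants to be '/^(?:all|any)(\+)?!/'.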
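Review bot: In the second hunk, '$intrazone' can reach process_a_policy1() undefined: it is only assigned when the 'all!' pattern matches, and even then '$1' is undef when no '+' was given, whereas the old call always passed a literal 0. Unless process_a_policy1() already normalises its last argument, pass '$intrazone ? 1 : 0' (or '$intrazone || 0') to keep the previous numeric contract and avoid "uninitialized value" warnings under 'use warnings'. A one-line comment noting that this else branch is now also reached by the 'all[+]!...' forms, with '$intrazone' carrying their '+', would help the next reader.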
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users