Ok nice! But then why isn't this what we find in the docs? They often speak about net:+sshok.
Here for example https://shorewall.org/ipsets.html

On Sunday, 8 October 2023 at 04:27 +0100, Rodrigo Araujo wrote:
> Or better yet, just replace the ssh accept rule with:
>
> SSH(ACCEPT) sshok fw
>
> Like this you won't need that line in the policy file.
>
> On Sun, 8 Oct 2023, 04:23 Christophe PEREZ, <ch...@novazur.fr> wrote:
> > Seems I just needed a line added in policy
> > sshok all CONTINUE
> >
> > On Saturday, 7 October 2023 at 19:24 -0400, Christophe PEREZ wrote:
> > > Now that I have finally managed to activate the dynamic zones, I
> > > would like to be able to use them to allow ssh access to my FW on
> > > the fly.
> > > I only have one interface: eth0
> > >
> > > zones:
> > > fw firewall
> > > net ipv4
> > > sshok:net ipv4 dynamic_shared
> > >
> > > hosts:
> > > sshok eth0:dynamic
> > >
> > > policy:
> > > net all DROP info
> > > all all REJECT info
> > >
> > > rules:
> > > SSH(ACCEPT) net:+sshok fw
> > >
> > >
> > > But my access is REJECTed:
> > > Oct 8 01:17:20 myfw kernel: [2589.152380] sshok-fw REJECT IN=eth0 OUT= MAC=fa:16:3e:77:ac:2a:2a:9c:dc:33:c6:4b:08:00 SRC=ssh_client_IP DST=fw_ip LEN=60 TOS=0x00 PREC=0x00 TTL=42 ID=5951 DF PROTO=TCP SPT=29346 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
> > >
> > > What is my mistake please?
> >
> > _______________________________________________
> > Shorewall-users mailing list
> > Shorewall-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/shorewall-users

--
Christophe
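A small illustration of what the quoted log line reveals, added here as an example and not code from the thread or from Shorewall: the "sshok-fw" prefix shows the packet was classified into the sshok zone, so only rules whose SOURCE column names sshok are consulted, and a rule written as "net:+sshok" lives in the net-fw chain instead. The log line is a constructed copy of the quoted one with placeholder addresses, and the rule-matching model is a deliberate simplification that ignores the CONTINUE policy case.

```python
import re

# Constructed sample modelled on the log line quoted in the thread (placeholder addresses).
SAMPLE_LOG = ("Oct 8 01:17:20 myfw kernel: [2589.152380] sshok-fw REJECT IN=eth0 OUT= "
              "MAC=fa:16:3e:77:ac:2a:2a:9c:dc:33:c6:4b:08:00 SRC=198.51.100.7 "
              "DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=42 ID=5951 DF PROTO=TCP "
              "SPT=29346 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0")

# Shorewall's default log prefix is "<chain> <disposition>", and the chain for
# zone-to-zone traffic is named "<source zone>-<destination zone>".
LOG_RE = re.compile(r"\]\s+(?P<chain>\S+)\s+(?P<disposition>[A-Z]+)\s+(?P<fields>IN=.*)$")


def parse_shorewall_log(line):
    """Return chain, disposition, zone pair and the netfilter key=value fields, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # Flags such as DF or SYN carry no '=' and are skipped; "OUT=" yields an empty value.
    fields = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
    src_zone, _, dst_zone = m["chain"].partition("-")
    return {"chain": m["chain"], "disposition": m["disposition"],
            "src_zone": src_zone, "dst_zone": dst_zone,
            "src": fields.get("SRC"), "dst": fields.get("DST"),
            "proto": fields.get("PROTO"), "dport": fields.get("DPT")}


def rules_consulted(rules, src_zone, dst_zone):
    """Actions of the rules Shorewall would place in the <src_zone>-<dst_zone> chain.

    Simplified model (assumption): the zone is the SOURCE/DEST column up to the first ':',
    so "net:+sshok" belongs to zone net. Without a CONTINUE policy for the subzone,
    traffic classified as sshok never reaches the net-fw chain.
    """
    hits = []
    for rule in rules:
        action, source, dest = rule.split()[:3]
        if source.split(":")[0] == src_zone and dest.split(":")[0] == dst_zone:
            hits.append(action)
    return hits


if __name__ == "__main__":
    entry = parse_shorewall_log(SAMPLE_LOG)
    zone_pair = (entry["src_zone"], entry["dst_zone"])
    print("packet classified as", zone_pair, "->", entry["disposition"])
    print("net:+sshok rule consulted:", rules_consulted(["SSH(ACCEPT) net:+sshok fw"], *zone_pair))
    print("sshok rule consulted:", rules_consulted(["SSH(ACCEPT) sshok fw"], *zone_pair))
```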