Hi all, I always have problems with this and I really need your help. I don't understand the use of dynamic zones, and I ultimately wonder if it meets my needs or not.
It seems like the operation is exclusive and that's not what I want. I would just like the dynamic zone to grant me additional access, without contradicting what is configured elsewhere in rules. If I use a dynamic zone as I do, an IP in the sshok zone is ACCEPTed for port 22, BUT REJECTed for the rest, even for what is ACCEPTed for all.

Example:
-------------------------------
with:

SSH(ACCEPT) sshok fw
Web(ACCEPT) net fw

and:

# shorewall show dynamic sshok
sshok: my_dynamic_ip

Connection from my_dynamic_ip port 22 is ACCEPTed, but ALL other ports are closed, and connections are REJECTed.

And if:

# shorewall delete sshok my_dynamic_ip
Host my_dynamic_ip deleted from to zone sshok

Web connection is ACCEPTed and of course connection from my_dynamic_ip port 22 is REJECTed.
-------------------------------

Is what I wish possible or not? And if yes, how please?

On Sun, 08 Oct 2023 10:31:29 -0400, Christophe PEREZ wrote:
> Ok nice !
> But then why isn't this what we find in the docs?
>
> They often speak about net:+sshok.
>
> Here for example https://shorewall.org/ipsets.html
>
> On Sunday 08 October 2023 at 04:27 +0100, Rodrigo Araujo wrote:
>> Or better yet, just replace the ssh accept rule with:
>>
>> SSH(ACCEPT) sshok fw
>>
>> Like this you won't need that line in the policy file.
>>
>> On Sun, 8 Oct 2023, 04:23 Christophe PEREZ, <ch...@novazur.fr> wrote:
>> > Seems I just needed a line added in policy
>> > sshok all CONTINUE
>> >
>> > On Saturday 07 October 2023 at 19:24 -0400, Christophe PEREZ wrote:
>> > > Now that I have finally managed to activate the dynamic zones, I
>> > > would like to be able to use them to allow ssh access to my FW on
>> > > the fly.
>> > > I only have one interface: eth0
>> > >
>> > > zones:
>> > > fw firewall
>> > > net ipv4
>> > > sshok:net ipv4 dynamic_shared
>> > >
>> > > hosts:
>> > > sshok eth0:dynamic
>> > >
>> > > policy:
>> > > net all DROP info
>> > > all all REJECT info
>> > >
>> > > rules:
>> > > SSH(ACCEPT) net:+sshok fw
>> > >
>> > >
>> > > But my access is REJECTed:
>> > > Oct 8 01:17:20 myfw kernel: [2589.152380] sshok-fw REJECT IN=eth0
>> > > OUT=
>> > > MAC=fa:16:3e:77:ac:2a:2a:9c:dc:33:c6:4b:08:00 SRC=ssh_client_IP
>> > > DST=fw_ip LEN=60 TOS=0x00 PREC=0x00 TTL=42 ID=5951 DF PROTO=TCP
>> > > SPT=29346 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
>> > >
>> > > What is my mistake please?
>> >
>> > _______________________________________________
>> > Shorewall-users mailing list
>> > Shorewall-users@lists.sourceforge.net
>> > https://lists.sourceforge.net/lists/listinfo/shorewall-users
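The behaviour the thread goes back and forth on (sshok being exclusive rather than additive) comes down to the policy that Shorewall applies once the sshok-to-fw rules have not matched: without a CONTINUE policy the generic `all all REJECT` line decides, which is exactly the `sshok-fw REJECT` chain seen in the log above; with `sshok all CONTINUE` the connection falls through to the rules and policy of the parent zone net. The script below is an added illustration written for this thread, not Shorewall code: it parses the zones, rules and policy lines posted in the thread (copied into Python strings) and walks the documented decision order for one new connection, most specific source zone first, parent zone next whenever the policy is CONTINUE, first matching policy line wins. The macro table is a constructed subset of Shorewall's real macros, the sample addresses are constructed TEST-NET values, and the hosts line `sshok eth0:dynamic` is modelled as "an address is in sshok only while it has been added with `shorewall add`".

```python
"""Model of Shorewall's decision order for a nested zone such as sshok:net.

Added illustration for the shorewall-users thread; this is NOT Shorewall
code. Shorewall compiles the files into netfilter chains; this script only
reproduces, for one new connection, the order in which those chains decide:

  1. rules for the (source zone, destination zone) pair, in file order;
  2. the first matching policy line for that pair;
  3. if that policy is CONTINUE, repeat with the parent of the source zone.
"""
from dataclasses import dataclass

# Constructed subset of Shorewall's macro library: name -> {(proto, port)}
MACROS = {
    "SSH": {("tcp", 22)},
    "Web": {("tcp", 80), ("tcp", 443)},
}

# Files as posted in the thread. sshok is declared as a sub-zone of net.
ZONES = "fw firewall\nnet ipv4\nsshok:net ipv4 dynamic_shared\n"
RULES = "SSH(ACCEPT) sshok fw\nWeb(ACCEPT) net fw\n"
# Policy without the CONTINUE line (the "exclusive" behaviour complained about) ...
POLICY_EXCLUSIVE = "net all DROP info\nall all REJECT info\n"
# ... and with the line found to be missing. It must precede the generic
# 'all all REJECT' entry because the first matching policy line wins.
POLICY_ADDITIVE = "sshok all CONTINUE\nnet all DROP info\nall all REJECT info\n"


@dataclass
class Rule:
    action: str
    src: str
    dst: str
    ports: set          # {(proto, port)} expanded from the macro


@dataclass
class Policy:
    src: str
    dst: str
    action: str


def _lines(text):
    return [l.split() for l in text.splitlines() if l.strip() and not l.startswith("#")]


def parse_zones(text):
    """Return {zone: parent_zone_or_None}; 'sshok:net' makes net the parent."""
    parents = {}
    for fields in _lines(text):
        zone, _, parent = fields[0].partition(":")
        parents[zone] = parent or None
    return parents


def parse_rules(text):
    """'SSH(ACCEPT) sshok fw' -> Rule('ACCEPT', 'sshok', 'fw', {('tcp', 22)})."""
    rules = []
    for spec, src, dst in (f[:3] for f in _lines(text)):
        macro, _, action = spec.rstrip(")").partition("(")
        rules.append(Rule(action, src, dst, MACROS[macro]))
    return rules


def parse_policy(text):
    return [Policy(src, dst, action) for src, dst, action in (f[:3] for f in _lines(text))]


def source_zone(ip, dynamic_members):
    """hosts 'sshok eth0:dynamic': in sshok only while added with 'shorewall add'."""
    return "sshok" if ip in dynamic_members else "net"


def decide(src_zone, dst_zone, proto, port, parents, rules, policies):
    """Return (verdict, trail); trail names the chain that decided, like the kernel log."""
    zone, trail = src_zone, []
    while zone is not None:
        for r in rules:                       # step 1: rules for this zone pair
            if r.src == zone and r.dst == dst_zone and (proto, port) in r.ports:
                trail.append(f"{zone}-{dst_zone} rule {r.action}")
                return r.action, trail
        pol = next(p for p in policies        # step 2: first matching policy line
                   if p.src in (zone, "all") and p.dst in (dst_zone, "all"))
        trail.append(f"{zone}-{dst_zone} policy {pol.action}")
        if pol.action != "CONTINUE":
            return pol.action, trail
        zone = parents[zone]                  # step 3: CONTINUE -> parent zone
    raise RuntimeError("no terminating policy for the zone pair")


def verdicts(policy_text, dynamic_members=frozenset({"203.0.113.7"})):
    """Evaluate the thread's scenario for one policy file; returns {case: (verdict, trail)}."""
    parents, rules, policies = parse_zones(ZONES), parse_rules(RULES), parse_policy(policy_text)
    cases = {                                 # constructed sample connections to the firewall
        "dynamic ip -> tcp/22": ("203.0.113.7", "tcp", 22),
        "dynamic ip -> tcp/443": ("203.0.113.7", "tcp", 443),
        "other ip -> tcp/22": ("198.51.100.9", "tcp", 22),
        "other ip -> tcp/443": ("198.51.100.9", "tcp", 443),
    }
    result = {}
    for label, (ip, proto, port) in cases.items():
        verdict, trail = decide(source_zone(ip, dynamic_members), "fw", proto, port,
                                parents, rules, policies)
        result[label] = (verdict, " -> ".join(trail))
    return result


if __name__ == "__main__":
    for name, policy in (("without CONTINUE", POLICY_EXCLUSIVE), ("with CONTINUE", POLICY_ADDITIVE)):
        print(f"== policy {name} ==")
        for label, (verdict, trail) in verdicts(policy).items():
            print(f"{label:24} {verdict:7} ({trail})")
```

Running it shows the two behaviours side by side: without CONTINUE the dynamic address reaches port 22 but every other port ends in `sshok-fw policy REJECT`, while with `sshok all CONTINUE` a port 443 connection from the same address traces `sshok-fw policy CONTINUE -> net-fw rule ACCEPT`, i.e. the dynamic zone only adds access on top of what net already gets. Addresses not in the ipset are plain net hosts in both cases and hit the `net all DROP` policy for port 22.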