If an address is in a zone, the rules for other zones aren't applied to it.
But since in this case "sshok" is a subzone of the "net" zone, you can
use a CONTINUE in policy to ensure the rule of the parent zone (in this
case "net") are also applied to it.
So try adding the following to the policy file (before any DROPs or
REJECTs):
sshok all CONTINUE
all sshok CONTINUE
(I know I said earlier it wouldn't be needed, but since you have other
rules like the one you described, then you do need it - sorry for any
confusion)
The "all ssh CONTINUE" can help if you have rules from anything to the
"net" zone and also want it to be applied to the "sshok" zone.
As an alternative, you can explicitly allow in the rules file:
Web(ACCEPT) net,sshok fw
BTW, I would advise having the following in the policy file as the
first entry, in any case, to ensure the firewall can freely access anything:
$FW all ACCEPT
Hope this helps.
In this case, since the ssh
On 09/10/2023 17:56, Christophe PEREZ wrote:
Hi all,
I always have problems with this and I really need your help.
I don't understand the use of dynamic zones, and I ultimately wonder if it
meets my needs or not.
It seems like the operation is exclusive and that's not what I want.
I would just like the dynamic zone to grant me additional access, without
contradicting what is configured elsewhere in rules.
If I use a dynamic zone the way I do, an IP in the sshok zone is ACCEPTed for port
22, BUT REJECTed for the rest, even for what is ACCEPTed for all.
Example:
-------------------------------
with:
SSH(ACCEPT) sshok fw
Web(ACCEPT) net fw
and:
# shorewall show dynamic sshok
sshok:
my_dynamic_ip
Connection from my_dynamic_ip port 22 is ACCEPTed, but ALL other ports are
closed, and connections are REJECTed.
And if:
# shorewall delete sshok my_dynamic_ip
Host my_dynamic_ip deleted from to zone sshok
Web connection is ACCEPTed and of course connection from my_dynamic_ip port
22 is REJECTed.
-------------------------------
Is what I wish possible or not? And if yes, how please?
On Sun, 08 Oct 2023 10:31:29 -0400, Christophe PEREZ wrote:
Ok nice!
But then why isn't this what we find in the docs?
They often speak about net:+sshok.
Here for example: https://shorewall.org/ipsets.html
On Sunday, 08 October 2023 at 04:27 +0100, Rodrigo Araujo wrote:
Or better yet, just replace the ssh accept rule with:
SSH(ACCEPT) sshok fw
Like this you won't need that line in the policy file.
On Sun, 8 Oct 2023, 04:23 Christophe PEREZ, <ch...@novazur.fr> wrote:
Seems I just needed a line added in policy: sshok all CONTINUE
On Saturday, 07 October 2023 at 19:24 -0400, Christophe PEREZ wrote:
Now that I have finally managed to activate the dynamic zones, I
would like to be able to use them to allow ssh access to my FW on
the fly.
I only have one interface: eth0
zones:
fw firewall
net ipv4
sshok:net ipv4 dynamic_shared
hosts:
sshok eth0:dynamic
policy:
net all DROP info
all all REJECT info
rules:
SSH(ACCEPT) net:+sshok fw
But my access is REJECTed:
Oct 8 01:17:20 myfw kernel: [2589.152380] sshok-fw REJECT IN=eth0
OUT=
MAC=fa:16:3e:77:ac:2a:2a:9c:dc:33:c6:4b:08:00 SRC=ssh_client_IP
DST=fw_ip LEN=60 TOS=0x00 PREC=0x00 TTL=42 ID=5951 DF PROTO=TCP
SPT=29346 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
What is my mistake please?
_______________________________________________
Shorewall-users mailing list
Shorewall-us...@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
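For reference, here is what the configuration looks like once the advice in this thread is put together: the dynamic "sshok" zone nested in "net", CONTINUE policies in both directions so that "net" rules still apply to addresses added to "sshok", and the $FW entry first. This is an added example assembled from the thread, not a configuration posted by any of the participants; the file paths are the standard Shorewall locations and the zone names are the ones used above.

```shorewall
# /etc/shorewall/zones
#ZONE        TYPE      OPTIONS
fw           firewall
net          ipv4
sshok:net    ipv4      dynamic_shared   # sshok is a child (subzone) of net

# /etc/shorewall/hosts
#ZONE   HOSTS          OPTIONS
sshok   eth0:dynamic                    # members are added at run time with "shorewall add"

# /etc/shorewall/policy
# First match wins, so the CONTINUE entries must come before any DROP/REJECT.
#SOURCE   DEST    POLICY     LOG_LEVEL
$FW       all     ACCEPT                # the firewall itself may reach anything
sshok     all     CONTINUE              # fall through to the parent zone's (net) rules
all       sshok   CONTINUE              # likewise for traffic towards sshok members
net       all     DROP       info
all       all     REJECT     info

# /etc/shorewall/rules
#ACTION        SOURCE   DEST
SSH(ACCEPT)    sshok    fw              # only dynamic members get ssh
Web(ACCEPT)    net      fw              # still reaches sshok members via CONTINUE
```

With this in place an address added with "shorewall add sshok <address>" is accepted on port 22 by the sshok rule, and, because the sshok->fw policy is CONTINUE rather than REJECT, its web traffic is then evaluated against the net rules instead of being refused. Without the two CONTINUE lines, the "all all REJECT" policy would match right after the sshok rules, which is exactly the behaviour described earlier in the thread. The alternative of listing both zones in the rule ("Web(ACCEPT) net,sshok fw") works too but has to be repeated for every rule the sub-zone should inherit.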