Explain how to combine the loc and fw zones

2025-01-22 13:39:06 +01:00 · 2009-08-16 10:17:48 -07:00 · 2009-08-16 10:17:48 -07:00 · 400a1ed647
commit 400a1ed647
parent 0557148bec
2 changed files with 20 additions and 4 deletions
--- a/docs/three-interface.xml
+++ b/docs/three-interface.xml
@ -350,6 +350,14 @@ $FW        net         ACCEPT</programlisting>
    those policies should be <ulink url="shorewall_logging.html">logged at
    that level</ulink>.</para>

+    <para>Some people want to consider their firewall to be part of their
+    local network from a security perspective. If you want to do this, add
+    these two policies:</para>
+
+    <programlisting>#SOURCE    DEST        POLICY      LOG LEVEL    LIMIT:BURST
+loc        $FW         ACCEPT
+$FW        loc         ACCEPT</programlisting>
+
    <para>It is important to note that Shorewall policies (and rules) refer to
    <emphasis role="bold">connections</emphasis> and not packet flow. With the
    policies defined in the <filename
@ -1127,4 +1135,4 @@ ACCEPT    net       $FW                 tcp        80       </programlisting><it
    url="starting_and_stopping_shorewall.htm">Operating Shorewall and
    Shorewall Lite</ulink> contains a lot of useful operational hints.</para>
  </section>
-</article>
+</article>
--- a/docs/two-interface.xml
+++ b/docs/two-interface.xml
@ -323,8 +323,6 @@ $FW        net         ACCEPT</programlisting> The above policy will:
    rejected under those policies should be <ulink
    url="shorewall_logging.html">logged at that level</ulink>.</para>

-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
-
    <para>It is important to note that Shorewall policies (and rules) refer to
    <emphasis role="bold">connections</emphasis> and not packet flow. With the
    policies defined in the <filename
@ -333,6 +331,16 @@ $FW        net         ACCEPT</programlisting> The above policy will:
    <emphasis>net</emphasis> zone even though connections are not allowed from
    the <emphasis>loc</emphasis> zone to the firewall itself.</para>

+    <para>Some people want to consider their firewall to be part of their
+    local network from a security perspective. If you want to do this, add
+    these two policies:</para>
+
+    <programlisting>#SOURCE    DEST        POLICY      LOG LEVEL    LIMIT:BURST
+loc        $FW         ACCEPT
+$FW        loc         ACCEPT</programlisting>
+
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+
    <para>At this point, edit your <filename
    class="directory">/etc/shorewall/</filename><filename>policy</filename>
    and make any changes that you wish.</para>
@ -1134,4 +1142,4 @@ eth0                 wlan0</programlisting>
    requires the rules listed in the <ulink url="samba.htm">Shorewall/Samba
    documentation</ulink>.</para>
  </section>
-</article>
+</article>