Explain how to combine the loc and fw zones

This commit is contained in:
Tom Eastep 2009-08-16 10:17:48 -07:00
parent 0557148bec
commit 400a1ed647
2 changed files with 20 additions and 4 deletions

View File

@ -350,6 +350,14 @@ $FW net ACCEPT</programlisting>
those policies should be <ulink url="shorewall_logging.html">logged at those policies should be <ulink url="shorewall_logging.html">logged at
that level</ulink>.</para> that level</ulink>.</para>
<para>Some people want to consider their firewall to be part of their
local network from a security perspective. If you want to do this, add
these two policies:</para>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc $FW ACCEPT
$FW loc ACCEPT</programlisting>
<para>It is important to note that Shorewall policies (and rules) refer to <para>It is important to note that Shorewall policies (and rules) refer to
<emphasis role="bold">connections</emphasis> and not packet flow. With the <emphasis role="bold">connections</emphasis> and not packet flow. With the
policies defined in the <filename policies defined in the <filename
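Review bot: The new paragraph gives the motivation ("part of their local network from a security perspective") but not the consequence of the two policies it adds: `loc $FW ACCEPT` lets every host in loc open connections to every service the firewall itself listens on, so a compromised local machine gets the same reach into the firewall as the administrator's workstation. Suggest one sentence after the listing stating that trade-off, and one saying where in the policy file the two entries belong relative to the existing ones (the listing just above ends with `$FW net ACCEPT`), since "add these two policies" leaves placement to the reader.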
@ -1127,4 +1135,4 @@ ACCEPT net $FW tcp 80 </programlisting><it
url="starting_and_stopping_shorewall.htm">Operating Shorewall and url="starting_and_stopping_shorewall.htm">Operating Shorewall and
Shorewall Lite</ulink> contains a lot of useful operational hints.</para> Shorewall Lite</ulink> contains a lot of useful operational hints.</para>
</section> </section>
</article> </article>

View File

@ -323,8 +323,6 @@ $FW net ACCEPT</programlisting> The above policy will:
rejected under those policies should be <ulink rejected under those policies should be <ulink
url="shorewall_logging.html">logged at that level</ulink>.</para> url="shorewall_logging.html">logged at that level</ulink>.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para>It is important to note that Shorewall policies (and rules) refer to <para>It is important to note that Shorewall policies (and rules) refer to
<emphasis role="bold">connections</emphasis> and not packet flow. With the <emphasis role="bold">connections</emphasis> and not packet flow. With the
policies defined in the <filename policies defined in the <filename
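Review bot: This hunk removes the `<inlinegraphic fileref="images/BD21298_.gif" format="GIF" />` separator paragraph between the logging paragraph and the "connections and not packet flow" paragraph, and the following hunk re-adds the same paragraph after the new listing, so this is a move rather than a deletion. The commit message only mentions the loc/fw explanation; worth a note there that the separator graphic was relocated, so nobody later reads the removal as dropping an image.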
@ -333,6 +331,16 @@ $FW net ACCEPT</programlisting> The above policy will:
<emphasis>net</emphasis> zone even though connections are not allowed from <emphasis>net</emphasis> zone even though connections are not allowed from
the <emphasis>loc</emphasis> zone to the firewall itself.</para> the <emphasis>loc</emphasis> zone to the firewall itself.</para>
<para>Some people want to consider their firewall to be part of their
local network from a security perspective. If you want to do this, add
these two policies:</para>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc $FW ACCEPT
$FW loc ACCEPT</programlisting>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para>At this point, edit your <filename <para>At this point, edit your <filename
class="directory">/etc/shorewall/</filename><filename>policy</filename> class="directory">/etc/shorewall/</filename><filename>policy</filename>
and make any changes that you wish.</para> and make any changes that you wish.</para>
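Review bot: The context line directly above the insertion says connections "are not allowed from the <emphasis>loc</emphasis> zone to the firewall itself", and the new paragraph then tells the reader to add `loc $FW ACCEPT` without saying that this replaces that default. Suggest wording along the lines of "If you want to do this, add these two policies, which replace the default loc-to-firewall behaviour described above:" so the two statements do not read as contradictory. The added paragraph and listing are also a verbatim copy of the ones added in the first file of this commit; if the wording is tightened in one place it should be tightened in both.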
@ -1134,4 +1142,4 @@ eth0 wlan0</programlisting>
requires the rules listed in the <ulink url="samba.htm">Shorewall/Samba requires the rules listed in the <ulink url="samba.htm">Shorewall/Samba
documentation</ulink>.</para> documentation</ulink>.</para>
</section> </section>
</article> </article>