Make intra-zone policies more rational

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2522 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-02-02 02:49:54 +01:00 · 2005-08-18 21:39:30 +00:00 · 2005-08-18 21:39:30 +00:00 · e130bc9f60
commit e130bc9f60
parent e4433f4b8f
4 changed files with 31 additions and 3 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -9,6 +9,8 @@ Changes in 2.5.3

 4) Allow exclusion lists in actions.

+5) Make intra-zone policies more rational.
+
 Changes in 2.5.2

 1) Allow port lists in /etc/sorewall/accounting.
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -1480,7 +1480,11 @@ validate_policy()
 	chain=${client}2${server}

 	if is_policy_chain $chain ; then
-	    startup_error "Duplicate policy: $client $server $policy"
+	    if eval test \$${chain}_is_optional = Yes ; then
+		eval ${chain}_is_optional=
+	    else
+		startup_error "Duplicate policy: $client $server $policy"
+	    fi
 	fi

 	[ "x$loglevel"  = "x-" ] && loglevel=
--- a/Shorewall/policy
+++ b/Shorewall/policy
@ -13,8 +13,10 @@
 #	                INTRA-ZONE POLICIES ARE PRE-DEFINED
 #
 #	For $FW and for all of the zoned defined in /etc/shorewall/zones,
-#	the POLICY for connections from the zone to itself is ACCEPT and may
-#	not be modified by entries in this file. 
+#	the POLICY for connections from the zone to itself is ACCEPT (with no
+#	logging or TCP connection rate limiting but may be overridden by an
+#	entry in this file. The overriding entry must be explicit (cannot use
+#	"all" in the SOURCE or DEST).
 #
 # Columns are:
 #
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -17,6 +17,26 @@ New Features in Shorewall 2.5.3
    scripts. The value of this variable is sometimes of interest to
    programmers providing custom /etc/shorewall/tcstart scripts.

+4)  Previously, if you defined any intra-zone rule(s) then any traffic
+    not matching the rule(s) was subject to normal policies (which
+    usually turned out to involve the all->all REJECT policy). Now, the
+    intra-zone ACCEPT policy will still be in effect in the presense of
+    intra-zone rules. That policy can still be overridden by an
+    explicit policy in your /etc/shorewall/policy file.
+
+    Example:
+
+    /etc/shorewall/rules:
+
+    DNAT	fw	 loc:192.168.1.4:3128	tcp	80
+
+    Any other fw->fw traffic will still be accepted. If you want to
+    also log that fw->fw traffic at the info log level then add this to
+    /etc/shorewall/policy:
+
+    #SOURCE	DEST	POLICY	LOG LEVEL
+    fw		fw	ACCEPT	info
+
 Problems Corrected in 2.5.2:

 1) You may now include port lists in in the /etc/shorewall/accounting