Make intra-zone policies more rational

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2522 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-08-18 21:39:30 +00:00
parent e4433f4b8f
commit e130bc9f60
4 changed files with 31 additions and 3 deletions

@ -9,6 +9,8 @@ Changes in 2.5.3
4) Allow exclusion lists in actions. 4) Allow exclusion lists in actions.
5) Make intra-zone policies more rational.
Changes in 2.5.2 Changes in 2.5.2
1) Allow port lists in /etc/sorewall/accounting. 1) Allow port lists in /etc/sorewall/accounting.
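Review bot: the new changelog entry `5) Make intra-zone policies more rational.` states intent rather than behaviour; a reader of the changes file cannot tell what actually changed. Consider phrasing it the way the release notes in this commit do, e.g. that the intra-zone ACCEPT policy now stays in effect when intra-zone rules are defined and can be overridden by an explicit entry in /etc/shorewall/policy. While here, the unchanged context line `1) Allow port lists in /etc/sorewall/accounting.` carries a pre-existing typo (`sorewall` for `shorewall`).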

@ -1480,7 +1480,11 @@ validate_policy()
chain=${client}2${server} chain=${client}2${server}
if is_policy_chain $chain ; then if is_policy_chain $chain ; then
startup_error "Duplicate policy: $client $server $policy" if eval test \$${chain}_is_optional = Yes ; then
eval ${chain}_is_optional=
else
startup_error "Duplicate policy: $client $server $policy"
fi
fi fi
[ "x$loglevel" = "x-" ] && loglevel= [ "x$loglevel" = "x-" ] && loglevel=
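Review bot: the new test `if eval test \$${chain}_is_optional = Yes ; then` is not safe when `${chain}_is_optional` is unset or empty: after eval the command becomes `test = Yes`, which the shell reports as a malformed expression ("unary operator expected") instead of evaluating cleanly to false, so a genuine duplicate policy would print a spurious diagnostic before the intended `startup_error`. Quote the expansion inside the eval, e.g. `if eval test \"\$${chain}_is_optional\" = Yes ; then`, or compare with a prefix (`[ "x$(eval echo \$${chain}_is_optional)" = xYes ]`), so a missing flag simply reads as a non-optional duplicate. Clearing the flag with `eval ${chain}_is_optional=` on the first override is right: a second explicit entry for the same pair then falls through to the existing duplicate check as before.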

@ -13,8 +13,10 @@
# INTRA-ZONE POLICIES ARE PRE-DEFINED # INTRA-ZONE POLICIES ARE PRE-DEFINED
# #
# For $FW and for all of the zoned defined in /etc/shorewall/zones, # For $FW and for all of the zoned defined in /etc/shorewall/zones,
# the POLICY for connections from the zone to itself is ACCEPT and may # the POLICY for connections from the zone to itself is ACCEPT (with no
# not be modified by entries in this file. # logging or TCP connection rate limiting but may be overridden by an
# entry in this file. The overriding entry must be explicit (cannot use
# "all" in the SOURCE or DEST).
# #
# Columns are: # Columns are:
# #
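Review bot: the rewritten comment has an unbalanced parenthesis. `ACCEPT (with no` opens a parenthetical that is never closed, so the following line should read `# logging or TCP connection rate limiting) but may be overridden by an`. The unchanged context line `# For $FW and for all of the zoned defined in /etc/shorewall/zones,` also carries a pre-existing typo (`zoned` for `zones`) that could be fixed in the same edit.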

@ -17,6 +17,26 @@ New Features in Shorewall 2.5.3
scripts. The value of this variable is sometimes of interest to scripts. The value of this variable is sometimes of interest to
programmers providing custom /etc/shorewall/tcstart scripts. programmers providing custom /etc/shorewall/tcstart scripts.
4) Previously, if you defined any intra-zone rule(s) then any traffic
not matching the rule(s) was subject to normal policies (which
usually turned out to involve the all->all REJECT policy). Now, the
intra-zone ACCEPT policy will still be in effect in the presense of
intra-zone rules. That policy can still be overridden by an
explicit policy in your /etc/shorewall/policy file.
Example:
/etc/shorewall/rules:
DNAT fw loc:192.168.1.4:3128 tcp 80
Any other fw->fw traffic will still be accepted. If you want to
also log that fw->fw traffic at the info log level then add this to
/etc/shorewall/policy:
#SOURCE DEST POLICY LOG LEVEL
fw fw ACCEPT info
Problems Corrected in 2.5.2: Problems Corrected in 2.5.2:
1) You may now include port lists in in the /etc/shorewall/accounting 1) You may now include port lists in in the /etc/shorewall/accounting
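Review bot: `presense` in the new item 4 should be `presence`. The example is meant to show an intra-zone rule, but the rule given (`DNAT fw loc:192.168.1.4:3128 tcp 80`) has SOURCE `fw` and a DEST in `loc`, so on its face it does not read as fw->fw; either add a sentence explaining why it counts as intra-zone or use an example whose SOURCE and DEST are both `fw`, so the "Any other fw->fw traffic will still be accepted" sentence follows naturally. The unchanged context line `You may now include port lists in in the /etc/shorewall/accounting` has a duplicated `in`.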