Make intra-zone policies more rational

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2522 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-08-18 21:39:30 +00:00
parent e4433f4b8f
commit e130bc9f60
4 changed files with 31 additions and 3 deletions

@ -9,6 +9,8 @@ Changes in 2.5.3
4) Allow exclusion lists in actions.
5) Make intra-zone policies more rational.
Changes in 2.5.2
1) Allow port lists in /etc/sorewall/accounting.
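Review bot: the context line "Allow port lists in /etc/sorewall/accounting" misspells the path; it should be /etc/shorewall/accounting. It is a pre-existing typo in the 2.5.2 entry rather than part of this change, but the changelog is being touched anyway, so it is worth correcting in the same commit.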

@ -1480,8 +1480,12 @@ validate_policy()
chain=${client}2${server}
if is_policy_chain $chain ; then
if eval test \$${chain}_is_optional = Yes ; then
eval ${chain}_is_optional=
else
startup_error "Duplicate policy: $client $server $policy"
fi
fi
[ "x$loglevel" = "x-" ] && loglevel=
[ "x$synparms" = "x-" ] && synparms=
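Review bot: `eval test \$${chain}_is_optional = Yes` expands to the malformed expression `test = Yes` whenever the flag variable is unset, so the branch depends on how the shell's `test` handles a two-argument form rather than on a clean false. Quote the expansion, e.g. `eval test \"\$${chain}_is_optional\" = Yes`, so an unset flag compares as an empty string and the duplicate check falls through to `startup_error "Duplicate policy: $client $server $policy"` as intended. It would also help to add a one-line comment above the `if` saying that a pre-defined intra-zone policy is marked optional and may be replaced by exactly one explicit entry, which is the rule the new policy-file comments describe.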

@ -13,8 +13,10 @@
# INTRA-ZONE POLICIES ARE PRE-DEFINED
#
# For $FW and for all of the zoned defined in /etc/shorewall/zones,
# the POLICY for connections from the zone to itself is ACCEPT and may
# not be modified by entries in this file.
# the POLICY for connections from the zone to itself is ACCEPT (with no
# logging or TCP connection rate limiting but may be overridden by an
# entry in this file. The overriding entry must be explicit (cannot use
# "all" in the SOURCE or DEST).
#
# Columns are:
#
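Review bot: the parenthesis opened in the new comment text is never closed: "ACCEPT (with no logging or TCP connection rate limiting but may be overridden by an entry in this file" should read "ACCEPT (with no logging or TCP connection rate limiting) but may be overridden by an entry in this file". The unchanged context line above it also misspells "zones" as "zoned"; since the block is being rewritten, fix both in this edit.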

@ -17,6 +17,26 @@ New Features in Shorewall 2.5.3
scripts. The value of this variable is sometimes of interest to
programmers providing custom /etc/shorewall/tcstart scripts.
4) Previously, if you defined any intra-zone rule(s) then any traffic
not matching the rule(s) was subject to normal policies (which
usually turned out to involve the all->all REJECT policy). Now, the
intra-zone ACCEPT policy will still be in effect in the presense of
intra-zone rules. That policy can still be overridden by an
explicit policy in your /etc/shorewall/policy file.
Example:
/etc/shorewall/rules:
DNAT fw loc:192.168.1.4:3128 tcp 80
Any other fw->fw traffic will still be accepted. If you want to
also log that fw->fw traffic at the info log level then add this to
/etc/shorewall/policy:
#SOURCE DEST POLICY LOG LEVEL
fw fw ACCEPT info
Problems Corrected in 2.5.2:
1) You may now include port lists in in the /etc/shorewall/accounting
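Review bot: "presense" in the new item 4 should be "presence", and the context line for 2.5.2 item 1 doubles "in" ("port lists in in the"). In the example, the sentence "Any other fw->fw traffic will still be accepted" would be clearer if it first said that the DNAT rule is the intra-zone rule being referred to, so the reader sees why the fw->fw ACCEPT policy is the one that now remains in effect; the policy-file example that follows is otherwise a good illustration of the explicit override described in item 4.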