Add note about connections vs. packet flow in the multi-interface QuickStart Guides

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2986 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-11-10 18:45:06 +00:00
parent d81ff4ab20
commit 12c0c5b40c
2 changed files with 19 additions and 3 deletions

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-12-02</pubdate> <pubdate>2005-11-10</pubdate>
<copyright> <copyright>
<year>2002-2005</year> <year>2002-2005</year>
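Review bot: the pre-change pubdate 2005-12-02 postdates this commit (2005-11-10 per the author line above), so resetting it to 2005-11-10 is a correction of a future-dated value, not just a bump; the second guide's pubdate moves to the same date, which keeps the two multi-interface guides in step.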
@ -312,6 +312,14 @@ $FW net ACCEPT</programlisting>
</listitem> </listitem>
</orderedlist> </orderedlist>
<para>It is important to note that Shorewall policies (and rules) refer to
<emphasis role="bold">connections</emphasis> and not packet flow. With the
policies defined in the <filename
class="directory">/etc/shorewall/policy</filename> file shown above,
connections are allowed from the <emphasis>loc</emphasis> zone to the
<emphasis>net</emphasis> zone even though connections are not allowed from
the <emphasis>loc</emphasis> zone to the firewall itself.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para>At this point, edit your <filename>/etc/shorewall/policy</filename> <para>At this point, edit your <filename>/etc/shorewall/policy</filename>
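Review bot: the `class="directory"` attribute on the new `<filename class="directory">/etc/shorewall/policy</filename>` is wrong for a regular file; the existing reference on the very next line uses plain `<filename>/etc/shorewall/policy</filename>`, so match that. On wording, the paragraph states the consequence ("connections are allowed from loc to net even though connections are not allowed from loc to the firewall itself") without the reason; one clause would close the gap, e.g. "because the connection's endpoints are loc and net, the loc-to-$FW policy does not apply even though every packet of that connection passes through the firewall host." That is the connections-versus-packet-flow point the commit message promises.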

View File

@ -12,7 +12,7 @@
<surname>Eastep</surname> <surname>Eastep</surname>
</author> </author>
<pubdate>2005-11-02</pubdate> <pubdate>2005-11-10</pubdate>
<copyright> <copyright>
<year>2002-</year> <year>2002-</year>
@ -260,7 +260,7 @@ loc ipv4</programlisting>Zones are defined in the <ulink
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST <programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT loc net ACCEPT
net all DROP info net all DROP info
all all REJECT info</programlisting> In the two-interface all all REJECT info</programlisting>In the two-interface
sample, the line below is included but commented out. If you want your sample, the line below is included but commented out. If you want your
firewall system to have full access to servers on the internet, uncomment firewall system to have full access to servers on the internet, uncomment
that line. <programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST that line. <programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
@ -287,6 +287,14 @@ $FW net ACCEPT</programlisting> The above policy will:
</itemizedlist> <inlinegraphic fileref="images/BD21298_.gif" </itemizedlist> <inlinegraphic fileref="images/BD21298_.gif"
format="GIF" /></para> format="GIF" /></para>
<para>It is important to note that Shorewall policies (and rules) refer to
<emphasis role="bold">connections</emphasis> and not packet flow. With the
policies defined in the <filename
class="directory">/etc/shorewall/policy</filename> file shown above,
connections are allowed from the <emphasis>loc</emphasis> zone to the
<emphasis>net</emphasis> zone even though connections are not allowed from
the <emphasis>loc</emphasis> zone to the firewall itself.</para>
<para>At this point, edit your <filename <para>At this point, edit your <filename
class="directory">/etc/shorewall/</filename><filename>policy</filename> class="directory">/etc/shorewall/</filename><filename>policy</filename>
and make any changes that you wish.</para> and make any changes that you wish.</para>
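Review bot: same markup issue as in the other guide: `<filename class="directory">/etc/shorewall/policy</filename>` marks a file as a directory, and the next line of this very hunk already shows the house style, `<filename class="directory">/etc/shorewall/</filename><filename>policy</filename>`, so reuse that split. On substance, since the policy table in the previous hunk has `net all DROP info`, the note would be more useful if it also covered the reply direction: reply packets from net to loc are accepted as part of the `loc net ACCEPT` connection, even though a new connection from net to loc would be dropped. That is the same connections-not-packets distinction, stated from the side readers most often trip over.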