Sorry I did not include the content of policy file. In the policy file, it has:
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:   CONNLIMIT:
$FW       net    ACCEPT
net       all    DROP     info
all       all    DROP     info
From the doc, is it supposed that the rules file is checked first, then the policy file?
"For each connection request entering the firewall, the request is first checked against the /etc/shorewall/rules file. If no rule in that file matches the connection request then the first policy in /etc/shorewall/policy that matches the request is applied."
From: Paul Gear [mailto:paul@...]
Sent: Tuesday, July 17, 2012 5:06 PM
Subject: Re: [Shorewall-users] Policies for one interface
On 18/07/12 01:52, Ruiyuan Jiang wrote:
> I am new to shorewall and I am trying to set up shorewall (v18.104.22.168) on a Redhat host to protect itself. As a test, I would set up a policy to allow corporate hosts to access the Redhat host through ssh, but not the rest. From the host, it can initiate all traffic out.
> I modified hosts, zones and rules files in /etc/shorewall:
> After I started shorewall, I noticed that the policy is "DROP" not "ACCEPT" from corp to fw. Why? Thanks.
> [root@... shorewall]# shorewall show policies
> Shorewall 22.214.171.124 Policies at dmz1.corp.com - Tue Jul 17 11:47:54 EDT 2012
> fw => net ACCEPT using chain fw2net
> fw => corp DROP using chain fw2corp
> net => fw DROP using chain net2fw
> net => corp DROP using chain net2corp
> corp => fw DROP using chain corp2fw
> corp => net DROP using chain corp2net
> [root@... shorewall]#
Shorewall won't start without a policy covering each interface
combination, so you must also have something relevant in the policies
file - what is it?
I think you may be misunderstanding the policies and rules distinction.
It might be worth reviewing the information about them in
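The lookup order quoted from the documentation above (rules file first, then the first matching policy) and the policy/rules distinction Paul points at can be modelled in a few lines. The following is an added example written for this thread, not Shorewall's own code: it parses policy lines in the same three-to-four column layout as the post, assumes the three zones from the `shorewall show policies` output (fw, net, corp) and one hypothetical rules entry (corp may reach $FW on tcp/22), and shows that the DROP printed for corp => fw comes purely from the policy table while an ssh request from corp is still ACCEPTed by the rule. All inputs are constructed.

```python
# Toy model of Shorewall's lookup order for a new connection request.
# Constructed example for the thread above, not Shorewall code.
from dataclasses import dataclass
from itertools import permutations
from typing import List, Optional, Tuple

FW_ZONE = "fw"                     # zone name Shorewall prints for the firewall itself
ZONES = ["fw", "net", "corp"]      # assumed zones, matching the output in the thread


@dataclass(frozen=True)
class Request:
    src_zone: str
    dst_zone: str
    proto: str = "tcp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                     # ACCEPT / DROP / REJECT
    source: str                     # zone name, $FW, or "all"
    dest: str
    proto: str = "-"                # "-" means any protocol
    dport: Optional[int] = None     # None means any port


@dataclass(frozen=True)
class Policy:
    source: str
    dest: str
    action: str
    log: str = "-"


def zone_matches(pattern: str, zone: str) -> bool:
    """'all' matches any zone; '$FW' is Shorewall's alias for the firewall zone."""
    if pattern == "all":
        return True
    if pattern == "$FW":
        pattern = FW_ZONE
    return pattern == zone


def parse_policy(text: str) -> List[Policy]:
    """Parse SOURCE DEST POLICY [LOG LEVEL] columns; '#' starts a comment."""
    policies = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:
            raise ValueError(f"malformed policy line: {line!r}")
        log = cols[3] if len(cols) > 3 else "-"
        policies.append(Policy(cols[0], cols[1], cols[2], log))
    return policies


def rule_matches(r: Rule, req: Request) -> bool:
    return (zone_matches(r.source, req.src_zone)
            and zone_matches(r.dest, req.dst_zone)
            and r.proto in ("-", req.proto)
            and r.dport in (None, req.dport))


def policy_matches(p: Policy, req: Request) -> bool:
    return zone_matches(p.source, req.src_zone) and zone_matches(p.dest, req.dst_zone)


def decide(req: Request, rules: List[Rule], policies: List[Policy]) -> Tuple[str, str]:
    """Rules are consulted first (first match wins); only then the first matching policy."""
    for r in rules:
        if rule_matches(r, req):
            return r.action, "rule"
    for p in policies:
        if policy_matches(p, req):
            return p.action, "policy"
    # Shorewall refuses to start when a zone pair has no policy at all.
    raise ValueError(f"no policy covers {req.src_zone}->{req.dst_zone}")


def show_policies(zones: List[str], policies: List[Policy]) -> dict:
    """Emulate 'shorewall show policies': policy verdict per ordered zone pair, rules ignored."""
    return {(s, d): decide(Request(s, d), [], policies)[0]
            for s, d in permutations(zones, 2)}


# Constructed policy file mirroring the one quoted in the thread.
POLICY_FILE = """\
#SOURCE   DEST   POLICY   LOG LEVEL
$FW       net    ACCEPT
net       all    DROP     info
all       all    DROP     info
"""
# Hypothetical rules entry: corporate hosts may reach the firewall on ssh.
RULES = [Rule("ACCEPT", "corp", "$FW", "tcp", 22)]

if __name__ == "__main__":
    pols = parse_policy(POLICY_FILE)
    for (s, d), verdict in show_policies(ZONES, pols).items():
        print(f"{s} => {d} {verdict}")                       # corp => fw DROP, as in the thread
    print(decide(Request("corp", "fw", "tcp", 22), RULES, pols))   # ('ACCEPT', 'rule')
    print(decide(Request("corp", "fw", "tcp", 80), RULES, pols))   # ('DROP', 'policy')
```

The table printed by `show_policies` reproduces the six lines of the `shorewall show policies` output from the policy file alone; the per-request `decide` call is where the rules file takes precedence, which is why a DROP policy for corp => fw does not contradict an ACCEPT rule for ssh from corp.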
Shorewall-users mailing list