From: Tom E. <te...@sh...> - 2002-05-31 13:29:17

I've updated http://www.shorewall.net/myfiles.htm to include a whitelist.
This working example shows that it may be necessary to add additional
policies to make the whitelist work the way that you expect it to - it is
not sufficient to simply add a "whitelist->all ACCEPT" policy.

The Policy file at the above URL includes comments to explain why each of
the additional policies is needed.

Alain: I suspect that this is what you are seeing with your customer's
nested zone setup. I found that I initially had jumps to the "all2all"
chain that I was able to eliminate by adding these additional policies.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ te...@sh...
From: Tom E. <te...@sh...> - 2002-05-31 14:22:02

On Fri, 31 May 2002, Tom Eastep wrote:

> I've updated http://www.shorewall.net/myfiles.htm to include a whitelist.
> This working example shows that it may be necessary to add additional
> policies to make the whitelist work the way that you expect it to - it is
> not sufficient to simply add a "whitelist->all ACCEPT" policy.
>
> The Policy file at the above URL includes comments to explain why each of
> the additional policies are needed.
>
> Alain: I suspect that this is what you are seeing with your customer's
> nested zone setup. I found that I initially had jumps to the "all2all"
> chain that I was able to eliminate by adding these additional policies.
>

In 1.3.1 (which I will try to release over the weekend), this will become
a lot easier. If you have a whitelist zone "wl", you can just put the
following in /etc/shorewall/policy:

    wl    all    ACCEPT
    all   wl     CONTINUE

These rules are accepted by earlier versions of Shorewall but don't do the
correct thing; the 'all2wl' chain is optimized away and replaced with the
'all2all' chain (which of course doesn't do what you want).

For those of you who would like to give this a spin now, you need two files:

    ftp://ftp.shorewall.net/pub/shorewall/testing/firewall
    ftp://ftp.shorewall.net/pub/shorewall/testing/rfc1918

The 'rfc1918' file must be placed in /etc/shorewall. Follow the
instructions at http://www.shorewall.net/errata.htm for installing the
'firewall' file.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ te...@sh...
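The following Python script is an added illustration of the nested-zone behaviour discussed in this thread; it is not code from the thread or from Shorewall itself. It is a deliberately simplified model of policy lookup: a host that belongs to a sub-zone such as "wl" and its parent zone "loc" is evaluated against the sub-zone pair first, and a CONTINUE policy passes the connection on to the parent-zone pair, while within a single zone pair the first matching SOURCE/DEST line wins. The zone names (fw, loc, net, wl), the two sample policy files and that evaluation order are this example's assumptions; Shorewall's chain generation, /etc/shorewall/rules and interface/host resolution are not modelled. The script shows why "wl all ACCEPT" alone leaves traffic *to* a whitelisted host caught by the catch-all REJECT, and how the extra "all wl CONTINUE" line restores the parent zone's policies for that host.

```python
"""Simplified model of Shorewall policy lookup with a nested whitelist zone.

Added example, not Shorewall's own code. Assumption: for a host in zones
["wl", "loc"] (sub-zone first), the wl pair is consulted before the loc pair,
and a CONTINUE result moves evaluation on to the next pair.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    source: str
    dest: str
    action: str


def parse_policy(text: str) -> List[Policy]:
    """Parse the SOURCE, DEST and POLICY columns of a policy file.

    '#' comments and blank lines are skipped; extra columns (LOG LEVEL etc.)
    are ignored by this model."""
    policies = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        policies.append(Policy(cols[0], cols[1], cols[2].upper()))
    return policies


def first_match(policies: List[Policy], src: str, dst: str) -> Optional[Policy]:
    """First policy line whose SOURCE/DEST match the zone pair ('all' matches any)."""
    for p in policies:
        if p.source in (src, "all") and p.dest in (dst, "all"):
            return p
    return None


def decide(policies: List[Policy], src_zones: List[str],
           dst_zones: List[str]) -> Tuple[str, List[str]]:
    """Evaluate zone pairs most-specific first; CONTINUE falls through to the next pair.

    Returns the final action and a trace of the pairs consulted."""
    trace = []
    for s in src_zones:
        for d in dst_zones:
            p = first_match(policies, s, d)
            if p is None:
                trace.append(f"{s}->{d}: no policy")
                continue
            trace.append(f"{s}->{d}: matched '{p.source} {p.dest} {p.action}'")
            if p.action != "CONTINUE":
                return p.action, trace
    # Treated as a configuration error in this model (assumption); real
    # deployments carry an explicit 'all all' catch-all line.
    raise ValueError("no terminating policy for " + ", ".join(trace))


# Constructed sample: whitelist zone added with only a 'wl all ACCEPT' line.
WITHOUT_CONTINUE = """
wl    all   ACCEPT
loc   net   REJECT    # LAN hosts that are not whitelisted may not reach the net
fw    loc   ACCEPT
net   all   DROP
all   all   REJECT
"""

# Constructed sample: the pair of lines proposed for Shorewall 1.3.1.
WITH_CONTINUE = """
wl    all   ACCEPT
all   wl    CONTINUE  # hand traffic *to* whitelisted hosts on to the parent zone's policies
loc   net   REJECT
fw    loc   ACCEPT
net   all   DROP
all   all   REJECT
"""

WHITELISTED_HOST = ["wl", "loc"]   # nested: member of wl and of its parent loc


def compare() -> dict:
    """Run the same connections through both policy files; keyed by case name."""
    results = {}
    for name, text in (("without", WITHOUT_CONTINUE), ("with", WITH_CONTINUE)):
        pol = parse_policy(text)
        results[name] = {
            "wl_host_to_net": decide(pol, WHITELISTED_HOST, ["net"])[0],
            "fw_to_wl_host": decide(pol, ["fw"], WHITELISTED_HOST)[0],
            "net_to_wl_host": decide(pol, ["net"], WHITELISTED_HOST)[0],
            "plain_loc_to_net": decide(pol, ["loc"], ["net"])[0],
        }
    return results


if __name__ == "__main__":
    for name, text in (("without CONTINUE", WITHOUT_CONTINUE), ("with CONTINUE", WITH_CONTINUE)):
        action, trace = decide(parse_policy(text), ["fw"], WHITELISTED_HOST)
        print(f"{name}: fw -> whitelisted host = {action}")
        for step in trace:
            print("   ", step)
```

Without the CONTINUE line, the firewall's own traffic to a whitelisted host is evaluated only against the fw->wl pair, finds nothing more specific than "all all REJECT", and is refused even though "fw loc ACCEPT" is present; with it, the fw->wl pair continues to fw->loc and is accepted, while traffic from net to the same host still ends at "net all DROP".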