Shorewall and CONTINUE policy

    chris-usenet Guest

    Shorewall on debian/sarge, versions 2.2.3 and 2.4.1.

    I've got a general purpose DMZ network on an extra interface, with 15 IP
    addresses (.1 through .15). I want to have specific zones for specific
    groups of machines, with a general set of fall-back rules for the DMZ as
    a whole.

    My zones are thus (syntactic sugar equating to actual entries in the
    zones and hosts files):

    z_tst eth2: # Subset of DMZ .1 - .4
    dmz eth2 # DMZ .1 - .15
    loc eth1 # Local network
    net eth0 # Everyone "out there"

    and the policies are thus:

    z_tst all CONTINUE # Use policy/rules for "dmz"
    all z_tst CONTINUE # Use policy/rules for "dmz"

    dmz all REJECT
    all dmz REJECT

    Here are some sample rules (for the purposes of this post):

    ACCEPT all z_tst tcp 22

    ACCEPT dmz loc tcp 53
    ACCEPT dmz loc udp 53
    ACCEPT all dmz icmp echo-request

    In this situation, I thought that the CONTINUE policy for z_tst would
    mean that the dmz rules would also be applied, so I wouldn't need to
    repeat them for the z_tst subsection of the dmz network.

    However, what I get is that the z_tst rule for tcp/22 works, but that
    the icmp echo-request (ping) doesn't work. If I copy that last rule so
    that it explicitly states z_tst instead of dmz, then ping also works:

    ACCEPT all z_tst icmp echo-request

    Have I really misunderstood CONTINUE, or is there something else not
    quite right here?

    Many thanks,
    chris-usenet, Sep 26, 2005
    Bit Twister

    Bit Twister, Sep 26, 2005
    chris-usenet Guest

    Have I really misunderstood CONTINUE, or is there something else not

    It's where I started, long before I posted. Oh, and for the record, yes
    I've also googled.

    chris-usenet, Sep 26, 2005
    Bit Twister

    Bit Twister, Sep 26, 2005
    chris-usenet Guest

    Yes, and assuming I understand what the author intends by those two
    statements, I figure there may be a fault with the implementation of
    CONTINUE. However, I don't like starting with the premise that there's
    a fault, which is why I posted my question and example snippets of
    configuration files.

    chris-usenet, Sep 27, 2005
    chris-usenet Guest

    For closure, I can report that the problem was staring me in the face.
    The documentation is correct, and it was an omission in my hosts file.
    Unfortunately these zone definitions were what I'd intended, not what
    I'd actually achieved, as I'd omitted the definition for net in this
    hosts file segment:

    loc eth0:
    net eth0:

    chris-usenet, Oct 3, 2005
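    As an added illustration (not the poster's own files), here is the nested-zone layout from the opening post written out as concrete Shorewall 2.x entries, with the net and loc zones actually bound to their interfaces so that the "all" policies and rules really cover traffic arriving from eth0 and eth1. Addresses are constructed (DMZ on 10.0.2.0/28, sub-zone z_tst = .1 through .4); the sub-zone is listed before its parent in the zones file, as nested zones require, and the CONTINUE policies let z_tst traffic fall through to the dmz rules and policies.

```text
# /etc/shorewall/zones  (Shorewall 2.x layout: ZONE DISPLAY COMMENTS)
# A sub-zone must be listed before the zone it is nested in.
#ZONE   DISPLAY   COMMENTS
z_tst   Test      DMZ subset, .1 through .4
dmz     DMZ       Whole DMZ, .1 through .15
loc     Local     Local network
net     Net       Everyone "out there"

# /etc/shorewall/interfaces
# net and loc are bound here; eth2 gets "-" because its zones
# are carved out in the hosts file below.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     eth1        detect
-       eth2        detect

# /etc/shorewall/hosts
#ZONE   HOST(S)                                    OPTIONS
z_tst   eth2:10.0.2.1,10.0.2.2,10.0.2.3,10.0.2.4
dmz     eth2:10.0.2.0/28

# /etc/shorewall/policy  (first match wins, top to bottom)
# CONTINUE: no decision for z_tst here; the packet goes on to be
# matched as dmz traffic (dmz rules, then the dmz policy).
#SOURCE   DEST    POLICY     LOG LEVEL
z_tst     all     CONTINUE
all       z_tst   CONTINUE
dmz       all     REJECT     info
all       dmz     REJECT     info
loc       net     ACCEPT
net       all     DROP       info
all       all     REJECT     info

# /etc/shorewall/rules
# Only the z_tst-specific exception is written against z_tst;
# everything the whole DMZ needs is written once against dmz.
#ACTION   SOURCE   DEST    PROTO   DEST PORT(S)
ACCEPT    all      z_tst   tcp     22
ACCEPT    dmz      loc     tcp     53
ACCEPT    dmz      loc     udp     53
ACCEPT    all      dmz     icmp    echo-request
```

    Run `shorewall check` after editing and before `shorewall restart`; it will flag a zone that is named in policy or rules but never bound to an interface or hosts entry, which is the kind of omission this thread ended on.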
