Shorewall and CONTINUE policy

Discussion in 'Linux Networking' started by chris-usenet, Sep 26, 2005.

  1. chris-usenet

    chris-usenet Guest

    Shorewall on debian/sarge, versions 2.2.3 and 2.4.1.

    I've got a general purpose DMZ network on an extra interface, with 15 IP
    addresses (.1 through .15). I want to have specific zones for specific
    groups of machines, with a general set of fall-back rules for the DMZ as
    a whole.

    My zones are thus (syntactic sugar equating to actual entries in the
    zones and hosts files):

    z_tst eth2:10.1.30.1-10.1.30.4 # Subset of DMZ .1 - .4
    dmz eth2 # DMZ .1 - .15
    loc eth1 # Local network
    net eth0 # Everyone "out there"

    and the policies are thus:

    z_tst all CONTINUE # Use policy/rules for "dmz"
    all z_tst CONTINUE # Use policy/rules for "dmz"

    dmz all REJECT
    all dmz REJECT

    Here are some sample rules (for the purposes of this post):

    ACCEPT all z_tst tcp 22

    ACCEPT dmz loc tcp 53
    ACCEPT dmz loc udp 53
    ACCEPT all dmz icmp echo-request

    In this situation, I thought that the CONTINUE policy for z_tst would
    mean that the dmz rules would also be applied, so I wouldn't need to
    repeat them for the z_tst subsection of the dmz network.

    However, what I get is that the z_tst rule for tcp/22 works, but that
    the icmp echo-request (ping) doesn't work. If I copy that last rule so
    that it explicitly states z_tst instead of dmz, then ping also works:

    ACCEPT all z_tst icmp echo-request

    Have I really misunderstood CONTINUE, or is there something else not
    quite right here?

    Many thanks,
    Chris
     
    chris-usenet, Sep 26, 2005
    #1

  2. chris-usenet

    Bit Twister Guest

    Bit Twister, Sep 26, 2005
    #2

  3. chris-usenet

    chris-usenet Guest

    Have I really misunderstood CONTINUE, or is there something else not
    It's where I started, long before I posted. Oh, and for the record, yes
    I've also googled.

    Chris
     
    chris-usenet, Sep 26, 2005
    #3
  4. chris-usenet

    Bit Twister Guest

    Bit Twister, Sep 26, 2005
    #4
  5. chris-usenet

    chris-usenet Guest

    Yes, and assuming I understand what the author intends by those two
    statements, I figure there may be a fault with the implementation of
    CONTINUE. However, I don't like starting with the premise that there's
    a fault, which is why I posted my question and example snippets of
    configuration files.

    Chris
     
    chris-usenet, Sep 27, 2005
    #5
  6. chris-usenet

    chris-usenet Guest

    For closure, I can report that the problem was staring me in the face.
    The documentation is correct, and it was an omission in my hosts file.
    Unfortunately these zone definitions were what I'd intended, not what
    I'd actually achieved, as I'd omitted the definition for net in this
    hosts file segment:

    #ZONE HOST(S) OPTIONS
    #
    loc eth0:10.0.0.0/12
    net eth0:0.0.0.0/0

    Chris
     
    chris-usenet, Oct 3, 2005
    #6
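A small Python model of the zone lookup the thread is about, added here as an illustration and not Shorewall's own code. It assumes a simplified evaluation order (the sub-zone pair is tried first, a CONTINUE policy falls through to the parent zone's rules and policy, and a host that belongs to no zone matches neither an `all` rule nor any policy) and uses the addresses from the first post; the constructed hosts table deliberately leaves out the `net` entry to reproduce the omission reported in the final post.

```python
import ipaddress

# Constructed hosts table (not a real /etc/shorewall/hosts file):
# zone -> (interface, list of networks). "net" is intentionally absent.
HOSTS = {
    "z_tst": ("eth2", ["10.1.30.1/32", "10.1.30.2/32", "10.1.30.3/32", "10.1.30.4/32"]),
    "dmz":   ("eth2", ["10.1.30.0/28"]),        # DMZ .1 - .15
    "loc":   ("eth1", ["10.0.0.0/12"]),         # local network
}
ZONE_ORDER = ["z_tst", "dmz", "loc", "net"]     # sub-zone listed before its parent

# Policies and rules as posted: (source, dest, action) / (action, src, dst, proto, port)
POLICIES = [("z_tst", "all", "CONTINUE"), ("all", "z_tst", "CONTINUE"),
            ("dmz", "all", "REJECT"), ("all", "dmz", "REJECT")]
RULES = [("ACCEPT", "all", "z_tst", "tcp", 22),
         ("ACCEPT", "dmz", "loc", "tcp", 53),
         ("ACCEPT", "dmz", "loc", "udp", 53),
         ("ACCEPT", "all", "dmz", "icmp", "echo-request")]

def zones_of(hosts, iface, ip):
    """Zones containing (iface, ip), most specific first. Empty if the host is in no zone."""
    addr = ipaddress.ip_address(ip)
    return [z for z in ZONE_ORDER if z in hosts and hosts[z][0] == iface
            and any(addr in ipaddress.ip_network(n) for n in hosts[z][1])]

def matches(zone, pattern):
    return pattern == "all" or pattern == zone

def decide(hosts, src, dst, proto, port):
    """src/dst are (iface, ip). Walk zone pairs from sub-zone to parent; a
    CONTINUE policy means 'no decision yet, try the next pair'."""
    src_zones, dst_zones = zones_of(hosts, *src), zones_of(hosts, *dst)
    if not src_zones or not dst_zones:
        return "DROP (host is in no zone)"   # no 'all' rule can match it
    for sz in src_zones:
        for dz in dst_zones:
            for action, s, d, p, pt in RULES:
                if matches(sz, s) and matches(dz, d) and (p, pt) == (proto, port):
                    return action
            for s, d, action in POLICIES:
                if matches(sz, s) and matches(dz, d):
                    if action != "CONTINUE":
                        return action
                    break                     # fall through to the parent pair
    return "DROP (no policy)"
```

Adding `net=("eth0", ["0.0.0.0/0"])` to the table is enough for a ping from an outside address to reach the `all dmz icmp` rule via the `all z_tst CONTINUE` policy.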