[Shorewall-users] Policy Rules not working as expected

Paul Gear paulgear@bigfoot.com
Thu, 25 Apr 2002 19:48:24 +1000


nowak@ebi-service.de wrote:

> ...
> And my policy file looks like this:
> ...
> all             all             REJECT          info
> ....
> The strange thing is that when I start shorewall this message is generated:
>
> Processing /etc/shorewall/policy...
>    Policy REJECT for fw to net.
>    Policy DROP for net to fw.
>    Policy DROP for net to dinslaken.
>    Policy REJECT for dinslaken to fw.
>    Policy REJECT for dinslaken to net.
>    Policy REJECT for moers to net.
>    Policy REJECT for dortmund to net.
>    Policy REJECT for pdv to net.
>    Policy REJECT for token to net.
>
> Why is the Policy REJECT??? And why is it logged?

The answer to this is in *big red letters* in the shorewall documentation:

WARNING:

The firewall script processes the /etc/shorewall/policy file from top to bottom
and uses the first applicable policy that it finds. For example, in the
following policy file, the policy for (loc, loc) connections would be ACCEPT as
specified in the first entry even though the third entry in the file
specifies REJECT.

So your answer is: Because of the all -> all rule.  Put it *below* the other
policies and it should work.

Paul
http://paulgear.webhop.net
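A small first-match resolver, added here as an illustration (not code from the original post or from Shorewall itself): it reads two constructed policy files, one with the `all all REJECT` line at the top as in the question and one with it moved to the bottom, and shows which entry Shorewall's top-to-bottom lookup would select and which entries can never match. The format assumed is SOURCE DEST POLICY [LOG_LEVEL] with `all` as a wildcard zone.

```python
# Added example: first-match resolver over a constructed policy file (not Shorewall code).
# Constructed sample: the all->all line placed FIRST, as in the original post.
POLICY_FIRST = """\
# SOURCE     DEST    POLICY   LOG_LEVEL
all          all     REJECT   info
fw           net     ACCEPT
dinslaken    net     ACCEPT
"""

# Constructed sample: same entries, all->all moved to the bottom.
POLICY_LAST = """\
fw           net     ACCEPT
dinslaken    net     ACCEPT
all          all     REJECT   info
"""

def parse_policy(text):
    """Parse policy lines into (src, dst, policy, log_level) tuples, in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        src, dst, policy = fields[:3]
        log_level = fields[3] if len(fields) > 3 else None
        entries.append((src, dst, policy, log_level))
    return entries

def covers(entry, src, dst):
    """True if this entry applies to a src->dst connection ("all" is a wildcard)."""
    return entry[0] in ("all", src) and entry[1] in ("all", dst)

def lookup(entries, src, dst):
    """Return (policy, log_level) of the FIRST applicable entry, top to bottom."""
    for entry in entries:
        if covers(entry, src, dst):
            return entry[2], entry[3]
    return None

def shadowed(entries):
    """Entries that can never be selected because an earlier entry already covers them."""
    dead = []
    for i, entry in enumerate(entries):
        if any(covers(earlier, entry[0], entry[1]) for earlier in entries[:i]):
            dead.append(entry)
    return dead
```

Running `shadowed()` over a policy file before restarting the firewall is a quick way to catch an `all all` line that has been placed above the policies it was meant to be a fallback for.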