[Shorewall-users] Policy Rules not working as expected
Thu, 25 Apr 2002 19:48:24 +1000
> And my policy file looks like this:
> all    all    REJECT    info
> The strange thing is that when I start shorewall this message is generated:
> Processing /etc/shorewall/policy...
> Policy REJECT for fw to net.
> Policy DROP for net to fw.
> Policy DROP for net to dinslaken.
> Policy REJECT for dinslaken to fw.
> Policy REJECT for dinslaken to net.
> Policy REJECT for moers to net.
> Policy REJECT for dortmund to net.
> Policy REJECT for pdv to net.
> Policy REJECT for token to net.
> Why is the Policy REJECT??? And why is it logged?
The answer to this is in *big red letters* in the shorewall documentation:

The firewall script processes the /etc/shorewall/policy file from top to bottom
and uses the first applicable policy that it finds. For example, in the
following policy file, the policy for (loc, loc) connections would be ACCEPT as
specified in the first entry even though the third entry in the file

So your answer is: Because of the all -> all rule. Put it *below* the other
policies and it should work.
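The ordering the reply describes, shown as an added example that is not from the thread or from the Shorewall documentation. It uses the zone names that appear in the poster's startup output (fw, net, dinslaken); the per-zone policies chosen here are assumptions for illustration, not the poster's real file. The point is only the placement of the `all all` entry: Shorewall takes the first matching entry, so a catch-all at the top shadows every entry below it, and it must come last. The DROP-from-net entries also keep the log level so unsolicited traffic still shows up in the log.

```conf
# Assumed example of the mistake: the catch-all is the first entry, so every
# zone pair matches it and the more specific entries below are never reached.
#SOURCE     DEST        POLICY     LOG LEVEL
all         all         REJECT     info
# shadowed by the entry above: never applied
net         fw          DROP       info
# shadowed by the entry above: never applied
net         dinslaken   DROP       info

# Corrected ordering: specific policies first, catch-all last.
#SOURCE     DEST        POLICY     LOG LEVEL
# unsolicited traffic from the Internet to the firewall is dropped and logged
net         fw          DROP       info
# unsolicited traffic from the Internet to the internal zone is dropped and logged
net         dinslaken   DROP       info
# internal zone may reach the Internet (assumed policy for illustration)
dinslaken   net         ACCEPT
# catch-all is reached only when no entry above matched
all         all         REJECT     info
```

After editing the file, a `shorewall restart` reprocesses /etc/shorewall/policy and the "Policy ... for ... to ..." startup lines should now reflect the specific entries rather than the catch-all for every pair.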