[Shorewall-users] Policy Rules not working as expected

Patrick Benson benson@chello.se
Thu, 25 Apr 2002 15:37:35 +0200


Tom Eastep wrote:

> Shorewall doesn't care which interface is which -- there are only two
> names that Shorewall attaches any meaning to:
> 
> a) The contents of the FW variable (normally 'fw') -- that is the zone of
> the firewall itself.
> b) 'multi' which is the pseudo-zone that Shorewall creates to be able to
> report on the 'multi2fw' chain.
> 
> The reason that my documentation and the samples use eth0 for the external
> interface is because many of them are taken from my setup which is
> configured that way. No other reason.
> 
> So if you want to call your internet zone 'foo' and your local zone 'bar',
> go for it :-)

Sure, Tom, that's quite understandable... :) ...but it's not the
point I'm trying to offer.

The problem is that he may *think* he has it configured one way but it
actually is configured totally the opposite. He mentioned, in the
beginning, that eth0 is connected to the net and eth1 is used for his
subnets, but his configuration was actually switched the other way
round. What happens if he starts modifying the policies and rules and
thinks he's doing one thing but will be doing something quite the
opposite? Security should be primarily about knowing exactly what one
is doing, not just being satisfied that it works ok for the moment.
 
-- 
Patrick Benson
Stockholm, Sweden
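As an added illustration of the point made in this reply (this script is not from the thread and is not part of Shorewall): a small shell check that compares the zone Shorewall has attached to an interface with the interface that actually carries the default route, and that spells out what a policy SOURCE/DEST pair means in interface terms under the mapping that is really configured. It assumes the Shorewall 1.x /etc/shorewall/interfaces column layout (ZONE INTERFACE BROADCAST OPTIONS, '#' comments) and the "default via A.B.C.D dev IFACE" line printed by `ip route show default`; the two sample interfaces files, the zone names net/loc and the route output are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall: check that the interface
# Shorewall maps to the zone you think of as "the Internet" is the one that really
# carries the default route, and spell out what a policy pair means in interface
# terms under the mapping that is actually configured.
# Assumes the Shorewall 1.x /etc/shorewall/interfaces column layout:
#   ZONE  INTERFACE  BROADCAST  OPTIONS     ('#' starts a comment)
# and the "default via A.B.C.D dev IFACE" line printed by "ip route show default".

# Print the zone an interface is assigned to in an interfaces file (empty if none).
zone_for_iface() {             # $1 = interfaces file, $2 = interface name
    awk -v ifc="$2" '$1 ~ /^#/ || NF == 0 { next }; $2 == ifc { print $1; exit }' "$1"
}

# Print the interface assigned to a zone (empty if the zone has none, e.g. fw).
iface_for_zone() {             # $1 = interfaces file, $2 = zone name
    awk -v z="$2" '$1 ~ /^#/ || NF == 0 { next }; $1 == z { print $2; exit }' "$1"
}

# Read "ip route show default" output on stdin and print the default-route interface.
default_route_iface() {
    awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Return 0 if the default-route interface ($3) sits in the zone you expect ($2), else 1.
check_external_zone() {        # $1 = interfaces file, $2 = expected zone, $3 = default-route iface
    actual=$(zone_for_iface "$1" "$3")
    if [ "$actual" = "$2" ]; then
        echo "ok: default route leaves via $3, which is in zone '$2'"
        return 0
    fi
    echo "MISMATCH: default route leaves via $3, which is in zone '${actual:-<none>}', not '$2'" >&2
    return 1
}

# Translate a policy SOURCE/DEST zone pair into interfaces under the configured mapping,
# so a line like "loc net ACCEPT" can be read for what it really does.
describe_policy_pair() {       # $1 = interfaces file, $2 = source zone, $3 = dest zone
    src=$(iface_for_zone "$1" "$2"); dst=$(iface_for_zone "$1" "$3")
    echo "$2 -> $3 means ${src:-$2} -> ${dst:-$3}"
}

# Constructed sample files. INTENDED is what the original poster said he had
# (eth0 on the Internet, eth1 on the LAN); SWAPPED is the reversed mapping.
INTENDED=$(mktemp); SWAPPED=$(mktemp)
cat > "$INTENDED" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918
loc     eth1        detect      routestopped
EOF
cat > "$SWAPPED" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     eth0        detect      routestopped
net     eth1        detect      norfc1918
EOF
ROUTE_OUT='default via 192.0.2.1 dev eth0'   # constructed "ip route show default" output
GW_IFACE=$(printf '%s\n' "$ROUTE_OUT" | default_route_iface)

for f in "$INTENDED" "$SWAPPED"; do
    echo "== $f"
    check_external_zone "$f" net "$GW_IFACE" || true
    describe_policy_pair "$f" loc net      # what a "loc net ACCEPT" policy line really permits
done
```

On a live box the same check is `check_external_zone /etc/shorewall/interfaces net "$(ip route show default | default_route_iface)"`. With the swapped mapping, a policy line written as `loc net ACCEPT` is really "eth0 -> eth1 ACCEPT", i.e. it opens the Internet-facing interface towards the LAN, which is exactly the kind of silent inversion the reply above warns about.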