This is a discussion on Shorewall and CONTINUE policy within the Linux Networking forums, part of the Linux Forums category.
Shorewall on debian/sarge, versions 2.2.3 and 2.4.1.

I've got a general purpose DMZ network on an extra interface, with 15 IP addresses (.1 through .15). I want to have specific zones for specific groups of machines, with a general set of fall-back rules for the DMZ as a whole. My zones are thus (syntactic sugar equating to actual entries in the zones and hosts files):

    z_tst   eth2:10.1.30.1-10.1.30.4   # Subset of DMZ .1 - .4
    dmz     eth2                        # DMZ .1 - .15
    loc     eth1                        # Local network
    net     eth0                        # Everyone "out there"

and the policies are thus:

    z_tst   all     CONTINUE    # Use policy/rules for "dmz"
    all     z_tst   CONTINUE    # Use policy/rules for "dmz"
    dmz     all     REJECT
    all     dmz     REJECT

Here are some sample rules (for the purposes of this post):

    ACCEPT  all   z_tst   tcp   22
    ACCEPT  dmz   loc     tcp   53
    ACCEPT  dmz   loc     udp   53
    ACCEPT  all   dmz     icmp  echo-request

In this situation, I thought that the CONTINUE policy for z_tst would mean that the dmz rules would also be applied, so I wouldn't need to repeat them for the z_tst subsection of the dmz network. However, what I get is that the z_tst rule for tcp/22 works, but that the icmp echo-request (ping) doesn't work. If I copy that last rule so that it explicitly states z_tst instead of dmz, then ping also works:

    ACCEPT  all   z_tst   icmp  echo-request

Have I really misunderstood CONTINUE, or is there something else not quite right here?

Many thanks,
Chris
On Mon, 26 Sep 2005 17:02:22 +0100, chris-usenet@roaima.co.uk wrote:
> Shorewall on debian/sarge, versions 2.2.3 and 2.4.1.
>
> Have I really misunderstood CONTINUE, or is there something else not
> quite right here?

You might want to check http://www.shorewall.net/Documentation_Index.html
>> Have I really misunderstood CONTINUE, or is there something else not
>> quite right here?

Bit Twister <BitTwister@mouse-potato.com> wrote:
> You might want to check
> http://www.shorewall.net/Documentation_Index.html

It's where I started, long before I posted. Oh, and for the record, yes I've also googled.

Chris
On Mon, 26 Sep 2005 21:41:10 +0100, chris-usenet@roaima.co.uk wrote:
>>> Have I really misunderstood CONTINUE, or is there something else not
>>> quite right here?
>
> Bit Twister <BitTwister@mouse-potato.com> wrote:
>> You might want to check
>> http://www.shorewall.net/Documentation_Index.html
>
> It's where I started, long before I posted.

Well http://www.shorewall.net/Documentation.htm#Policy has

    CONTINUE
    The connection is neither ACCEPTed, DROPped nor REJECTed.

and http://www.shorewall.net/Documentation.htm#Rules has

    CONTINUE rules may cause the connection request to be reprocessed
    using a different (source zone, destination zone) pair.
Bit Twister <BitTwister@mouse-potato.com> wrote:
> CONTINUE rules may cause the connection request to be
> reprocessed using a different (source zone, destination zone)
> pair.

Yes, and assuming I understand what the author intends by those two statements, I figure there may be a fault with the implementation of CONTINUE. However, I don't like starting with the premise that there's a fault, which is why I posted my question and example snippets of configuration files.

Chris
chris-usenet@roaima.co.uk wrote:
> [regarding Shorewall and CONTINUE not working for me] I don't like
> starting with the premise that there's a fault, which is why I posted
> my question and example snippets of configuration files.

For closure, I can report that the problem was staring me in the face. The documentation is correct, and it was an omission in my hosts file.

> My zones are thus (syntactic sugar equating to actual entries in the
> zones and hosts files):
>     z_tst   eth2:10.1.30.1-10.1.30.4   # Subset of DMZ .1 - .4
>     dmz     eth2                        # DMZ .1 - .15
>     loc     eth1                        # Local network
>     net     eth0                        # Everyone "out there"

Unfortunately these zone definitions were what I'd intended, not what I'd actually achieved, as I'd omitted the definition for net in this hosts file segment:

    #ZONE   HOST(S)                 OPTIONS
    #
    loc     eth0:10.0.0.0/12
    net     eth0:0.0.0.0/0

Chris
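The thread's zones, policies and rules as a runnable model, added here as an example (it is neither Shorewall's code nor the poster's): it applies the documented order (rules first, then policy, with CONTINUE moving the packet on to the next enclosing zone pair) and shows that a source address the hosts file places in no zone never reaches the dmz rules at all, which is the omission the last post describes. The dmz and loc address ranges, the loc interface, and the outside address 198.51.100.7 are assumptions.

```python
import ipaddress

# Constructed, simplified model of the thread's configuration (not Shorewall
# code): rules are checked first, then the policy; CONTINUE sends the packet
# on to the next enclosing (source zone, destination zone) pair.
# Hosts entries: (zone, interface, address spec); loc/dmz ranges are assumed.
HOSTS = [("z_tst", "eth2", "10.1.30.1-10.1.30.4"),   # subset of DMZ .1-.4
         ("dmz", "eth2", "10.1.30.0/28"),            # DMZ .1-.15 (assumed /28)
         ("loc", "eth1", "10.0.0.0/12"),
         ("net", "eth0", "0.0.0.0/0")]               # the line the poster's hosts file lacked
POLICIES = [("z_tst", "all", "CONTINUE"), ("all", "z_tst", "CONTINUE"),
            ("dmz", "all", "REJECT"), ("all", "dmz", "REJECT")]
RULES = [("ACCEPT", "all", "z_tst", "tcp", 22),
         ("ACCEPT", "dmz", "loc", "tcp", 53), ("ACCEPT", "dmz", "loc", "udp", 53),
         ("ACCEPT", "all", "dmz", "icmp", "echo-request")]

def to_range(spec):
    """Parse 'a.b.c.d-e.f.g.h' or CIDR into an inclusive (low, high) integer pair."""
    if "-" in spec:
        return tuple(int(ipaddress.ip_address(a)) for a in spec.split("-"))
    net = ipaddress.ip_network(spec, strict=False)
    return int(net[0]), int(net[-1])

def zones_for(hosts, iface, ip):
    """Zones containing ip on iface, innermost (smallest range) first."""
    n = int(ipaddress.ip_address(ip))
    hits = [(hi - lo, zone) for zone, i, spec in hosts
            for lo, hi in [to_range(spec)] if i == iface and lo <= n <= hi]
    return [zone for _, zone in sorted(hits)]

def lookup(sz, dz, proto, port):
    """Verdict for one zone pair: first matching rule, else the matching policy."""
    for action, s, d, p, pt in RULES:
        if s in (sz, "all") and d in (dz, "all") and (p, pt) == (proto, port):
            return action
    for s, d, action in POLICIES:
        if s in (sz, "all") and d in (dz, "all"):
            return action
    return "DROP"

def decide(hosts, src, dst, proto, port):
    # src and dst are (interface, ip); returns e.g. 'ACCEPT via net->dmz'
    src_zones, dst_zones = zones_for(hosts, *src), zones_for(hosts, *dst)
    if not src_zones or not dst_zones:
        return "NO-ZONE"               # an address in no zone matches no zone rule
    for sz in src_zones:
        for dz in dst_zones:
            verdict = lookup(sz, dz, proto, port)
            if verdict != "CONTINUE":  # CONTINUE: try the next enclosing pair
                return f"{verdict} via {sz}->{dz}"
    return "DROP"
```

Dropping the net entry (as in the original hosts file) makes decide() return NO-ZONE for any packet from eth0, while the complete table lets the ping fall through from z_tst to the dmz rule.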