I'm not sure I correctly understand how nested zones work in Shorewall.
My zones file includes these 2 zones:
My policy file is as shown below regarding the ibs child zone alone ("caib ibs CONTINUE" doesn't make much sense, does it?):
# grep ibs policy
lan ibs CONTINUE info
wan ibs CONTINUE info
dmz ibs CONTINUE info
ibs all CONTINUE info
caib ibs CONTINUE info
road ibs CONTINUE info
vpn1 ibs CONTINUE info
vpn2 ibs CONTINUE info
ovpn ibs CONTINUE info
$FW ibs CONTINUE info
As I understand it, client connection requests between e.g. the "lan" zone and the "ibs" zone should first be processed under the "lan/caib" rules, and if there is no match then the connection request should be treated under the "lan/ibs" rules.
Let's say I have allowed all traffic from lan:10.215.144.48 to caib:10.215.137.241 (ignore routing table) but I haven't written any specific lan to ibs rules.
Shouldn't a ping from lan:10.215.144.48 to ibs:10.215.137.241 be allowed?
I'm attaching a compressed shorewall dump file while trying to ping 10.215.137.241 from 10.215.144.48.
I'm getting the following in the log:
lan-ibs:CONTINUE:IN=enp5s3 OUT=enp5s0 SRC=10.215.144.48 DST=10.215.137.241 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=9918 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=96
FORWARD:REJECT:IN=enp5s3 OUT=enp5s0 SRC=10.215.144.48 DST=10.215.137.241 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=9918 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=96
Thanks for explaining how nested zones work because I'm sure I got it wrong.
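Added example, not part of the post above and not Shorewall's own code: a small Python script that parses the two log lines quoted in the post and reconstructs, per packet, the ordered list of chains and dispositions it was logged in, which makes it easy to see that this ping was only ever seen by the lan-ibs chain (CONTINUE) before hitting the FORWARD policy (REJECT). It assumes the `chain:DISPOSITION:K=V ...` prefix exactly as shown in the post (no leading `Shorewall:` tag); the sample log is constructed from those two lines.

```python
import re
from collections import OrderedDict

# Constructed sample: the two lines quoted in the post, verbatim.
SAMPLE_LOG = """\
lan-ibs:CONTINUE:IN=enp5s3 OUT=enp5s0 SRC=10.215.144.48 DST=10.215.137.241 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=9918 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=96
FORWARD:REJECT:IN=enp5s3 OUT=enp5s0 SRC=10.215.144.48 DST=10.215.137.241 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=9918 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=96
"""

# Assumed log prefix layout: "<chain>:<DISPOSITION>:" followed by netfilter K=V fields.
PREFIX_RE = re.compile(r"^(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<fields>.*)$")


def parse_line(line):
    """Parse one log line into chain, disposition and a dict of K=V fields.
    Duplicate keys are numbered (ID, ID_2): the first ID= is the IP header id,
    the second one (after PROTO=ICMP) is the ICMP echo identifier."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for token in m.group("fields").split():
        key, _, value = token.partition("=")
        while key in fields:
            key += "_2"
        fields[key] = value
    return {"chain": m.group("chain"), "disposition": m.group("disposition"), "fields": fields}


def trace_packets(log_text):
    """Group lines by packet identity (SRC, DST, PROTO, IP id) and return, per packet,
    the ordered (chain, disposition) pairs it was logged in, in log order."""
    traces = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        f = rec["fields"]
        key = (f.get("SRC"), f.get("DST"), f.get("PROTO"), f.get("ID"))
        traces.setdefault(key, []).append((rec["chain"], rec["disposition"]))
    return traces


def final_disposition(path):
    """Last non-CONTINUE disposition on a packet's path; CONTINUE if every chain passed it on."""
    for _chain, disp in reversed(path):
        if disp != "CONTINUE":
            return disp
    return "CONTINUE"


if __name__ == "__main__":
    for key, path in trace_packets(SAMPLE_LOG).items():
        print(key, " -> ".join(f"{c}:{d}" for c, d in path), "=>", final_disposition(path))
```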