Ob Noxious
2016-10-11 03:05:02 UTC
Hi,
On a host with 1 physical interface (internet) and several internal bridges
where LXC VMs (veth) are attached to different subnets. Everything runs
fine, nothing to complain about.
My policy file looks like this :
$FW { dest=all policy=ACCEPT }
dmz1,dmz2 { dest=dmz1,dmz2+ policy=REJECT loglevel=info }
all { dest=all policy=DROP loglevel=info }
In the rules file, I have the following line :
?SECTION ALL
Ping(ACCEPT) { source=all dest=all rate=100/sec }
And then the remaining sections and all the needed rules under "?SECTION
NEW"
With this setup here's what happens :
Ping from FW to any dmz zone (dmz1 or dmz2) => Works as expected
Ping from any VM in any dmz zone (dmz1 or dmz2) to FW => Works as expected
Ping from any VM in any dmz zone to any other VM in any other dmz zone =>
Works as expected
However :
Ping from any VM in any dmz zone to any other VM in the *SAME* dmz zone =>
Destination host unreachable!
It triggers the Shorewall interzone filtering
"Shorewall:dmz1-dmz1:REJECT:..."
"shorewall show" reflects the "Ping(ACCEPT)" rule is set in every possible
zone-to-zone combination EXCEPT the "samezone-to-samezone" chain (ie:
dmz1-to-dmz1). Shouldn't this chain contain the rule when "source/dest=all"
AND zone-to-zone policy is NOT ACCEPT?
What's your view on that?
--
ObNox
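A check for the symptom described above, added here as an example and not part of the original post: it walks a "shorewall show"-style chain listing (the sample below is constructed, and the chain names dmz1-dmz1, dmz1-dmz2 and fw-dmz1 are assumed) and lists the zone-to-zone chains that carry no ACCEPT rule for ICMP echo-request, so a missing same-zone Ping rule shows up without reading the whole dump by hand.

```shell
#!/bin/sh
# Constructed sample in the "iptables -L -n" style that "shorewall show" prints.
# Chain names and rule lines are assumed for illustration, not copied from a host.
SAMPLE_SHOW='Chain dmz1-dmz2 (1 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 100/sec burst 5
dmz2-dmz1  all  --  0.0.0.0/0            0.0.0.0/0

Chain dmz1-dmz1 (1 references)
target     prot opt source               destination
reject     all  --  0.0.0.0/0            0.0.0.0/0

Chain fw-dmz1 (1 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
'

# Read a chain listing on stdin and print, one per line, every zone-to-zone
# chain (name of the form zoneA-zoneB) that has no "ACCEPT icmp ... icmptype 8"
# rule. Chains without a hyphen (INPUT, FORWARD, ...) are not zone pairs and
# are skipped; a blank line ends the current chain block.
chains_missing_ping() {
    awk '
        /^Chain [^ ]+-[^ ]+ / { chain = $2; seen[chain] = 0; next }
        chain != "" && $1 == "ACCEPT" && $2 == "icmp" && /icmptype 8/ { seen[chain] = 1 }
        /^$/ { chain = "" }
        END { for (c in seen) if (!seen[c]) print c }
    ' | sort
}

# Stand-alone run over the constructed sample; on a real host pipe
# "shorewall show" (or "iptables -L -n") into chains_missing_ping instead.
printf '%s' "$SAMPLE_SHOW" | chains_missing_ping
```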