On Tue, 2 Dec 2003, Tom Eastep wrote:

> On Tue, 2 Dec 2003, Mike Noyes wrote:
>
> > On Tue, 2003-12-02 at 17:57, Joey Officer wrote:
> > > At face value, and without (intending to) sounding like a moron, Shorewall
> > > can block anything you tell it not to explicitly allow. Isn't that the
> > > default way it's currently being used?
> >
>
> As announced today on the Shorewall User's list, I am no longer involved
> in Shorewall support.
>
> Shorewall currently does no checking for spoofed output packets (and
> probably won't in the future).
>
By "output", I mean packets originating on the firewall itself. If the firewall system itself is rooted, then what that system's packet filter does in response is immaterial, and any firewall designer who worries about that problem is an idiot.

In terms of traffic passing through a Shorewall firewall, Shorewall itself has no concept of "input" and "output" or "inside" or "outside". So the Shorewall-generated ruleset applies exactly the same checks on all traffic being forwarded by the firewall system, regardless of which direction you perceive the traffic as flowing (assuming that you apply options like 'routefilter' symmetrically).

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
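The symmetry Tom describes is easiest to see by modelling the reverse-path check that Shorewall's 'routefilter' option turns on (the Linux rp_filter sysctl). The following is an added illustration, not code from the thread or from Shorewall: it uses a constructed two-interface routing table and applies the same source-address check to every forwarded packet whichever interface it arrives on, while a packet with no ingress interface (one the firewall generated itself) has nothing to be checked against, which is exactly the "output" case the post says is not checked. The interface names, prefixes and sample packets are assumptions.

```python
import ipaddress

# Constructed routing table for a two-interface firewall (assumption, not from the post).
# eth0 faces the Internet, eth1 faces the internal networks.
ROUTES = [
    ("192.168.1.0/24", "eth1"),   # LAN
    ("10.0.0.0/8", "eth1"),       # other internal nets reached through the LAN
    ("0.0.0.0/0", "eth0"),        # default route: everything else is "outside"
]


def lookup_egress(dst):
    """Longest-prefix match: the interface the kernel would use to reach dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rp_filter_accepts(src, ingress):
    """Strict reverse-path check, as rp_filter=1 does: a packet claiming source
    src is accepted on interface ingress only if a reply to src would leave
    through that same interface. The check does not care which side is
    'inside' or 'outside'; it is the same test on every interface."""
    return lookup_egress(src) == ingress


def filter_packet(pkt):
    """Decide what happens to one packet.
    pkt: dict with 'src', 'dst' and 'in_iface'; in_iface is None for packets
    the firewall itself originated (the post's 'output' packets)."""
    if pkt["in_iface"] is None:
        # Locally generated: there is no ingress interface to compare against,
        # so a reverse-path check cannot apply. A rooted firewall can emit
        # whatever it likes here, which is the point made in the post.
        return "accept (local origin, unchecked)"
    if not rp_filter_accepts(pkt["src"], pkt["in_iface"]):
        return "drop (spoofed source)"
    return "forward"


def check_both_directions():
    """Show that the same rule catches spoofing from either side.
    Returns the decisions for four constructed forwarded packets."""
    samples = [
        # honest LAN host going out
        {"src": "192.168.1.10", "dst": "8.8.8.8", "in_iface": "eth1"},
        # Internet packet claiming a LAN source: spoofed from outside
        {"src": "192.168.1.10", "dst": "192.168.1.1", "in_iface": "eth0"},
        # honest reply from the Internet
        {"src": "8.8.8.8", "dst": "192.168.1.10", "in_iface": "eth0"},
        # LAN host claiming an Internet source: spoofed from inside
        {"src": "8.8.8.8", "dst": "1.2.3.4", "in_iface": "eth1"},
    ]
    return [filter_packet(p) for p in samples]


if __name__ == "__main__":
    for decision in check_both_directions():
        print(decision)
    print(filter_packet({"src": "192.168.1.10", "dst": "8.8.8.8", "in_iface": None}))
```

The asymmetry to watch for in a real deployment is not in the check but in its application: if 'routefilter' (or the rp_filter sysctl) is enabled on the external interface only, the second sample above is dropped but the fourth is forwarded, and an internal host can source-spoof outbound traffic through the firewall.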
