On Sep 30, 2011, at 3:27 PM, Mr Dash Four wrote:

>>>> Same chains as today.
>>>>
>>> So, if I place 50 blacklist entries for tun0 and 1 for eth0, then in
>>> order to get a packet through eth0 it has to traverse through 51 entries
>>> in that same chain? "Square pegs in round holes" comes to mind...
>>> Thanks, but no thanks!
>>>
>> Why? It is doing that now.
>>
> No, not really. It is only "doing that now" because blacklist entries
> are entered for all interfaces - if/when that changes, I would be able
> to enter blacklist entries for a specific interface.
>
> If you are going to lump up all blacklist entries regardless of which
> interface they are entered for into a single chain (I presume that would
> be the blacklst/blackout chain again as you already pointed out) and you
> reference that chain from all interfaces/zones (as is the case now),
> that means a single packet has to traverse through all entries in the
> blacklst/blackout chain - including entries which have been entered for
> a different interface - before it passes through and that is something I
> am not very keen on doing, quite frankly... Unless I am missing something
> obvious.
>
Okay -- then let's do this:

a) Add DropSmurfs and TCPFlags actions that do the same thing as the
interface options 'nosmurfs' and 'TCPFlags' respectively.

b) Simply put your blacklist entries in the ALL section of the rules
file. This way, you can have dozens of blacklists and invoke them as
appropriate. You would implement each blacklist as an action, so that
CONTINUE would work like 'whitelist'. After all blacklist/whitelist
processing, you could invoke DropSmurfs and/or TCPFlags if desired.

We don't need a 'maclist' action since maclist processing can be
trivially implemented in rules already.

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
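Tom's proposal in (b), as an added example that is not from the original thread or the Shorewall project: a rules-file ALL section that invokes one blacklist action per interface, with CONTINUE acting as the whitelist exit from an action. The zone names (net, vpn), the action names BLeth0/BLtun0 and all addresses are constructed; DropSmurfs and TCPFlags are the actions proposed in (a), and the `?SECTION` spelling assumes a release newer than this 2011 thread (older releases wrote `SECTION ALL`).

```text
# /etc/shorewall/actions  (declare the two constructed blacklist actions)
#ACTION
BLeth0        # blacklist walked only by packets arriving on eth0
BLtun0        # blacklist walked only by packets arriving on tun0

# /etc/shorewall/action.BLtun0  (one file per blacklist; same columns as rules)
#ACTION    SOURCE           DEST   PROTO   DPORT
CONTINUE   192.0.2.10       -                     # whitelisted VPN peer: exit the action, skip the rest
DROP       192.0.2.0/24     -                     # constructed blacklisted VPN client range
DROP       -                -      tcp     23     # no telnet from any VPN client

# /etc/shorewall/action.BLeth0
#ACTION    SOURCE           DEST   PROTO   DPORT
DROP       198.51.100.0/24  -                     # constructed blacklisted public range

# /etc/shorewall/rules
?SECTION ALL
#ACTION     SOURCE     DEST   PROTO
BLtun0      vpn:tun0   all                 # only tun0 traffic traverses the tun0 list
BLeth0      net:eth0   all                 # eth0 traffic sees only its own short list
DropSmurfs  net:eth0   all                 # proposed actions, invoked after the lists
TCPFlags    net:eth0   all

?SECTION NEW
ACCEPT      vpn        $FW    tcp    22    # ordinary policy rules follow as usual
```

Each action becomes its own chain, so the per-packet cost of a blacklist is paid only by the interface it is bound to, which is exactly the objection raised in the quoted message.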
