> You need to re-apply the patches. Those went in after I had already
> uploaded RC1.
>
The RC1 announcement wasn't posted on the list either. I don't know
whether it is late in the cycle for this release or not, but the
following problem, I think, merits some attention:
1. "providers" file and treatment of (custom-specified) blackhole rules:
They are not captured either by the DUPLICATE or COPY columns, so they
must always be copied (somehow manually?) regardless.
Currently I can't see a way of adding blackhole routes (there isn't
anything in either "rtrules" or "routes"), which means that if I have
custom-set blackhole routes (via the Linux network scripts or via
"start"/"started"), they will not be copied over to the providers
table(s) and there is no way to add them in either of these two files.
Also worth reporting:
2. "firewall" script - ${VARDIR}/<iface>.status optimisation:
providers
~~~~~~~~~
internal 7 - - eth2 10.1.7.13

produces:

[...]
        find_interface_addresses eth2 | while read address; do
            qt $IP -4 rule del from $address
            run_ip rule add from $address pref 20000 table 7
            echo "qt $IP -4 rule del from $address" >> ${VARDIR}/undo_internal_routing
            rulenum=$(($rulenum + 1))
        done
        echo 0 > ${VARDIR}/eth2.status
        echo 0 > ${VARDIR}/eth2.status
        progress_message "Provider internal (2) Started"
    else
        echo 1 > ${VARDIR}/eth2.status
        fatal_error "Interface eth2 is not usable -- Provider internal (2) Cannot be Started"
    fi
} # End of start_provider_internal();
[...]
Note the double "echo 0 > ..." statement above.
3. The definition of DUPLICATE and COPY columns in "providers" is
different in http://www.shorewall.net/MultiISP.html and
http://www.shorewall.net/manpages/shorewall-providers.html. In
MultiISP.html we have:
"...When you specify an existing table in the DUPLICATE column,
Shorewall copies all routes through the interface specified in the
INTERFACE column plus the interfaces listed in this column. Normally,
you will list all interfaces on your firewall in this column except
those Internet interfaces specified in the INTERFACE column of entries
in this file."
So, according to this, if I have the above "providers" configuration
(see 2 above), save for setting "main" in the DUPLICATE column, then
only routes defined in the main table for "eth2" should be copied to the
"internal" table. In reality, every subnet defined in the main table,
regardless of which interface it is defined for, is copied. The
providers man page describes the correct behaviour.
In addition, if I specify "eth2" in the COPY column (continue to have
"main" in DUPLICATE), then the following code is produced:
[...]
    case $(find_device $route) in
        eth2|eth2)
            case $net in
                255.255.255.255*)
[...]
"eth2|eth2)" is the equivalent of "eth2)", so this should be optimised.
4. Manpages -> rtrules is a dead link.
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
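To illustrate points 1 and 3 of the report above, here is an added example that is not Shorewall's code and not part of the original message: a small POSIX shell filter that selects, from a constructed "ip route show table main" listing, the routes the providers man page says belong in a provider's table (those via INTERFACE plus the COPY interfaces), and a helper that builds the case(1) alternative list without a repeated "eth2|eth2". The route_device function is a stand-in for Shorewall's find_device, and MAIN_ROUTES is constructed sample data; a blackhole route carries no "dev", so a device-based selection never picks it up.

```shell
# Constructed sample of "ip route show table main" output (not a real host).
MAIN_ROUTES='default via 10.1.7.1 dev eth2
10.1.7.0/24 dev eth2 proto kernel scope link src 10.1.7.13
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
172.16.0.0/16 via 192.168.1.254 dev eth0
10.99.0.0/16 dev eth1 scope link
blackhole 10.200.0.0/16'

# route_device ROUTE_LINE: print the word after "dev", or nothing when the
# route has no device (blackhole/unreachable/prohibit). Stand-in for find_device.
route_device() {
    set -- $1
    while [ $# -gt 1 ]; do
        [ "$1" = "dev" ] && { printf '%s' "$2"; return 0; }
        shift
    done
    printf ''
}

# routes_to_copy INTERFACE COPY: print the MAIN_ROUTES entries that belong in
# the provider's table per the man page: routes through INTERFACE plus the
# comma-separated COPY interfaces ("-" = none). Device-less routes never match.
routes_to_copy() {
    iface=$1
    copy=$(printf '%s' "$2" | tr ',' ' ')
    [ "$copy" = "-" ] && copy=""
    printf '%s\n' "$MAIN_ROUTES" | while IFS= read -r route; do
        dev=$(route_device "$route")
        for want in $iface $copy; do
            if [ "$dev" = "$want" ]; then
                printf '%s\n' "$route"
                break
            fi
        done
    done
}

# case_pattern IFACES: build the case(1) alternative list from a space-separated
# interface list, dropping repeats so "eth2 eth2" yields "eth2", not "eth2|eth2".
case_pattern() {
    seen=""
    for i in $1; do
        case " $seen " in *" $i "*) continue ;; esac
        seen="$seen $i"
    done
    printf '%s' "$seen" | sed 's/^ //; s/ /|/g'
}
```

Running `routes_to_copy eth2 eth0` lists only the four eth2/eth0 routes; the blackhole entry is never selected, which is why blackhole routes need their own handling.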