> And here's one that allows adding blackhole routes via
> /etc/shorewall/routes. Just specify 'blackhole' in the GATEWAY column
> and leave the DEVICE column empty.
>
That does it, though I have a couple of recommendations:
I am a bit confused as to the functions of "routes" and "rtroutes" - it
seems to me that most, if not all, of the functionality can be
implemented by using just one file ("rtroutes" seems to have more
options, though with "routes", it looks as though things are more
straightforward there).
I think it is a good idea to be able to define blackhole routes for the
"main" table (in other words, the default "provider") by using "routes"
(haven't tried that though!). In such scenarios, this should, in theory,
supersede the NULL_ROUTE_RFC1918 config option and give me more
flexibility on what should be defined as a "blackhole" route. Why?
Because on one of my machines (an embedded device which is *very*
constrained, resource-wise) the main interface often goes up and down
and in such cases, the routes I have defined there simply "disappear" as
soon as the device goes down, which means that I cannot connect to it
from the internal network simply because the blackhole routes are not
tied up to a specific interface and stay "on" regardless of the state of
any network device.
In such a case, I have to fiddle with my "postcompile" to remove the
10.0.0.0/8 blackhole route which is defined/included in the "firewall"
script as soon as I turn that NULL_ROUTE_RFC1918 config option on. If I
have more fine-grained control of the blackhole routes - either via
"rtroutes" or "routes" (again, I am a bit mystified as to what is the
difference between the two), that won't be a problem for me because I'll
just disable NULL_ROUTE_RFC1918 and define my own blackhole routes the
way I want it without much fuss.
> If the copy patch works okay, I'll include it in 4.5.14. The attached
> one will not be released until 4.5.15 Beta 1.
>
That's fair enough, though the patch looks pretty good to me and does
its job.
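The scenario above (blackhole routes for the RFC1918 ranges that may be gone after an interface flap) is easy to verify from a cron job or a postcompile hook. The helper below is an added example, not code from this thread or from the Shorewall project: it compares the text of `ip route show` with the list of prefixes that should be null-routed and reports any that are missing. The sample routing table is constructed for the demo; the function name `missing_blackholes` and the `--live` switch are hypothetical.

```shell
#!/bin/sh
# Hypothetical helper (not part of Shorewall): report null routes that
# should exist but are absent from the routing table.
#
# Usage: missing_blackholes "<output of ip route show>" PREFIX...
# Prints each PREFIX with no "blackhole PREFIX" entry; returns 1 if any
# are missing, 0 if all are present.
missing_blackholes() {
    routes="$1"; shift
    rc=0
    for prefix in "$@"; do
        # Exact match on the first two fields, so 10.0.0.0/8 does not
        # accidentally match 10.0.0.0/16 or a regular "via" route.
        if ! printf '%s\n' "$routes" |
             awk -v p="$prefix" '$1 == "blackhole" && $2 == p { f = 1 }
                                 END { exit !f }'; then
            echo "$prefix"
            rc=1
        fi
    done
    return $rc
}

# The three RFC1918 blocks that NULL_ROUTE_RFC1918 is meant to cover.
RFC1918='10.0.0.0/8 172.16.0.0/12 192.168.0.0/16'

# Constructed sample: a routing table after an interface came back up,
# where the 10.0.0.0/8 blackhole route has disappeared.
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
blackhole 172.16.0.0/12
blackhole 192.168.0.0/16'

if [ "${1:-}" = "--live" ]; then
    # Check the running system instead of the sample table.
    missing_blackholes "$(ip route show)" $RFC1918 ||
        echo "WARNING: blackhole routes missing (see above)" >&2
else
    missing_blackholes "$SAMPLE_ROUTES" $RFC1918 ||
        echo "sample table: blackhole routes missing (see above)"
fi
```

Run it with `--live` from a hook that fires when the interface comes up to re-add whatever it reports missing.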
_______________________________________________
Shorewall-devel mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-devel