On May 31, 2013, at 5:40 PM, Dash Four <[email protected]> wrote:

> 
> Tom Eastep wrote:
>> 8)  A new 'local' zone TYPE has been added to /etc/shorewall[6]/zones.
>>    A 'local' zone is similar to an 'ipv4' ('ipv6') zone, except that
>>    rules and policies to/from a 'local' zone may only be to/from the
>>    firewall zone and vserver zones.
>> 
> When I have something like:
> 
> zones
> ~~~~~
> local local
> 
> interfaces
> ~~~~~~~~~~
> local eth1
> - lo ignore
> 
> policy
> ~~~~~~
> local $FW DROP
> $FW local DROP
> all+ all+ DROP
> 
> 
> shorewall generates:
> 
> -A INPUT -i lo -j ACCEPT
> [...]
> -A OUTPUT -o eth1 -j ACCEPT
> [...]
> -A OUTPUT -o lo -j fw2fw
> 
> which is wrong. The "-o eth1" rule above should be a jump to "fw2local"

I'm not reproducing that -- if I change my $FW->local policy to DROP, the net 
change is:

 -A fw-loc -m conntrack --ctstate RELATED -j +fw-loc
 -A fw-loc -j ACCEPT
 -A fw-local -m conntrack --ctstate RELATED -j +fw-local
--A fw-local -j ACCEPT
+-A fw-local -j Drop
+-A fw-local -j DROP
 -A fw-local1 -m conntrack --ctstate RELATED -j +fw-local1
 -A fw-local1 -j ACCEPT
 -A fw-loop1 -m conntrack --ctstate RELATED -j +fw-loop1

> and the last rule should be "-o lo -j ACCEPT".
> 


No -- all+ all+ DROP means that the fw->fw policy is DROP. That is probably 
enforced in the fw2fw chain.

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
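The check Dash Four is doing by eye above (which target each generated OUTPUT rule jumps to for eth1 and lo) can be scripted against `iptables-save` style output, so a policy change can be verified against the rules actually loaded. This is an added example, not code from the original thread or from Shorewall itself; the rule lines are constructed from the ones quoted above, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample in iptables-save format, copied from the rules quoted in
# the thread (not real Shorewall output). On a live box this would come from:
#   iptables-save -t filter
SAMPLE_RULES='-A INPUT -i lo -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o lo -j fw2fw'

# Print "<interface> <target>" for every rule appended to the OUTPUT chain.
# Rules without -o are printed with an empty interface field.
output_targets() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "OUTPUT" {
            iface = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-o") iface = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            print iface, target
        }'
}

# Succeed (exit 0) only if the OUTPUT rule for the given interface jumps to
# the expected target; fail if it jumps elsewhere or no such rule exists.
#   usage: check_output_target <iface> <expected-target> "<rules>"
check_output_target() {
    iface="$1"; expected="$2"; rules="$3"
    actual=$(output_targets "$rules" | awk -v i="$iface" '$1 == i { print $2 }')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Stand-alone run: report what the sample rules do with eth1 traffic.
if check_output_target eth1 fw2local "$SAMPLE_RULES"; then
    echo "eth1 output goes to fw2local (policy chain applies)"
else
    echo "eth1 output does NOT go to fw2local:"
    output_targets "$SAMPLE_RULES" | awk '$1 == "eth1"'
fi
```

With the rules quoted in the thread the script reports that eth1 output is ACCEPTed outright rather than sent to fw2local, which is exactly the discrepancy being discussed; on a real system, replace `SAMPLE_RULES` with the output of `iptables-save -t filter` after `shorewall restart`.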

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
