Tom Eastep wrote:
> On May 31, 2013, at 5:40 PM, Dash Four <[email protected]> wrote:
>
>> Tom Eastep wrote:
>>
>>> 8) A new 'local' zone TYPE has been added to /etc/shorewall[6]/zones.
>>> A 'local' zone is similar to an 'ipv4' ('ipv6') zone, except that
>>> rules and policies to/from a 'local' zone may only be to/from the
>>> firewall zone and vserver zones.
>>>
>> When I have something like:
>>
>> zones
>> ~~~~~
>> local local
>>
>> interfaces
>> ~~~~~~~~~~
>> local eth1
>> -     lo   ignore
>>
>> policy
>> ~~~~~~
>> local $FW DROP
>> $FW local DROP
>> all+ all+ DROP
>>
>> shorewall generates:
>>
>> -A INPUT -i lo -j ACCEPT
>> [...]
>> -A OUTPUT -o eth1 -j ACCEPT
>> [...]
>> -A OUTPUT -o lo -j fw2fw
>>
>> which is wrong. The "-o eth1" rule above should be a jump to "fw2local"
>
> I'm not reproducing that -- if I change my $FW->local policy to DROP, the net
> change is:
>
> -A fw-loc -m conntrack --ctstate RELATED -j +fw-loc
> -A fw-loc -j ACCEPT
> -A fw-local -m conntrack --ctstate RELATED -j +fw-local
> --A fw-local -j ACCEPT
> +-A fw-local -j Drop
> +-A fw-local -j DROP
> -A fw-local1 -m conntrack --ctstate RELATED -j +fw-local1
> -A fw-local1 -j ACCEPT
> -A fw-loop1 -m conntrack --ctstate RELATED -j +fw-loop1

Well, I am still getting this.

>> and the last rule should be "-o lo -j ACCEPT".
>
> No -- all+ all+ DROP means that the fw->fw policy is DROP. That is probably
> enforced in the fw2fw chain.

I have asked shorewall to ignore "lo" - doesn't that mean shorewall should *not* enforce anything for that interface (and let all the traffic through that interface "pass")?

In addition, I am getting two separate sets of warnings during startup:

rules
~~~~~
SECTION RELATED
# MUST be last as *_DISPOSITION does not accept custom actions
IFLOG(-,log1,-,drop,DROP) all all

gives me:

WARNING: The rule(s) generated by this entry are unreachable and have been discarded /etc/shorewall/action.ILOG (line 38) from /etc/shorewall/action.IFLOG (line 31) from /etc/shorewall/rules (line 106)
[...ad nauseam ...]

then...

WARNING: The SOURCE zone is off-firewall and the DEST zone is 'loopback' /etc/shorewall/action.IFLOG (line 29) from /etc/shorewall/tunnels (line EOF)
WARNING: The SOURCE zone is off-firewall and the DEST zone is 'loopback' /etc/shorewall/action.IFLOG (line 31) from /etc/shorewall/tunnels (line EOF)
[...again, ad nauseam ...]

My /etc/shorewall/tunnels is empty.

Also, despite my best efforts, the xt_CT helper messages have *not* gone away, even though I've set net.netfilter_nf_conntrack_helper to 0 in my sysctl.conf (I even tried setting this as a kernel parameter).

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
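A quick way to verify the point under dispute is to check the compiled ruleset rather than eyeball it: for each zone interface, every OUTPUT rule should jump to the expected zone chain, not to a bare ACCEPT. The script below is an added example, not code from the thread or from Shorewall; the sample rules are constructed from the fragment Dash Four pasted, and on a live system the same function would be fed `iptables-save -t filter` output instead.

```shell
#!/bin/sh
# Constructed sample: the three rules quoted in the thread (not a real dump).
SAMPLE_RULES='-A INPUT -i lo -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o lo -j fw2fw'

# check_output_jumps IFACE EXPECTED_CHAIN RULES
# Prints every OUTPUT rule whose "-o" interface is IFACE but whose "-j"
# target is not EXPECTED_CHAIN. Returns 0 when all such rules jump to
# EXPECTED_CHAIN, 1 when at least one offending rule was found.
check_output_jumps() {
    iface=$1; expected=$2; rules=$3
    printf '%s\n' "$rules" | awk -v iface="$iface" -v expected="$expected" '
        $1 == "-A" && $2 == "OUTPUT" {
            out = ""; target = ""
            # Walk the match/target options of this rule.
            for (i = 3; i < NF; i++) {
                if ($i == "-o") out = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (out == iface && target != expected) { print; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }'
}

# Example run: eth1 belongs to the "local" zone, so its OUTPUT traffic is
# expected to be handled by the fw2local chain.
check_output_jumps eth1 fw2local "$SAMPLE_RULES"
```

The non-zero exit status makes the check usable as a post-`shorewall start` sanity hook or a configuration test.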
