On 06/01/2013 06:45 AM, Dash Four wrote:
>
> Tom Eastep wrote:
>> On May 31, 2013, at 5:40 PM, Dash Four <[email protected]> wrote:
>>
>>> Tom Eastep wrote:
>>>
>>>> 8) A new 'local' zone TYPE has been added to /etc/shorewall[6]/zones.
>>>> A 'local' zone is similar to an 'ipv4' ('ipv6') zone, except that
>>>> rules and policies to/from a 'local' zone may only be to/from the
>>>> firewall zone and vserver zones.
>>>>
>>> When I have something like:
>>>
>>> zones
>>> ~~~~~
>>> local    local
>>>
>>> interfaces
>>> ~~~~~~~~~~
>>> local    eth1
>>> -        lo      ignore
>>>
>>> policy
>>> ~~~~~~
>>> local    $FW     DROP
>>> $FW      local   DROP
>>> all+     all+    DROP
>>>
>>> shorewall generates:
>>>
>>> -A INPUT -i lo -j ACCEPT
>>> [...]
>>> -A OUTPUT -o eth1 -j ACCEPT
>>> [...]
>>> -A OUTPUT -o lo -j fw2fw
>>>
>>> which is wrong. The "-o eth1" rule above should be a jump to "fw2local"
>>
>> I'm not reproducing that -- if I change my $FW->local policy to DROP, the
>> net change is:
>>
>>  -A fw-loc -m conntrack --ctstate RELATED -j +fw-loc
>>  -A fw-loc -j ACCEPT
>>  -A fw-local -m conntrack --ctstate RELATED -j +fw-local
>> --A fw-local -j ACCEPT
>> +-A fw-local -j Drop
>> +-A fw-local -j DROP
>>  -A fw-local1 -m conntrack --ctstate RELATED -j +fw-local1
>>  -A fw-local1 -j ACCEPT
>>  -A fw-loop1 -m conntrack --ctstate RELATED -j +fw-loop1
>>
> Well, I am still getting this.

Then please forward a configuration (with capabilities file) that shows
the problem. Thanks.

>>> and the last rule should be "-o lo -j ACCEPT".
>>
>> No -- all+ all+ DROP means that the fw->fw policy is DROP. That is probably
>> enforced in the fw2fw chain.
>>
> I have asked shorewall to ignore "lo" - doesn't that mean shorewall
> should *not* enforce anything for that interface (and let all the
> traffic through that interface "pass")?

No -- from 'man shorewall-interfaces':

    ignore[=1]
        When specified, causes the generated script to ignore up/down
        events from Shorewall-init for this device. Additionally, the
        option exempts the interface from hairpin filtering. When '=1'
        is omitted, the ZONE column must contain '-' and ignore must be
        the only OPTION.

        Beginning with Shorewall 4.5.5, may be specified as 'ignore=1'
        which only causes the generated script to ignore up/down events
        from Shorewall-init; hairpin filtering is still applied. In this
        case, the above restrictions on the ZONE and OPTIONS columns are
        lifted.

> In addition, I am getting two separate sets of warnings during startup:
>
> rules
> ~~~~~
> SECTION RELATED
> # MUST be last as *_DISPOSITION does not accept custom actions
> IFLOG(-,log1,-,drop,DROP)    all    all
>
> gives me:
>
> WARNING: The rule(s) generated by this entry are unreachable and have
> been discarded /etc/shorewall/action.ILOG (line 38)
>    from /etc/shorewall/action.IFLOG (line 31)
>    from /etc/shorewall/rules (line 106)
> [...ad nauseam ...]
>
> then...
>
> WARNING: The SOURCE zone is off-firewall and the DEST zone is 'loopback'
> /etc/shorewall/action.IFLOG (line 29)
>    from /etc/shorewall/tunnels (line EOF)
> WARNING: The SOURCE zone is off-firewall and the DEST zone is 'loopback'
> /etc/shorewall/action.IFLOG (line 31)
>    from /etc/shorewall/tunnels (line EOF)
> [...again, ad nauseam ...]
>
> My /etc/shorewall/tunnels is empty.

I'll make no progress on that one without seeing the action.IFLOG
definition.

> Also, despite my best efforts, the xt_CT helper messages have *not* gone
> away, even though I've set net.netfilter_nf_conntrack_helper to 0 in my
> sysctl.conf (I even tried setting this as a kernel parameter).

Do you have any 'notrack' rules? If not, you could simply omit xt_CT from
your kernel configuration.

-Tom
-- 
Tom Eastep        \           When I die, I want to go like my Grandfather who
Shoreline,         \   died peacefully in his sleep. Not screaming like
Washington, USA     \   all of the passengers in his car
http://shorewall.net \________________________________________________
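An added check, not from this thread or from Shorewall itself, that audits a compiled ruleset the way Dash Four did by eye: it parses iptables-save style INPUT/OUTPUT dispatch rules and flags any that ACCEPT outright for an interface whose zone policy to or from the firewall is not ACCEPT. The sample rules are the three quoted above plus one constructed well-formed line; the interface-to-zone map and policies are assumed from the quoted configuration (lo is left unmapped because it is marked ignore).

```python
import re

# Constructed sample: the three generated rules quoted in the thread,
# plus one constructed rule that correctly jumps into a zone chain.
SAMPLE_RULES = """\
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o lo -j fw2fw
-A INPUT -i eth1 -j local2fw
"""

# Assumed from the quoted zones/interfaces/policy files.
# 'lo' is absent because the interfaces file marks it 'ignore'.
IFACE_ZONE = {"eth1": "local"}
POLICIES = {("$FW", "local"): "DROP", ("local", "$FW"): "DROP"}

# Interface dispatch rules in the built-in chains: -A CHAIN -i/-o IFACE -j TARGET
RULE_RE = re.compile(r"^-A (INPUT|OUTPUT) -(i|o) (\S+) -j (\S+)$")


def check_dispatch(rules, iface_zone=IFACE_ZONE, policies=POLICIES):
    """Return findings for INPUT/OUTPUT dispatch rules that terminate in
    ACCEPT although the zone policy for that direction is not ACCEPT."""
    findings = []
    for line in rules.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        chain, _flag, iface, target = m.groups()
        zone = iface_zone.get(iface)
        if zone is None:  # ignored or unzoned interface: nothing to enforce here
            continue
        # OUTPUT carries $FW->zone traffic, INPUT carries zone->$FW traffic.
        pair = ("$FW", zone) if chain == "OUTPUT" else (zone, "$FW")
        # Pairs without an explicit policy fall under the all+ all+ DROP line.
        policy = policies.get(pair, "DROP")
        if target == "ACCEPT" and policy != "ACCEPT":
            findings.append(
                f"{chain} dispatch for {iface} is ACCEPT but policy "
                f"{pair[0]}->{pair[1]} is {policy}"
            )
    return findings


if __name__ == "__main__":
    for finding in check_dispatch(SAMPLE_RULES):
        print(finding)
```

Feed it the output of `iptables-save` (or `shorewall show`) together with the zone map of the host under review to confirm the compiled rules match the intended policies.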
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
