On 2/16/2014 4:42 AM, Dash Four wrote:
> Simple question: If I want to prevent shorewall from spamming my chains
> with multicast (224.0.0.0/4) and broadcast (255.255.255.255) rules
> generation (I wish such packets to be DROPped which is the default
> policy for all my chains), will the 2 patches I am attaching here do the
> job and if so, are there any "side-effects"?
> 
> I ran a quick diff between "old" and "new" and couldn't find anything
> alarming, but thought to post on here just to be on the safe side. Thanks.

The effect of these patches is that when nets= is specified for an
interface, multicast and broadcast traffic to the interface specified in
the INTERFACE column won't be sent through the fw->zone chain. They will
end up being handled by the catchall rules at the bottom of the OUTPUT
chain.

Normally broadcast and multicast traffic doesn't flood the log because
the standard default actions for DROP and REJECT omit those packets from
logging (they silently DROP/REJECT them).

From action.Reject:

        #
        # Drop Broadcasts so they don't clutter up the log
        # (broadcasts must *not* be rejected).
        #
        Broadcast(DROP,@1)

Note that the Broadcast action also applies to multicast.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel