On 04/03/2016 11:46 AM, Sven Kirmess wrote:
> There is inconsistent default behavior between Shorewall 4.6.13.4 and
> Shorewall6 4.6.13.4. Both have
>
> DROP_DEFAULT=Drop
>
> in their config file but Shorewall drops auth packets and Shorewall6
> rejects them.
>
> According to the documentation <http://shorewall.net/4.6/Actions.html>,
> I think, Shorewall is correct.
>
>
> firewall# grep DROP_DEFAULT /etc/shorewall*/shorewall*.conf
> /etc/shorewall/shorewall.conf:DROP_DEFAULT=Drop
> /etc/shorewall6/shorewall6.conf:DROP_DEFAULT=Drop
> firewall# shorewall show | grep 113
> firewall# shorewall6 show | grep 113
> 0 0 reject tcp * * ::/0 ::/0 tcp dpt:113 /* Auth */
> 0 0 reject tcp * * ::/0 ::/0 tcp dpt:113 /* Auth */
> firewall#
>
>
> firewall# grep DROP_DEFAULT /etc/shorewall*/shorewall*.conf
> /etc/shorewall/shorewall.conf:DROP_DEFAULT="Drop(-,REJECT)"
> /etc/shorewall6/shorewall6.conf:DROP_DEFAULT="Drop(-,REJECT)"
> firewall# shorewall show | grep 113
> 0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 /* Auth */
> firewall# shorewall6 show | grep 113
> 0 0 reject tcp * * ::/0 ::/0 tcp dpt:113 /* Auth */
> 0 0 reject tcp * * ::/0 ::/0 tcp dpt:113 /* Auth */
> firewall#

Yes -- they are different and will stay that way - changing default
behavior tends to break existing configurations. If you don't want auth
rejected in IPv6, then set DROP_DEFAULT="Drop(-,--)".

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
