Hi Tom,

That makes perfect sense.

I could only find this documentation <http://shorewall.net/4.6/Actions.html>. Is there different documentation for Shorewall6, or is the documentation shared? If it's shared, it might make sense to mention the different defaults.

Sven

On Mon, Apr 4, 2016 at 4:40 PM, Tom Eastep <[email protected]> wrote:

> On 04/03/2016 11:46 AM, Sven Kirmess wrote:
> > There is inconsistent default behavior between Shorewall 4.6.13.4 and
> > Shorewall6 4.6.13.4. Both have
> >
> > DROP_DEFAULT=Drop
> >
> > in their config file but Shorewall drops auth packets and Shorewall6
> > rejects them.
> >
> > According to the documentation <http://shorewall.net/4.6/Actions.html>,
> > I think, Shorewall is correct.
> >
> >
> > firewall# grep DROP_DEFAULT /etc/shorewall*/shorewall*.conf
> > /etc/shorewall/shorewall.conf:DROP_DEFAULT=Drop
> > /etc/shorewall6/shorewall6.conf:DROP_DEFAULT=Drop
> > firewall# shorewall show | grep 113
> > firewall# shorewall6 show | grep 113
> > 0 0 reject tcp * * ::/0 ::/0 tcp dpt:113 /* Auth */
> > 0 0 reject tcp * * ::/0 ::/0 tcp dpt:113 /* Auth */
> > firewall#
> >
> >
> > firewall# grep DROP_DEFAULT /etc/shorewall*/shorewall*.conf
> > /etc/shorewall/shorewall.conf:DROP_DEFAULT="Drop(-,REJECT)"
> > /etc/shorewall6/shorewall6.conf:DROP_DEFAULT="Drop(-,REJECT)"
> > firewall# shorewall show | grep 113
> > 0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 /* Auth */
> > firewall# shorewall6 show | grep 113
> > 0 0 reject tcp * * ::/0 ::/0 tcp dpt:113 /* Auth */
> > 0 0 reject tcp * * ::/0 ::/0 tcp dpt:113 /* Auth */
> > firewall#
>
> Yes -- they are different and will stay that way - changing default
> behavior tends to break existing configurations. If you don't want auth
> rejected in IPv6, then set DROP_DEFAULT="Drop(-,--)".
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
> _______________________________________________
> Shorewall-devel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-devel
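The check done by hand in the thread (`shorewall show | grep 113` against `shorewall6 show | grep 113`) can be scripted so that a difference in auth (tcp/113) handling between the two address families is reported explicitly. This is an added example, not part of the original messages or of Shorewall itself; the function names `auth_targets` and `compare_auth` are hypothetical, and the sample lines are constructed from the output quoted in the thread.

```shell
#!/bin/sh
# Added example: compare how tcp/113 (auth) is handled for IPv4 and IPv6,
# given rule listings in the format printed by `shorewall show` and
# `shorewall6 show` (target is column 3, protocol is column 4).

# auth_targets: read a rule listing on stdin and print the unique targets of
# rules matching tcp dpt:113, space-separated, or "no-rule" when none match.
auth_targets() {
    targets=$(awk '$4 == "tcp" && /dpt:113([^0-9]|$)/ { print $3 }' \
        | sort -u | tr '\n' ' ')
    targets=${targets% }
    echo "${targets:-no-rule}"
}

# compare_auth V4_LISTING V6_LISTING: print a one-line summary and return
# non-zero when the two address families treat auth differently.
compare_auth() {
    v4=$(printf '%s\n' "$1" | auth_targets)
    v6=$(printf '%s\n' "$2" | auth_targets)
    echo "ipv4=$v4 ipv6=$v6"
    [ "$v4" = "$v6" ]
}

# Constructed sample input, modelled on the output quoted in the thread.
# With DROP_DEFAULT=Drop the IPv4 listing had no rule for port 113.
SAMPLE_V4_DROP=''
SAMPLE_V4_REJECT='0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 /* Auth */'
SAMPLE_V6='0 0 reject tcp * * ::/0 ::/0 tcp dpt:113 /* Auth */
0 0 reject tcp * * ::/0 ::/0 tcp dpt:113 /* Auth */'

# Demo on the constructed samples. On a live firewall, pass
# "$(shorewall show)" and "$(shorewall6 show)" instead.
compare_auth "$SAMPLE_V4_DROP" "$SAMPLE_V6" \
    || echo "auth handling differs between IPv4 and IPv6"
compare_auth "$SAMPLE_V4_REJECT" "$SAMPLE_V6" \
    || echo "auth handling differs between IPv4 and IPv6"
```

A result of `no-rule` means no explicit rule for port 113 was listed, which is the case the thread describes as Shorewall dropping auth packets.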
