On 03/20/2018 05:28 AM, Matt Darfeuille wrote:
> Hi Tom,
> 
> On 3/19/2018 5:39 PM, Tom Eastep wrote:
>> Hi Matt,
>>
>> - This patch only works for IPv4
>> - 'lo' will never be P-T-P
>>
> 
> I have locally committed a revised version of that patch.
> 
> Before going even further, I just want to be sure I understand correctly:
> 
> I have multiple network interfaces on my shorewall box:
> 
> enp1s0   dhcp interface   net zone
> enp2.210   172.17.210.254   wired zone
> enp2s0.212   172.17.212.254   test zone
> 
> I use "ACCEPT wired $FW:&enp2s0.210 ..." to ensure that traffic will
> only be accepted to the first address of the wired interface in the
> firewall zone.
> 
>> Is there really a use case for &lo?
>>
> 
> Along with fixing the error the only use case I can think of is:
> 
> /etc/shorewall/zones:
> 
> local loopback
> 
> /etc/shorewall/interfaces:
> 
> local lo
> 
> /etc/shorewall/rules:
> 
> ACCEPT local $FW:&lo
> 

If you reject everything else, you will have a problem. The destination
IP address can be *any* IP address that is local to the system (as can
be the source IP).

> 
> The Shorewall version in the header of some files is still at 5.1 or
> lower ('# Shorewall 5.1 -- ..').
> I was planning to update those unless it's already done or can you push
> your master branch?
> 

I have not changed those, but I have fixed the &lo bug by making it
always expand to 127.0.0.1 for IPv4 and ::1 for IPv6.

I've pushed my master branch to SF.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
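
The point about loopback destinations, as an added example that is not part of the original message or of Shorewall's code: it lists which of a host's own addresses a rule limited to `&lo` (expanded to 127.0.0.1 / ::1 as described above) would not match. The `ip -o addr show` text is constructed, the enp1s0 address 192.0.2.10 is an assumed placeholder for the DHCP lease, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of `ip -o addr show` output for the firewall described in
# the thread (192.0.2.10 is an assumed placeholder for the enp1s0 DHCP lease).
IP_ADDR_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
1: lo    inet6 ::1/128 scope host \\       valid_lft forever preferred_lft forever
2: enp1s0    inet 192.0.2.10/24 brd 192.0.2.255 scope global dynamic enp1s0\\       valid_lft 600sec preferred_lft 600sec
3: enp2s0.210    inet 172.17.210.254/24 brd 172.17.210.255 scope global enp2s0.210\\       valid_lft forever preferred_lft forever
4: enp2s0.212    inet 172.17.212.254/24 brd 172.17.212.255 scope global enp2s0.212\\       valid_lft forever preferred_lft forever
"""

# Matches "<index>: <ifname> inet|inet6 <address>/<prefix>" at the start of a line.
ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+(inet6?)\s+([0-9A-Fa-f:.]+)/\d+", re.M)

# What &lo expands to after the fix described in the message.
LO_EXPANSION = {4: ipaddress.ip_address("127.0.0.1"),
                6: ipaddress.ip_address("::1")}


def local_addresses(ip_output):
    """Return (ifname, address) for every address in `ip -o addr show` text."""
    return [(m.group(1), ipaddress.ip_address(m.group(3)))
            for m in ADDR_RE.finditer(ip_output)]


def unmatched_loopback_destinations(ip_output):
    """Local addresses that `ACCEPT local $FW:&lo` would NOT match.

    Traffic the host sends to any of its own addresses is delivered over lo,
    so each of these can appear as a destination on that interface. (On Linux
    the rest of 127.0.0.0/8 is local as well, even though it is not listed.)
    """
    return [(ifname, addr) for ifname, addr in local_addresses(ip_output)
            if addr != LO_EXPANSION[addr.version]]


if __name__ == "__main__":
    for ifname, addr in unmatched_loopback_destinations(IP_ADDR_OUTPUT):
        print(f"{addr} (configured on {ifname}) is not covered by &lo")
```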