On Wed, 2008-07-02 at 07:05 -0700, Tom Eastep wrote:
>
> The issue is not trying to figure out what the user wants but rather
> what should happen. We can't leave the user's default route(s) in the
> main table; about all we can do is to try to move it (them) to the
> default table, I guess.

If they choose to use the ROUTING_NG option, yes. I'd posit that selecting ROUTING_NG and finding default routes in the main table is in fact a configuration error! ROUTING_NG requires that default route plumbing by interface configuration tools be disabled, yes?

None of that covers the case where the default routes appear in the main table after shorewall has done its business of course.

> We generally *require* the user to explicitly enable new functionality
> (no gain, no pain).

Indeed.

> One thing that bothers me about this whole thing is that it trades one
> sharp edge for another. In the current scheme, applications that add
> non-default routes to the main table are a problem; although it is the
> application itself that doesn't work, not the router as a whole.

True.

> In the
> ROUTING_NG configuration, having a default route unexpectedly added to
> the main table is a disaster; it can isolate the firewall/router
> entirely.

Well, it wouldn't isolate it off of any local networks, but yes, it could certainly foul up the provider routing that's supposed to happen.

> I'm not sure that I want to give users that much rope to hang
> themselves.

Even with a shorewall.conf option and a blurb about disabling default route plumbing in their interface configuration mechanism, and a check for "default" in the main table (yielding a complete failure to install the configuration) at rule installation time?

Heh. It's almost like one needs to be able to apply filters to routing tables, preventing matching routes from being entered into them. Or a routing management interface such as we have discussed here before.

b.
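The check for "default" in the main table proposed in the message above could look like the following; this is an added example, not Shorewall code and not part of the original thread. The function names and the sample tables are hypothetical, and the input is assumed to be text in the format printed by `ip -4 route show table main`.

```shell
#!/bin/sh
# Added example: fail closed when the main routing table holds a default route.
# Function names are hypothetical; they are not part of Shorewall.

# Print every default-route entry found on stdin, one per line.
find_default_routes() {
    awk '
        # Plain form: "default via 192.0.2.1 dev eth0", or a multipath "default" header
        $1 == "default" { print; next }
        # Typed routes that also end the lookup in this table
        ($1 == "unreachable" || $1 == "blackhole" || $1 == "prohibit") && $2 == "default" { print; next }
        # Numeric spelling, in case the table text comes from another tool
        $1 == "0.0.0.0/0" { print }
    '
}

# Return 0 when the table text on stdin is clean, 1 when it is not.
check_main_table() {
    found=$(find_default_routes)
    if [ -n "$found" ]; then
        printf 'ERROR: default route(s) in main table:\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Constructed sample tables (documentation addresses, not captured output).
CLEAN_TABLE='192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
198.51.100.0/24 dev eth1 proto kernel scope link src 198.51.100.10'

DIRTY_TABLE="$CLEAN_TABLE
default via 192.0.2.1 dev eth0 metric 100"

# Live use at rule installation time (needs iproute2):
#   ip -4 route show table main | check_main_table || exit 1
```

Running the same function periodically after installation would also catch the case raised in the message, where a default route appears in the main table later.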