On 07/04/2017 02:03 AM, Vieri Di Paola via Shorewall-users wrote:
> From: Tom Eastep <[email protected]>
>>
>>> Checking /etc/shorewall/providers... ERROR: Providers interfaces may
>>> not specify 'routefilter' when USE_DEFAULT_RT=Yes
>>
>> That error is expected as 'routefilter' causes Martians when
>> USE_DEFAULT_RT=Yes. Use 'rpfilter' instead.
>
> OK, so I guess "shorewall start" should also throw that error and abort. If
> not, continue, but warn about it.
>
> In "interfaces" I'm now using options such as:
>
> net4 enp7s0f0 optional,tcpflags,nosmurfs,logmartians,proxyarp=0,arp_ignore=1,sourceroute=0,rpfilter
>
> However, if I restart shorewall and dump afterwards I get this result:
>
> # grep /rp_filter swdump
> /proc/sys/net/ipv4/conf/all/rp_filter = 0
> /proc/sys/net/ipv4/conf/default/rp_filter = 0
> /proc/sys/net/ipv4/conf/enp10s0/rp_filter = 0
> /proc/sys/net/ipv4/conf/enp5s0/rp_filter = 0
> /proc/sys/net/ipv4/conf/enp6s0/rp_filter = 0
> /proc/sys/net/ipv4/conf/enp7s0f0/rp_filter = 0
> /proc/sys/net/ipv4/conf/enp7s0f1/rp_filter = 0
> /proc/sys/net/ipv4/conf/enp7s0f2/rp_filter = 0
> /proc/sys/net/ipv4/conf/enp7s0f3/rp_filter = 0
> /proc/sys/net/ipv4/conf/enp8s5/rp_filter = 0
> /proc/sys/net/ipv4/conf/lo/rp_filter = 0
>
> # shorewall show capabilities | grep RPFilter
> RPFilter Match (RPFILTER_MATCH): Available
>
> # shorewall version
> 5.1.4.4
>
> Why isn't /proc/sys/net/ipv4/conf/enp7s0f0/rp_filter = 1?
>
> Am I required to set this with sysctl?
>
> Also, I'm currently checking and enabling /proc/sys/net/ipv4/ip_forward via
> sysctl. Is there a reason why shorewall doesn't enable it directly when
> required?
> If shorewall can't do that directly then maybe "shorewall check" could check
> the value of ip_forward, and warn the user to enable it if required.
You don't want to set the /proc rp_filter flag!!! The 'rpfilter' option uses a netfilter feature to perform reverse path filtering.

-Tom

--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \    understand
                          \_______________________________________________
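A check for the situation Tom describes, added here as an example and not taken from the thread or from Shorewall itself: it reads the rp_filter lines from a `shorewall dump` and an `iptables-save` listing and reports, per interface, whether reverse path filtering is enforced by the kernel sysctl, by a netfilter `-m rpfilter` rule, or not at all. The sample inputs are constructed, and the rule syntax assumed is the generic xt_rpfilter match rather than the exact chains Shorewall generates.

```shell
# Added example (not from the thread or Shorewall). Inputs assumed:
#   $1  "/proc/sys/net/ipv4/conf/<if>/rp_filter = <n>" lines (shorewall dump)
#   $2  iptables-save style rules; "-m rpfilter" with "-i <if>" covers that
#       interface, "-m rpfilter" without -i covers every interface
audit_rpf() {
  printf '%s\n' "$1" | awk -v rules="$2" '
    BEGIN {
      n = split(rules, r, "\n")
      for (i = 1; i <= n; i++) {
        if (r[i] !~ /-m rpfilter/) continue
        if (match(r[i], /-i [^ ]+/))
          nf[substr(r[i], RSTART + 3, RLENGTH - 3)] = 1
        else
          nf_all = 1
      }
    }
    /\/rp_filter = / { split($1, p, "/"); v[p[7]] = $3 + 0; order[++c] = p[7] }
    END {
      for (k = 1; k <= c; k++) {
        ifc = order[k]
        if (ifc == "all" || ifc == "default") continue
        # the kernel applies max(conf/all, conf/<if>) as the effective value
        if (v[ifc] > 0 || v["all"] > 0)  mech = "sysctl"
        else if (nf_all || (ifc in nf))  mech = "netfilter"
        else                             mech = "none"
        printf "%s %s\n", ifc, mech
      }
    }'
}

# Constructed sample input, not output from the poster's host
SYSCTL_SAMPLE='/proc/sys/net/ipv4/conf/all/rp_filter = 0
/proc/sys/net/ipv4/conf/enp7s0f0/rp_filter = 0
/proc/sys/net/ipv4/conf/enp5s0/rp_filter = 1
/proc/sys/net/ipv4/conf/lo/rp_filter = 0'
RULES_SAMPLE='*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i enp7s0f0 -m rpfilter --invert -j DROP
COMMIT'

audit_rpf "$SYSCTL_SAMPLE" "$RULES_SAMPLE"
# prints: "enp7s0f0 netfilter", "enp5s0 sysctl", "lo none"
```

On a live host, pass it `grep /rp_filter` of a `shorewall dump` and the output of `iptables-save`; an interface reported as `none` has no reverse path check from either mechanism.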
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
