On 09/17/2010 08:22 PM, Tom Eastep wrote:
> On 9/17/10 4:31 PM, Tom Eastep wrote:
>
>> COM_IF_fwd is similar.
>>
>> I'm not sure whether or not I'll be able to do anything about this in
>> the short term.
>
> This is a natural consequence of making blacklisting a zone-related
> attribute rather than an interface-related attribute. Interface-oriented
> filtering comes first; so if more than one zone shares an
> Internet-facing interface then interface-related filtering can occur
> prior to zone-related filtering.
I have added logic to promote jumps to 'blacklst' ahead of interface-specific
filtering rules. See the attached output.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Shorewall 4.4.13-Beta6 Chains COM_IF_in COM_IF_fwd at gateway - Sat Sep 18 08:56:06 PDT 2010

Counters reset Sat Sep 18 08:29:27 PDT 2010

Chain COM_IF_in (1 references)
 pkts bytes target   prot opt in  out  source        destination
  614 41412 blacklst all  --  *   *    0.0.0.0/0     0.0.0.0/0         state INVALID,NEW,UNTRACKED
  608 40808 smurfs   all  --  *   *    0.0.0.0/0     0.0.0.0/0         state INVALID,NEW,UNTRACKED
    0     0 ACCEPT   udp  --  *   *    0.0.0.0/0     0.0.0.0/0         udp dpts:67:68
    0     0 smc-dmz  all  --  *   *    10.1.10.0/24  70.90.191.124/31
    0     0 smc-fw   all  --  *   *    10.1.10.0/24  0.0.0.0/0
  573 38762 net-dmz  all  --  *   *    0.0.0.0/0     70.90.191.124/31
   55  2998 net-fw   all  --  *   *    0.0.0.0/0     0.0.0.0/0

Chain COM_IF_fwd (1 references)
 pkts bytes target   prot opt in  out  source        destination
    0     0 blacklst all  --  *   *    0.0.0.0/0     0.0.0.0/0         state INVALID,NEW,UNTRACKED
    0     0 smurfs   all  --  *   *    0.0.0.0/0     0.0.0.0/0         state INVALID,NEW,UNTRACKED
    0     0 ACCEPT   all  --  *   eth4 10.1.10.0/24  0.0.0.0/0
    0     0 net-loc  all  --  *   eth4 0.0.0.0/0     0.0.0.0/0
    0     0 DROP     tcp  --  *   eth1 0.0.0.0/0     10.1.10.0/24      tcp flags:!0x17/0x02
    0     0 net-all  all  --  *   tun+ 0.0.0.0/0     0.0.0.0/0
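The point of the change above is rule order: in an interface chain, the jump to 'blacklst' must come before any interface-specific or zone-to-zone jump (net-fw, net-dmz, smc-dmz, ...), otherwise a blacklisted source can be accepted by an earlier rule. The script below is an added example, not Shorewall's own code, that checks this ordering from a chain dump in the `iptables -L -v -n` / `shorewall show` format. The DUMP text is constructed here: COM_IF_in is taken from the output above, and OLD_IF_in is a made-up chain with the old, wrong ordering. On a real gateway replace DUMP with the output of `iptables -L -v -n`. The zone-chain pattern (two lowercase names joined by a dash) is an assumption about Shorewall's chain naming.

```shell
#!/bin/sh
# Added example (not Shorewall code): verify that in each interface chain the
# jump to 'blacklst' precedes the first zone-to-zone jump.
# Constructed chain dump in `iptables -L <chain> -v -n` format.
DUMP='Chain COM_IF_in (1 references)
 pkts bytes target prot opt in out source destination
  614 41412 blacklst all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW,UNTRACKED
  608 40808 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW,UNTRACKED
    0     0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
    0     0 smc-dmz all -- * * 10.1.10.0/24 70.90.191.124/31
   55  2998 net-fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OLD_IF_in (1 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
   55  2998 net-fw all -- * * 0.0.0.0/0 0.0.0.0/0
  614 41412 blacklst all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW,UNTRACKED
'

# rule_pos CHAIN PATTERN: print the 1-based position of the first rule in
# CHAIN whose target matches the extended regex PATTERN; print 0 if none.
rule_pos() {
  printf '%s\n' "$DUMP" | awk -v chain="$1" -v pat="$2" '
    $1 == "Chain"          { inchain = ($2 == chain); next }
    inchain && $1 == "pkts" { next }                 # skip column header
    inchain && NF > 0      { n++; if ($3 ~ pat) { print n; found = 1; exit } }
    END                    { if (!found) print 0 }
  '
}

# blacklst_first CHAIN: succeed (status 0) when the blacklst jump exists and
# comes before the first zone-to-zone jump (target like zoneA-zoneB, which is
# an assumption about Shorewall chain naming); fail (status 1) otherwise.
blacklst_first() {
  bl=$(rule_pos "$1" '^blacklst$')
  zone=$(rule_pos "$1" '^[a-z0-9]+-[a-z0-9]+$')
  [ "$bl" -gt 0 ] && { [ "$zone" -eq 0 ] || [ "$bl" -lt "$zone" ]; }
}

# Report on every chain present in the dump.
for chain in $(printf '%s\n' "$DUMP" | awk '$1 == "Chain" { print $2 }'); do
  if blacklst_first "$chain"; then
    echo "$chain: blacklst precedes zone-to-zone rules"
  else
    echo "$chain: WARNING blacklst is missing or comes after a zone-to-zone jump"
  fi
done
```

The check only looks at the chain being inspected, so run it against every interface chain that is shared by more than one zone (COM_IF_in and COM_IF_fwd in the output above), since that is exactly the case where interface-related filtering could otherwise run ahead of the blacklist.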
