On 09/18/2010 08:58 AM, Tom Eastep wrote:
> On 09/17/2010 08:22 PM, Tom Eastep wrote:
>> On 9/17/10 4:31 PM, Tom Eastep wrote:
>>
>>>
>>> COM_IF_fwd is similar.
>>>
>>> I'm not sure whether or not I'll be able to do anything about this in
>>> the short term.
>>>
>>
>> This is a natural consequence of making blacklisting a zone-related
>> attribute rather than an interface-related attribute. Interface-oriented
>> filtering comes first; so if more than one zone shares an
>> Internet-facing interface then interface-related filtering can occur
>> prior to zone-related filtering.
>
> I have added logic to promote jumps to 'blacklst' ahead of
> interface-specific filtering rules. See the attached output.

For those of you who may be curious about COM_IF_in, the 'dmz' zone is a
*vserver* zone with vservers 172.20.1.124 and 172.20.1.125.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
