Tom Eastep wrote:
> Tuomo Soini wrote:
>> Tom Eastep wrote:
>>
>>> Anyone have something on their wish list that we might want to add to 4.4?
>> I'd like to suggest the possibility to limit the meaning of an interface in the
>> interfaces file so you could limit an interface to a certain network only.
>> And another thing: when an interface is configured to some address this way,
>> this same source address would be disabled on other interfaces by
>> default, so that ingress and egress filtering would be done properly by
>> netfilter.
>>
>> I know this kind of configuration is not optimal for a one-machine-only
>> firewall configuration, but it's very good for real firewall setups.
>>
>> Another way to get this is to change the documentation for the two-interface and
>> three-interface guides to prefer hosts over interfaces. But I'd really
>> like to see this done in a more secure way, one way or another.
>>
>
> Doesn't simply setting the 'routefilter' option on the internal
> interfaces do this for you? We can certainly change the two- and
> three-interface samples to do that.
>
> Currently, they set 'routefilter' on the 'net' interface, which is silly
> since that interface will have the default route.
Shorewall 4.3.5 and 4.3.6 have a nets=(...) option that does what Tuomo
suggested above.

-Tom
--
Tom Eastep              \ When I die, I want to go like my Grandfather who
Shoreline,               \ died peacefully in his sleep. Not screaming like
Washington, USA           \ all of the passengers in his car
http://shorewall.net       \________________________________________________
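To make the two options discussed in this thread concrete, here is an added illustration (not from this thread and not one of Shorewall's own sample configurations) of a two-interface firewall's interfaces file, first with 'routefilter' only on the external interface, then with 'routefilter' moved to the internal interface and 'nets=(...)' pinning the 'loc' zone to its own address range. The interface names eth0/eth1, the 192.168.1.0/24 range and the four-column ZONE/INTERFACE/BROADCAST/OPTIONS layout are assumptions for the example; check them against the interfaces(5) man page of the Shorewall version actually deployed.

```text
# --- Before: reverse-path filtering only on the interface holding the default route ---
# As noted above, rp_filter on 'net' adds little, because almost every source
# address is reachable via the default route anyway.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,tcpflags,nosmurfs,routefilter
loc     eth1        detect      tcpflags,nosmurfs

# --- After: internal zone limited to its network, reverse-path check on the inside ---
# nets=(...) restricts the 'loc' zone to 192.168.1.0/24, so a packet arriving on
# eth1 from any other source is not treated as 'loc' traffic (ingress check).
# routefilter on eth1 turns on the kernel's rp_filter for that interface, which
# drops packets whose source would be routed back out a different interface.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,tcpflags,nosmurfs
loc     eth1        detect      tcpflags,nosmurfs,routefilter,nets=(192.168.1.0/24)
```

After reloading the configuration, the kernel side of the second variant can be confirmed with `cat /proc/sys/net/ipv4/conf/eth1/rp_filter`, which should read 1 on the internal interface; the zone restriction itself shows up as the source-address match Shorewall generates in the ruleset for the 'loc' chains.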
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
