On 8/23/10 4:53 PM, Steven Jan Springl wrote:
> On Tuesday 24 August 2010 00:33:51 Tom Eastep wrote:
>> On 8/23/10 4:18 PM, Tom Eastep wrote:
>>> On 8/23/10 4:08 PM, Steven Jan Springl wrote:
>>>> Tom
>>>>
>>>> The attached config contains just 2 rules.
>>>> The first rule correctly generates the following iptables rules:
>>>>
>>>> -A fw2dmz -p tcp -m tcp --dport 23 -j ACCEPT
>>>> -A lan2dmz -p tcp -m tcp --dport 23 -j ACCEPT
>>>>
>>>> However, the second rule generates the following iptables rules:
>>>>
>>>> -A dmz2dmz -p tcp -m tcp --dport 25 -j ACCEPT
>>>> -A dmz2dmz -j ACCEPT
>>>>
>>>> Is this correct?
>>>
>>> The second iptables rule is generated by the implicit dmz->dmz ACCEPT
>>> policy. However, your second rule should have generated no iptables
>>> rules since you specified 'all' rather than 'all+'.
>>>
>>> I'll take a look.
>>
>> Commit d74af30368026d4c6c0647bde93e6e35f019bd73 correctly suppresses
>> intra-zone rule generation when exclusion results in a single zone.
>>
> 
> Tom
> 
> Thank you.

Unfortunately, that change caused zone lists to lose their wildcard
properties. Fixed by 383e7928079d5a8f93d2f9c4ce85c042e39d7a94.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
