On 9/13/10 1:15 AM, Mr Dash Four wrote:
>
>> Shorewall has one source-match generator and one destination-match
>> generator that are used anytime an address match is needed; both accept
>> ipsets.
>>
> So Source/Destination works the same way no matter where it is
> specified? Makes perfect sense from a programmer's point of view and
> makes policy-writing consistent across the board.

Yes and Yes.

>
>> Don't know if you noticed but destination blacklisting should now work
>> the way you prefer. Just don't look for a jump in fw2net; blacklisting
>> occurs before that chain is entered.
>>
> I didn't notice this until your comment above and then read it in the
> release notes for beta4. That's very good and it was needed - I had to
> maintain 2 separate files, not to mention that I had to include all
> interfaces in the blacklisted ipsets. I take it this now works across
> all interfaces (no matter how many are on the host system) and in both
> directions, right?

No -- please read the documentation again. You need blacklist=1 on Internet-facing interfaces and blacklist=2 on the other interfaces for which you wish to enable destination blacklisting. But you only need to maintain one blacklist (/etc/shorewall/blacklist).

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
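The layout Tom describes, written out as an added illustration that is not part of this thread or of the Shorewall project's own files. The interface names (eth0, eth1), zone names (net, loc), the column layout and the ipset name `badhosts` are assumptions; the only parts taken from the thread are blacklist=1 on the Internet-facing interface, blacklist=2 on the interface where destination blacklisting is wanted, and the single /etc/shorewall/blacklist file.

```conf
# /etc/shorewall/interfaces (assumed layout)
# Internet-facing interface: inbound traffic is checked against the blacklist.
# Internal interface: blacklist=2 turns on destination blacklisting for it too.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      blacklist=1
loc     eth1        detect      blacklist=2

# /etc/shorewall/blacklist -- the one list maintained for every interface
# 'badhosts' is an assumed ipset name; the leading '+' marks an ipset reference,
# so the set itself need not enumerate interfaces at all.
#ADDRESS/SUBNET         PROTOCOL        PORT
+badhosts               -               -
```

Because the blacklist is applied before the fw2net chain is entered, a packet destined for a member of `badhosts` is dropped on any interface carrying blacklist=1 or blacklist=2 without per-interface copies of the list.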
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
