Tom Eastep wrote:
> On 5/11/13 6:11 PM, "Tom Eastep" <[email protected]> wrote:
>
>> On 5/11/13 5:51 PM, "Tom Eastep" <[email protected]> wrote:
>>
>>> On 5/11/13 4:25 PM, "Dash Four" <[email protected]> wrote:
>>>
>>>> What I have as part of my configuration on one of the servers is a local
>>>> zone defined for the loopback interface, which has 5 ip addresses
>>>> (127.0.0.1-127.0.0.5). I see that shorewall has generated local2*
>>>> sub-chains in my local_frwd chain, as well as *2local for all other
>>>> zones, but these will *never* match any traffic.
>>>>
>>>> Is there a way this could be optimised away, perhaps with using a new
>>>> option for the interface ('local' maybe), indicating that this zone is
>>>> local and instruct shorewall not to attempt to generate all these
>>>> non-sensical sub-chains?
>>>>
>>> You can make them 'server' zones.
>>>
>> 'vserver' -- those are sub-zones of $FW
>>
>
> Or, you can use NONE policies to suppress the chains that make no sense.
>
How do I make a 'server' zone then?
As for 'vserver', the man page tells me that "The zone contents must be defined in 'hosts'".

Using NONE in "policy" isn't any good either, because "NONE may not be used if the SOURCE or DEST columns contain the firewall zone ($FW) or 'all'". So, according to this, my intention to use something like "local all NONE" and "all local NONE" isn't possible. Defining a NONE policy for every conceivable combination of local2* and *2local simply isn't practical.

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
