On 05/11/2013 06:38 PM, Dash Four wrote:
> 
> Tom Eastep wrote:
>> On 5/11/13 6:11 PM, "Tom Eastep" <[email protected]> wrote:
>>
>>   
>>> On 5/11/13 5:51 PM, "Tom Eastep" <[email protected]> wrote:
>>>
>>>     
>>>> On 5/11/13 4:25 PM, "Dash Four" <[email protected]> wrote:
>>>>
>>>>       
>>>>> What I have as part of my configuration on one of the servers is a local
>>>>> zone defined for the loopback interface, which has 5 ip addresses
>>>>> (127.0.0.1-127.0.0.5). I see that shorewall has generated local2*
>>>>> sub-chains in my local_frwd chain, as well as *2local for all other
>>>>> zones, but these will *never* match any traffic.
>>>>>
>>>>> Is there a way this could be optimised away, perhaps with using a new
>>>>> option for the interface ('local' maybe), indicating that this zone is
>>>>> local and instruct shorewall not to attempt to generate all these
>>>>> non-sensical sub-chains?
>>>>>         
>>>> You can make them 'server' zones.
>>>>       
>>> 'vserver' -- those are sub-zones of $FW
>>>     
>>
>> Or, you can use NONE policies to suppress the chains that make no sense.
>>   
> How do I make a 'server' zone then?
> 
> As for 'vserver', the man page tells me that "The zone contents must be 
> defined in 'hosts'".
> 
> Using NONE in "policy" isn't any good either, because "NONE may not be 
> used if the SOURCE or DEST columns contain the firewall zone ($FW) or 
> 'all'". So, according to this, my intention to use something like "local 
> all NONE" and "all local NONE" isn't possible. Defining a NONE policy 
> for every conceivable combination of local2* and *2local simply isn't 
> practical.


Another option then is to define 'local' using the hosts file and
specify the 'destonly' option.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
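The hosts-file approach suggested in this reply, written out as a constructed example (not configuration from the thread or from the Shorewall project). It assumes the zone name `local`, the interface `lo`, the five loopback addresses mentioned earlier in the thread, and the default file locations `/etc/shorewall/zones` and `/etc/shorewall/hosts`:

```text
# /etc/shorewall/zones  (constructed example)
# The 'local' zone is declared as a vserver zone, i.e. a sub-zone of $FW,
# so its contents are taken from the hosts file rather than from interfaces.
#ZONE   TYPE       OPTIONS
fw      firewall
net     ipv4
local   vserver

# /etc/shorewall/hosts  (constructed example)
# The five loopback addresses from the thread are listed explicitly.
# 'destonly' asks Shorewall to treat 'local' only as a destination, so the
# local2* chains that could never match traffic are not generated.
#ZONE   HOST(S)                                                OPTIONS
local   lo:127.0.0.1,127.0.0.2,127.0.0.3,127.0.0.4,127.0.0.5   destonly
```

Run `shorewall check` after the change; whether `lo` is accepted in the HOST(S) column depends on the Shorewall version in use, which the thread does not state.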


_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
