On 05/12/2013 07:14 AM, Tom Eastep wrote:
> On 05/11/2013 06:38 PM, Dash Four wrote:
>>
>> Tom Eastep wrote:
>>> On 5/11/13 6:11 PM, "Tom Eastep" <[email protected]> wrote:
>>>
>>>> On 5/11/13 5:51 PM, "Tom Eastep" <[email protected]> wrote:
>>>>
>>>>> On 5/11/13 4:25 PM, "Dash Four" <[email protected]> wrote:
>>>>>
>>>>>> What I have as part of my configuration on one of the servers is a local
>>>>>> zone defined for the loopback interface, which has 5 ip addresses
>>>>>> (127.0.0.1-127.0.0.5). I see that shorewall has generated local2*
>>>>>> sub-chains in my local_frwd chain, as well as *2local for all other
>>>>>> zones, but these will *never* match any traffic.
>>>>>>
>>>>>> Is there a way this could be optimised away, perhaps with using a new
>>>>>> option for the interface ('local' maybe), indicating that this zone is
>>>>>> local and instruct shorewall not to attempt to generate all these
>>>>>> non-sensical sub-chains?
>>>>>>
>>>>> You can make them 'server' zones.
>>>>>
>>>> 'vserver' -- those are sub-zones of $FW
>>>>
>>>
>>> Or, you can use NONE policies to suppress the chains that make no sense.
>>>
>> How do I make a 'server' zone then?
>>
>> As for 'vserver', the man page tells me that "The zone contents must be 
>> defined in 'hosts'".
>>
>> Using NONE in "policy" isn't any good either, because "NONE may not be 
>> used if the SOURCE or DEST columns contain the firewall zone ($FW) or 
>> 'all'". So, according to this, my intention to use something like "local 
>> all NONE" and "all local NONE" isn't possible. Defining a NONE policy 
>> for every conceivable combination of local2* and *2local simply isn't 
>> practical.
>
> Another option then is to define 'local' using the hosts file and
> specify the 'destonly' option.

Please disregard -- just tried that and it doesn't work.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel