On 05/12/2013 07:33 AM, Tom Eastep wrote:
> On 05/12/2013 07:14 AM, Tom Eastep wrote:
>> On 05/11/2013 06:38 PM, Dash Four wrote:
>>>
>>> Tom Eastep wrote:
>>>> On 5/11/13 6:11 PM, "Tom Eastep" <[email protected]> wrote:
>>>>
>>>>> On 5/11/13 5:51 PM, "Tom Eastep" <[email protected]> wrote:
>>>>>
>>>>>> On 5/11/13 4:25 PM, "Dash Four" <[email protected]> wrote:
>>>>>>
>>>>>>> What I have as part of my configuration on one of the servers is a local
>>>>>>> zone defined for the loopback interface, which has 5 ip addresses
>>>>>>> (127.0.0.1-127.0.0.5). I see that shorewall has generated local2*
>>>>>>> sub-chains in my local_frwd chain, as well as *2local for all other
>>>>>>> zones, but these will *never* match any traffic.
>>>>>>>
>>>>>>> Is there a way this could be optimised away, perhaps with using a new
>>>>>>> option for the interface ('local' maybe), indicating that this zone is
>>>>>>> local and instruct shorewall not to attempt to generate all these
>>>>>>> non-sensical sub-chains?
>>>>>>>
>>>>>> You can make them 'server' zones.
>>>>>>
>>>>> 'vserver' -- those are sub-zones of $FW
>>>>>
>>>> Or, you can use NONE policies to suppress the chains that make no sense.
>>>>
>>> How do I make a 'server' zone then?
>>>
>>> As for 'vserver', the man page tells me that "The zone contents must be
>>> defined in 'hosts'".
>>>
>>> Using NONE in "policy" isn't any good either, because "NONE may not be
>>> used if the SOURCE or DEST columns contain the firewall zone ($FW) or
>>> 'all'". So, according to this, my intention to use something like "local
>>> all NONE" and "all local NONE" isn't possible. Defining a NONE policy
>>> for every conceivable combination of local2* and *2local simply isn't
>>> practical.
>>
>> Another option then is to define 'local' using the hosts file and
>> specify the 'destonly' option.
>
> Please disregard -- just tried that and it doesn't work.
>
It does work in the sense that there aren't rules that never match. It
fails in that there are a lot of unreferenced extra chains created. I'll
see what I can do about that (and I'll add the destonly option to the
interfaces file while I'm at it).

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
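The "unreferenced extra chains" Tom mentions are easy to spot from the ruleset itself: `iptables -L -n` prints a `Chain NAME (N references)` header for every user-defined chain, and a count of 0 means nothing jumps to it. The helper below is an added example, not code from the thread or from the Shorewall project; the chain names in its constructed sample (`local_frwd`, `local2net`, `net2local`, `net2fw`) follow the `local2*` / `*2local` naming the thread describes, and the `net` zone is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or Shorewall): list user-defined chains
# that no rule references, by parsing the "(N references)" headers that
# `iptables -L -n` prints for every non-builtin chain. Builtin chains show
# "(policy ...)" instead and are therefore skipped automatically.
# Live usage: iptables -L -n | unreferenced_chains
unreferenced_chains() {
    awk '/^Chain [^ ]+ \(0 references\)/ { print $2 }'
}

# Constructed stand-in for `iptables -L -n` output; zone name "net" is assumed.
SAMPLE_LISTING='Chain INPUT (policy DROP)
target     prot opt source               destination
Chain local_frwd (1 references)
target     prot opt source               destination
Chain local2net (0 references)
target     prot opt source               destination
Chain net2local (0 references)
target     prot opt source               destination
Chain net2fw (1 references)
target     prot opt source               destination'

# Space-separated list of unreferenced chains found in the sample.
sample_unreferenced() {
    printf '%s\n' "$SAMPLE_LISTING" | unreferenced_chains | tr '\n' ' '
}

# Number of unreferenced chains in the sample.
count_unreferenced() {
    printf '%s\n' "$SAMPLE_LISTING" | unreferenced_chains | wc -l | tr -d ' '
}

sample_unreferenced
```

Run against a live ruleset, the function gives a quick before/after check for a change like the `destonly` one Tom describes: the never-matching rules disappear, but the leftover chains still show up here with zero references until Shorewall stops generating them.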
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
