Tom Eastep wrote:
> On 05/12/2013 07:33 AM, Tom Eastep wrote:
>> On 05/12/2013 07:14 AM, Tom Eastep wrote:
>>> On 05/11/2013 06:38 PM, Dash Four wrote:
>>>> Tom Eastep wrote:
>>>>> On 5/11/13 6:11 PM, "Tom Eastep" <[email protected]> wrote:
>>>>>> On 5/11/13 5:51 PM, "Tom Eastep" <[email protected]> wrote:
>>>>>>> On 5/11/13 4:25 PM, "Dash Four" <[email protected]> wrote:
>>>>>>>> What I have as part of my configuration on one of the servers is a local
>>>>>>>> zone defined for the loopback interface, which has 5 IP addresses
>>>>>>>> (127.0.0.1-127.0.0.5). I see that shorewall has generated local2*
>>>>>>>> sub-chains in my local_frwd chain, as well as *2local for all other
>>>>>>>> zones, but these will *never* match any traffic.
>>>>>>>>
>>>>>>>> Is there a way this could be optimised away, perhaps by using a new
>>>>>>>> option for the interface ('local' maybe), indicating that this zone is
>>>>>>>> local and instructing shorewall not to attempt to generate all these
>>>>>>>> nonsensical sub-chains?
>>>>>>>
>>>>>>> You can make them 'server' zones.
>>>>>>
>>>>>> 'vserver' -- those are sub-zones of $FW
>>>>>
>>>>> Or, you can use NONE policies to suppress the chains that make no sense.
>>>>
>>>> How do I make a 'server' zone then?
>>>>
>>>> As for 'vserver', the man page tells me that "The zone contents must be
>>>> defined in 'hosts'".
>>>>
>>>> Using NONE in "policy" isn't any good either, because "NONE may not be
>>>> used if the SOURCE or DEST columns contain the firewall zone ($FW) or
>>>> 'all'". So, according to this, my intention to use something like "local
>>>> all NONE" and "all local NONE" isn't possible. Defining a NONE policy
>>>> for every conceivable combination of local2* and *2local simply isn't
>>>> practical.
>>>
>>> Another option then is to define 'local' using the hosts file and
>>> specify the 'destonly' option.
>>
>> Please disregard -- just tried that and it doesn't work.
>
> It does work in the sense that there aren't rules that never match. It
> fails in that there are a lot of unreferenced extra chains created. I'll
> see what I can do about that (and I'll add the destonly option to the
> interfaces file while I'm at it).

As I suggested earlier, the easiest way to implement this is to add an option to the interface (or zone?) definition which asks shorewall not to involve this interface (or zone) in any inter-chain rules (i.e. keep it local-only). That way all I have to do is add this option and forget messing about with "hosts" and stuff like that.

The 'local' interface/zone can't possibly have any matching rules from/to other interfaces/zones, so to me it makes perfect sense to use that option. Is this doable?

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
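The thread distinguishes two outcomes of the generated ruleset: chains that exist but can never match traffic, and chains that are created but never referenced by any jump. Both can be checked from an `iptables-save` dump before and after trying a zone/hosts change. The script below is an added example written for this page, not Shorewall code or anything posted in the thread; it parses the standard `iptables-save` format, and the dump it runs on is constructed here using the chain names from the discussion (`local_frwd`, `local2*`, `*2local`).

```python
"""Audit an iptables-save dump for user-defined chains that no rule jumps to
(unreachable) and for chains that hold no rules at all (empty).

Added example for this thread; the rule dump below is constructed, not a
capture from a real Shorewall host."""
import re
from collections import defaultdict

# Constructed iptables-save fragment modelled on the chains discussed above.
# net2local is declared but nothing jumps to it; local2loc is referenced
# from local_frwd but contains no rules.
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:local_frwd - [0:0]
:local2net - [0:0]
:local2loc - [0:0]
:net2local - [0:0]
:loc2net - [0:0]
-A FORWARD -i lo -j local_frwd
-A FORWARD -i eth1 -o eth0 -j loc2net
-A local_frwd -o eth0 -j local2net
-A local_frwd -o eth1 -j local2loc
-A local2net -j ACCEPT
-A loc2net -p tcp --dport 80 -j ACCEPT
COMMIT
"""

# ":NAME POLICY [pkts:bytes]" -- built-in chains carry a policy, user chains "-"
CHAIN_DECL = re.compile(r"^:(\S+)\s+(\S+)")
# jump (-j) or goto (-g) target of an -A rule
TARGET = re.compile(r"\s-(?:j|g)\s+(\S+)")


def parse_dump(text):
    """Return {table: {"builtin": set, "rules": {chain: count}, "refs": {target: count}}}."""
    tables = {}
    table = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):            # start of a table block
            table = line[1:]
            tables[table] = {"builtin": set(),
                             "rules": defaultdict(int),
                             "refs": defaultdict(int)}
            continue
        if line == "COMMIT":                # end of the table block
            table = None
            continue
        if table is None:
            raise ValueError(f"rule outside a table block: {line}")
        t = tables[table]
        m = CHAIN_DECL.match(line)
        if m:
            name, policy = m.groups()
            if policy == "-":
                t["rules"].setdefault(name, 0)   # user chain; may stay empty
            else:
                t["builtin"].add(name)
            continue
        if line.startswith("-A "):
            chain = line.split()[1]
            t["rules"][chain] += 1
            m = TARGET.search(line)
            if m:
                t["refs"][m.group(1)] += 1
    return tables


def unreferenced_chains(text):
    """User-defined chains no rule jumps to: traffic can never reach them."""
    out = []
    for table, t in parse_dump(text).items():
        for chain in list(t["rules"]):
            if chain not in t["builtin"] and t["refs"][chain] == 0:
                out.append((table, chain))
    return sorted(out)


def empty_chains(text):
    """User-defined chains declared but holding no rules (reachable or not)."""
    out = []
    for table, t in parse_dump(text).items():
        for chain, n in t["rules"].items():
            if chain not in t["builtin"] and n == 0:
                out.append((table, chain))
    return sorted(out)


if __name__ == "__main__":
    print("unreferenced:", unreferenced_chains(SAMPLE_DUMP))
    print("empty:", empty_chains(SAMPLE_DUMP))
```

On a live host, feed it the output of `iptables-save` instead of `SAMPLE_DUMP`. Comparing the two lists before and after a configuration change shows which of the two problems a change actually fixed: an empty but referenced chain costs a rule evaluation for nothing, while an unreferenced chain is dead weight in the ruleset that never sees a packet.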
