On 5/12/13 9:04 AM, "Dash Four" <[email protected]> wrote:

>
>Tom Eastep wrote:
>> On 05/12/2013 07:58 AM, Dash Four wrote:
>>   
>>> As I suggested earlier, the easiest way to implement this is to add an
>>> option to the interface (or zone?) definition which asks shorewall not
>>> to involve this interface (or zone) in any inter-chain rules (i.e. keep
>>> it local-only). That way all I have to do is add this option and forget
>>> messing about with "hosts" and stuff like that.
>>>
>>> The 'local' interface/zone can't possibly have any matching rules
>>> from/to other interfaces/zones, so to me it makes perfect sense to use
>>> that option. Is this doable?
>>>     
>>
>> Patch attached. It has uncovered an optimizer bug that is leaving a few
>> unreferenced chains behind; I'll chase that today.
>>   
>Thanks, I'll test this later when I have the chance and will let you
>know. Is this option for the zone or the interface?

Interface. It is specifically targeted at the loopback device. Note that
Shorewall automatically generates an ACCEPT rule in the INPUT flow for
that device, so all filtering occurs in the OUTPUT chain.

-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.





_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
