Tom Eastep wrote:
>> Is that for the extra ACCEPT rule for 'lo' or something else?
>>
>
> It is for extra chains left behind.
>
> No traffic can come from the loopback device that hasn't already been
> sent out of it. As a consequence, filtering in the INPUT chain is
> superfluous and any 'local -> fw' rules will be optimized away with the
> patch I sent earlier. All that will be left is the ACCEPT rule.
>

Hang on! I need to have local->fw and fw->local rules - they make perfect sense and I use them to restrict/log/report traffic. I just don't want to have inter-chain rules connecting to or coming out of local (or 'lo'), like net2local, local2net and so on.
Shorewall-devel mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
