Tom Eastep wrote:
> Shorewall 4.5.17 Beta 2 is now available for testing.
> Problems corrected since Beta 1:
> 1) More issues with Shorewall-init have been corrected.
I am liking the new look of the shorewall-init init.d script for Fedora,
though I found a couple of "loose ends" - see patch attached.
> 2) An optimizer defect that could leave unreferenced chains in the
> configuration has been corrected.
> 3) Unreferenced chains in the IPV6 nat table are not omitted.
> New Features:
> 4) Two new interface options have been added.
> destonly
> Causes the compiler to omit rules to handle traffic arriving on
> the interface.
I'll test this option more thoroughly tomorrow.
> local
> Causes the compiler to only include rules to/from the firewall
> itself for this interface.
This now seems to work, though I have a question:
Suppose I have 2 interfaces in my net zone: eth0 and eth1. What
shorewall seems to produce is the following:
-A FORWARD -i eth0 -j net_frwd
-A FORWARD -i eth1 -j net_frwd
[...]
-A net_frwd -o eth0 -j net2net
-A net_frwd -o eth1 -j net2net
From the look of things, eth0/eth1 can't be both the incoming and the
outgoing interface at the same time, right? In other words, a packet
arriving on eth0 can't get out of eth0, can it? Same goes for eth1. If so,
then the above group of statements needs to be optimised.
--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -66,12 +66,11 @@
echo -n "Initializing \"Shorewall-based firewalls\": "
- retval=0
for PRODUCT in $PRODUCTS; do
setstatedir
retval=$?
- if [ $retval eq 0 ]; then
+ if [ $retval -eq 0 ]; then
if [ -x "${STATEDIR}/firewall" ]; then
${STATEDIR}/firewall stop 2>&1 | $logger
retval=${PIPESTATUS[0]}
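Review bot: the `-eq` correction is the important part of this hunk: `[ $retval eq 0 ]` is not a valid test (bare `eq` makes `[` fail with "binary operator expected"), so the `${STATEDIR}/firewall stop` branch was never taken. Dropping `retval=0` before the loop is less clear-cut: `retval` is now only assigned inside the `for PRODUCT` loop, so when `$PRODUCTS` is empty it stays unset and any use of `$retval` after the loop (not visible in this hunk) sees an empty value. Suggest keeping the initializer, and quoting the variable in the test (`if [ "$retval" -eq 0 ]; then`) so an empty value fails the test instead of tripping a syntax error.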
@@ -101,7 +100,6 @@
local vardir
echo -n "Clearing \"Shorewall-based firewalls\": "
- retval=0
for PRODUCT in $PRODUCTS; do
setstatedir
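Review bot: same concern as in the start path: removing `retval=0` ahead of the `for PRODUCT` loop leaves `retval` unset when `$PRODUCTS` is empty. Since this function already declares `local vardir`, a `local retval=0` alongside it would keep the initializer and also stop `retval` from leaking into the caller's scope.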
@@ -152,7 +150,7 @@
status $prog
;;
*)
- echo "Usage: /etc/init.d/shorewall-init {start|stop|status}"
+ echo "Usage: $0 {start|stop|status}"
exit 1
esac
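Review bot: `$0` is the right replacement for the hard-coded `/etc/init.d/shorewall-init` path, since the usage line then matches wherever the script was installed or however it was invoked. One LSB nit on the unchanged `exit 1` below it: an unrecognized action is conventionally reported with exit status 2 (invalid or excess arguments) rather than 1; worth changing while this case branch is being touched.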
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel