On 05/13/2013 07:22 AM, Dash Four wrote:
>
> Tom Eastep wrote:
>> On 05/13/2013 04:59 AM, Dash Four wrote:
>>
>>> Dash Four wrote:
>>>
>>>> Suppose I have 2 interfaces in my net zone: eth0 and eth1. What
>>>> shorewall seems to produce is the following:
>>>>
>>>> -A FORWARD -i eth0 -j net_frwd
>>>> -A FORWARD -i eth1 -j net_frwd
>>>> [...]
>>>> -A net_frwd -o eth0 -j net2net
>>>> -A net_frwd -o eth1 -j net2net
>>>>
>>>> From the look of things, eth0/eth1 can't be both incoming and outgoing
>>>> interface at the same time, right? In other words, a packet arriving
>>>> on eth0 can't get out of eth0, can it? Same goes for eth1. If so, then
>>>> the above group of statements needs to be optimised.
>>>>
>>> Please ignore the above - I wasn't thinking 4th dimensionally.
>>>
>>> Even though there is one extra rule to traverse per interface (which
>>> will never produce a match, like -i eth0 -o eth0 in the above example),
>>> this approach is better because it uses a single <zone>_frwd chain for
>>> all interfaces in the same zone, as opposed to creating separate chains
>>> for each interface. Having said all that, net2net has a default policy
>>> of ACCEPT (ignoring what I already specified in "policy"), which needs
>>> to be corrected, but you already know that.
>>>
>>
>> I assume that you have not specified an explicit net->net policy?
>>
> Correct, but I do have "all all DROP" (I can't add "all+ all+ DROP" in
> policy yet, can I?).
No -- not yet.

-Tom
-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
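To make the chain layout discussed above concrete, here is an added example (not code from the thread or from Shorewall) that walks the quoted FORWARD/net_frwd rules for a given in/out interface pair and reports which terminal chain is reached and how many rules were evaluated on the way. The walker is a deliberate simplification: it honours only -i, -o and -j, with exact interface names.

```python
"""Resolve the terminal chain a forwarded packet reaches in the Shorewall-style
ruleset quoted in the thread. Only -A/-i/-o/-j are interpreted; prefix matches
(eth+), negation (!) and other matches are out of scope for this illustration."""

# Constructed sample: exactly the rules quoted in the thread. net2net is not
# defined here, so the walker treats it as the terminal (leaf) chain.
SAMPLE_RULES = """
-A FORWARD -i eth0 -j net_frwd
-A FORWARD -i eth1 -j net_frwd
-A net_frwd -o eth0 -j net2net
-A net_frwd -o eth1 -j net2net
"""


def parse_rules(text):
    """Parse '-A CHAIN [-i IN] [-o OUT] -j TARGET' lines into {chain: [rules]}."""
    chains = {}
    for line in text.strip().splitlines():
        args = line.split()
        chain, rule = None, {"in": None, "out": None, "target": None}
        for flag, val in zip(args[::2], args[1::2]):
            if flag == "-A":
                chain = val
            elif flag == "-i":
                rule["in"] = val
            elif flag == "-o":
                rule["out"] = val
            elif flag == "-j":
                rule["target"] = val
        chains.setdefault(chain, []).append(rule)
    return chains


def resolve(chains, in_if, out_if, chain="FORWARD", evaluated=0):
    """Walk from `chain`; return (terminal_target, rules_evaluated).

    A rule matches when each of its -i/-o constraints is absent or equal to the
    packet's interface. Jumps into user-defined chains are followed; a jump to
    an unknown chain is reported as the terminal target. Falling off the end of
    the top-level chain is reported as "POLICY" (the chain's default applies)."""
    for rule in chains.get(chain, []):
        evaluated += 1
        if rule["in"] not in (None, in_if) or rule["out"] not in (None, out_if):
            continue                      # e.g. '-o eth0' never matches out=eth1
        if rule["target"] in chains:      # user-defined chain: descend into it
            return resolve(chains, in_if, out_if, rule["target"], evaluated)
        return rule["target"], evaluated  # leaf chain or verdict
    return "POLICY", evaluated


if __name__ == "__main__":
    chains = parse_rules(SAMPLE_RULES)
    for pair in [("eth0", "eth1"), ("eth1", "eth0"), ("eth1", "eth1"), ("eth2", "eth0")]:
        print(pair, "->", resolve(chains, *pair))
```

Both net-zone interface pairs land in the single net2net chain, and the cost of the shared net_frwd chain is visible as the one extra non-matching rule evaluated for eth1 traffic.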
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
