Dash Four wrote:
>> 2) An optimizer defect that could leave unreferenced chains in the
>> configuration has been corrected.
>>
>> 3) Unreferenced chains in the IPV6 nat table are not omitted.
>>
>> New Features:
>>
>> 4) Two new interface options have been added.
>>
>> destonly
>>
>> Causes the compiler to omit rules to handle traffic arriving on
>> the interface.
>>
> I'll test this option more thoroughly tomorrow.

Either I don't fully understand what this option does, or something is wrong. When I have "destonly" in my interfaces for eth0 (eth0 is part of the "local" zone), I get the following:
    -A OUTPUT -o eth0 -j fw2local
    [...]
    -A fw2local -m conntrack --ctstate ESTABLISHED -j ACCEPT
    -A fw2local -m conntrack --ctstate RELATED -j +fw2local
    -A fw2local -m conntrack --ctstate INVALID,UNTRACKED -j DROP
    -A fw2local -j ACCEPT
    [...]
    -A net2local -m conntrack --ctstate ESTABLISHED -j ACCEPT
    -A net2local -m conntrack --ctstate RELATED -j +net2local
    -A net2local -m conntrack --ctstate INVALID,UNTRACKED -j DROP
    -A net2local -j DROP

Is this option for tracking traffic coming *into* that zone? If that is the case, then when I enter something like "ACCEPT local $FW tcp 8080" this is silently accepted, though no rule is generated. The correct course of action is to at least show a warning.

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
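The check a practitioner would want here, given the concern above that a rules-file entry can be silently dropped: take the generated iptables rule listing, group it by chain, and warn for every expected rules-file entry that produced no matching rule. This is an added example written for this thread, not Shorewall's own code or compiler output. It assumes the chain naming visible in the post (a `<src>2<dst>` chain per zone pair, with `$FW` rendered as `fw`); the sample ruleset is constructed from the rules quoted above plus one hypothetical `net2fw` entry so that a present rule can be shown alongside a missing one.

```python
"""Audit a Shorewall-generated iptables ruleset for rules-file entries that
produced no iptables rule (for instance because the interface was marked
destonly).  Added example for this thread, not Shorewall code.  Assumes the
chain naming seen in the post: <src>2<dst>, with $FW -> fw."""
import re

# Constructed sample: the rules quoted in the post, one per line, plus a
# hypothetical net2fw rule so that a present entry can be contrasted with a
# silently omitted one.
SAMPLE_RULES = """\
-A OUTPUT -o eth0 -j fw2local
-A fw2local -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A fw2local -m conntrack --ctstate RELATED -j +fw2local
-A fw2local -m conntrack --ctstate INVALID,UNTRACKED -j DROP
-A fw2local -j ACCEPT
-A net2local -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A net2local -m conntrack --ctstate RELATED -j +net2local
-A net2local -m conntrack --ctstate INVALID,UNTRACKED -j DROP
-A net2local -j DROP
-A net2fw -p tcp -m tcp --dport 22 -j ACCEPT
"""


def parse_chains(text):
    """Group '-A <chain> <rest>' lines into {chain: [rest, ...]}."""
    chains = {}
    for line in text.splitlines():
        m = re.match(r'-A\s+(\S+)\s*(.*)$', line.strip())
        if m:
            chains.setdefault(m.group(1), []).append(m.group(2))
    return chains


def chain_name(src, dst):
    """Chain for a zone pair, following the naming seen in the post
    (assumption): fw2local, net2local, local2fw, ..."""
    def norm(zone):
        return 'fw' if zone == '$FW' else zone
    return f"{norm(src)}2{norm(dst)}"


def rule_present(rules, proto, dport):
    """True if some rule in the chain matches the protocol and dest port."""
    pat = re.compile(rf'(?:^|\s)-p {re.escape(proto)}\b.*--dport {dport}\b')
    return any(pat.search(r) for r in rules)


def audit(ruleset_text, expected):
    """expected: iterable of (action, src, dst, proto, dport) tuples taken
    from the rules file.  Returns one warning string per entry for which the
    ruleset contains no corresponding chain or no matching rule, which is
    exactly the silent omission the post asks to be warned about."""
    chains = parse_chains(ruleset_text)
    warnings = []
    for action, src, dst, proto, dport in expected:
        chain = chain_name(src, dst)
        rules = chains.get(chain)
        entry = f"{action} {src} {dst} {proto} {dport}"
        if rules is None:
            warnings.append(f"{entry}: chain {chain} not generated")
        elif not rule_present(rules, proto, dport):
            warnings.append(f"{entry}: no matching rule in {chain}")
    return warnings


if __name__ == "__main__":
    expected_entries = [
        ("ACCEPT", "local", "$FW", "tcp", "8080"),  # the entry from the post
        ("ACCEPT", "net", "$FW", "tcp", "22"),      # hypothetical, present
    ]
    for w in audit(SAMPLE_RULES, expected_entries):
        print("WARNING:", w)
```

Run against a real ruleset by feeding it the output of iptables-save (or the generated script's rules) in place of the constructed sample; any rules-file entry whose zone-pair chain is absent, as local2fw is above, is reported rather than passing unnoticed.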
