On 5/13/13 4:40 PM, "Dash Four" <[email protected]> wrote:
> > > Dash Four wrote:
> >>> 2) An optimizer defect that could leave unreferenced chains in the
> >>> configuration has been corrected.
> >>>
> >>> 3) Unreferenced chains in the IPV6 nat table are not omitted.
> >>>
> >>> New Features:
> >>>
> >>> 4) Two new interface options have been added.
> >>>
> >>> destonly
> >>>
> >>> Causes the compiler to omit rules to handle traffic arriving on
> >>> the interface.
> >>>
> >> I'll test this option more thoroughly tomorrow.
> Either I don't fully understand what this option does, or something is
> wrong. When I have "destonly" in my interfaces for eth0 (eth0 is part of
> the "local" zone), I get the following:
>
> -A OUTPUT -o eth0 -j fw2local
> [...]
> -A fw2local -m conntrack --ctstate ESTABLISHED -j ACCEPT
> -A fw2local -m conntrack --ctstate RELATED -j +fw2local
> -A fw2local -m conntrack --ctstate INVALID,UNTRACKED -j DROP
> -A fw2local -j ACCEPT
> [...]
> -A net2local -m conntrack --ctstate ESTABLISHED -j ACCEPT
> -A net2local -m conntrack --ctstate RELATED -j +net2local
> -A net2local -m conntrack --ctstate INVALID,UNTRACKED -j DROP
> -A net2local -j DROP
>
> Is this option for tracking traffic coming *into* that zone? If that is
> the case, then when I enter something like "ACCEPT local $FW tcp 8080"
> this is silently accepted, though no rule is generated. The correct
> course of action is to at least show a warning.

Actually, the rule is generated but then optimized away. So the warning
will need to be issued when the 'local2fw' chain contains rules but we
don't generate any jumps to it.

-Tom

You do not need a parachute to skydive.
You only need a parachute to skydive twice.
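The check Tom describes, written out as an added example (this is not Shorewall's code): parse an iptables-save-style ruleset, find every user-defined chain that holds rules but is never the target of a jump, and report it before the optimizer silently drops it. The sample ruleset is constructed from the rules quoted above; the FORWARD jump, the eth1 interface, the bodies of the "+" chains and the local2fw rule for port 8080 are assumptions, not Shorewall output.

```python
"""Flag user-defined chains that hold rules but are never jumped to.

Added illustration, not Shorewall's own code. It models the condition in
the thread: a chain such as local2fw receives rules from the rules file,
but with 'destonly' set on eth0 nothing jumps to it, so the optimizer
removes the chain and the user's rule vanishes silently. Running this
check before the optimizer is where a warning belongs.
"""
from collections import defaultdict

# Chains iptables creates itself; these are legitimately unreferenced.
BUILTIN = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}

# Constructed iptables-save-style fragment modelled on the rules quoted in
# the thread. The FORWARD jump, eth1, the '+' chain bodies and the
# local2fw rule for port 8080 are assumptions, not Shorewall output.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:fw2local - [0:0]
:+fw2local - [0:0]
:local2fw - [0:0]
:net2local - [0:0]
:+net2local - [0:0]
-A FORWARD -i eth1 -o eth0 -j net2local
-A OUTPUT -o eth0 -j fw2local
-A fw2local -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A fw2local -m conntrack --ctstate RELATED -j +fw2local
-A fw2local -m conntrack --ctstate INVALID,UNTRACKED -j DROP
-A fw2local -j ACCEPT
-A +fw2local -j ACCEPT
-A local2fw -p tcp --dport 8080 -j ACCEPT
-A net2local -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A net2local -m conntrack --ctstate RELATED -j +net2local
-A net2local -m conntrack --ctstate INVALID,UNTRACKED -j DROP
-A net2local -j DROP
-A +net2local -j ACCEPT
COMMIT
"""


def parse_ruleset(text):
    """Return (declared chains, rules per chain, list of (source, target) jumps)."""
    declared = set()
    rules = defaultdict(list)
    jumps = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":"):
            declared.add(line[1:].split()[0])
        elif line.startswith("-A "):
            parts = line.split()
            chain = parts[1]
            rules[chain].append(line)
            for flag in ("-j", "-g"):  # jump and goto both reference a chain
                if flag in parts and parts.index(flag) + 1 < len(parts):
                    jumps.append((chain, parts[parts.index(flag) + 1]))
    return declared, rules, jumps


def unreferenced_chains(text):
    """User chains that contain rules but are the target of no jump from
    another chain: exactly the rules the optimizer would discard."""
    declared, rules, jumps = parse_ruleset(text)
    referenced = {dst for src, dst in jumps if dst in declared and src != dst}
    return sorted(c for c in declared - BUILTIN
                  if rules.get(c) and c not in referenced)


def warnings(text):
    """Warning lines a compiler could emit before optimizing the chains away."""
    _, rules, _ = parse_ruleset(text)
    return [f"WARNING: chain {c} holds {len(rules[c])} rule(s) but nothing "
            f"jumps to it; they can never match"
            for c in unreferenced_chains(text)]


if __name__ == "__main__":
    for w in warnings(SAMPLE):
        print(w)
```

Run as-is, the script reports local2fw, the chain that holds the "ACCEPT local $FW tcp 8080" rule. Adding an `-A INPUT -i eth0 -j local2fw` line to the sample (the jump that destonly suppresses) clears the warning, which is the distinction the thread draws between a rule never being generated and a rule being generated and then optimized away.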
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
