The more I have thought about it, the less that I like 'local' being an
interface option. In this Beta, 'local' changes to being a zone type.

1)  A new interface option has been added.

    destonly

        Causes the compiler to omit rules to handle traffic arriving on
        the interface.

2)  It is now possible to use 'all+' in the SOURCE and DEST columns of
    /etc/shorewall[6]/policy file. It has the same meaning as in the
    rules file in that it can override default intra-zone ACCEPT
    policies.

3)  Beginning with this release, most special handling of 'Auth' (TCP
    port 113) has been removed. In particular, the Drop default action
    will no longer default to silently REJECTing Auth requests but will
    rather simply process them like other tcp packets.

4)  Traditionally, Shorewall has treated the loopback interface ('lo')
    as follows:

    - It deals with firewall-to-firewall, firewall-to-vserver,
      vserver-to-firewall, and vserver-to-vserver traffic.
    - All filtering is done in the OUTPUT flow; all traffic arriving on
      'lo' is silently accepted.
    - If no firewall-to-firewall policy or rules are defined, then
      a simple ACCEPT rule is also included in the OUTPUT chain for
      'lo' (after any vserver-oriented jumps).

    Beginning with this release, the handling of firewall-to-firewall
    traffic can be altered by adding a zone of type 'local'.

    - The 'local' zone must be associated with the loopback device in
      the interfaces file.

      /etc/shorewall/zones

      #ZONE     TYPE
      local     local

      /etc/shorewall/interfaces

      ?FORMAT 2
      #ZONE   INTERFACE         OPTIONS
      local   lo                ...

      When this is done, the ACCEPT jumps for 'lo' in the INPUT and
      OUTPUT chains are omitted and replaced with jumps to the local2fw
      and fw2local (local-fw and fw-local) chains respectively. This
      provides a model similar to other zones for firewall-to-firewall
      traffic.

      When a local zone is defined, the firewall-to-firewall policy
      must be ACCEPT in order to avoid superfluous rules and chains.
      Definition of a local zone together with definition of vserver
      zones is currently disallowed.

Thank you for testing,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
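As an added example that is not part of Tom's message or of Shorewall's own code: a small Python pre-flight check for the constraints stated in item 4 (the 'local' zone must sit on 'lo', no vserver zones alongside it, and the firewall-to-firewall policy must be ACCEPT), run over constructed configuration text. It assumes the firewall zone is the zone of type 'firewall' (alias '$FW') and, following item 2, that plain 'all' policy rows do not match intra-zone firewall traffic while 'all+' rows do.

```python
# Added example (not Shorewall's own code): a pre-flight check for the
# 'local' zone constraints in the note above, applied to config text.

def parse_table(text):
    """Rows of a Shorewall column file, minus comments and ?directives."""
    rows = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if line and not line.startswith('?'):
            rows.append(line.split())
    return rows

def fw_to_fw_policy(policy_rows, fw):
    """First-match lookup of the firewall-to-firewall policy.
    Assumption: plain 'all' does not match intra-zone traffic (item 2),
    so only explicit firewall rows or 'all+' override the implicit ACCEPT."""
    def hits(col):
        return col in (fw, '$FW', 'all+')
    for r in policy_rows:
        if len(r) >= 3 and hits(r[0]) and hits(r[1]):
            return r[2].upper()
    return 'ACCEPT'

def check_local_zone(zones_text, interfaces_text, policy_text):
    """Return a list of problems; an empty list means the constraints hold."""
    zones = {r[0]: r[1].lower() for r in parse_table(zones_text) if len(r) >= 2}
    local = [z for z, t in zones.items() if t == 'local']
    if not local:
        return []  # no local zone: nothing to check
    problems = []
    if 'vserver' in zones.values():
        problems.append('local zone defined together with a vserver zone')
    ifaces = {r[0]: r[1] for r in parse_table(interfaces_text) if len(r) >= 2}
    for z in local:
        if ifaces.get(z) != 'lo':
            problems.append(f"local zone '{z}' is not associated with interface 'lo'")
    fw = next((z for z, t in zones.items() if t == 'firewall'), 'fw')
    pol = fw_to_fw_policy(parse_table(policy_text), fw)
    if pol != 'ACCEPT':
        problems.append(f'firewall-to-firewall policy is {pol}, must be ACCEPT')
    return problems

# Constructed samples: GOOD follows the note above; BAD breaks every constraint.
ZONES_GOOD = "#ZONE TYPE\nfw firewall\nlocal local\nnet ipv4\n"
IFACES_GOOD = "?FORMAT 2\n#ZONE INTERFACE OPTIONS\nlocal lo -\nnet eth0 dhcp\n"
POLICY_GOOD = "#SOURCE DEST POLICY\n$FW $FW ACCEPT\nnet all DROP\nall all REJECT\n"
ZONES_BAD = "fw firewall\nlocal local\nvs vserver\n"
IFACES_BAD = "?FORMAT 2\nlocal eth1 -\n"
POLICY_BAD = "all+ all+ REJECT\n"
```

Running `check_local_zone` on the GOOD triple returns an empty list; on the BAD triple it reports all three violations.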


_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
