Tom Eastep wrote:
> On 05/26/2013 08:25 AM, Tom Eastep wrote:
>
>> On 05/26/2013 08:22 AM, Dash Four wrote:
>>
>>> Tom Eastep wrote:
>>>
>>>> On 5/25/13 6:35 PM, "Dash Four" <[email protected]> wrote:
>>>>
>>>>> Tom Eastep wrote:
>>>>>
>>>>>> 4.5.17 RC 1 is now available for testing.
>>>>>>
>>>>>> Changes since Beta 3:
>>>>>>
>>>>>> 1) A 'local' zone now works correctly with 'destonly' specified on the loopback device.
>>>>>
>>>>> ERROR: The local zone may only me assigned to 'lo'
>>>>> /etc/shorewall/interfaces
>>>>>
>>>>> Says who, exactly? I should be able to assign the local zone to whichever network adapter I damn well please!
>>>>
>>>> As the Rolling Stones say, you can't always get what you want. Especially when you ask like that.
>>>
>>> Well, in this case, I will have to use start/started to manually delete all the <all>2local and local2<all> crap shorewall placed in my own firewall and be done with it and not bother with this next-to-useless "local" zone option at all.
>>>
>>> If it was just the loopback interface your recent changes have targeted, then, maybe, just maybe, you should have called this option "loopback" instead to make it clearer.
>>>
>>> Personally, I won't be using this, as your "local" solution is neither here nor there - my intention was, and always has been, to isolate the local zone from all other zones I have defined (be it based on the loopback interface or lo:X interfaces, or some other interfaces bound to the 127.x.x.x address I have defined in advance) and exercise a degree of control over its traffic. Currently, your "local" solution falls well short of that.
>>
>> The lo:X thingies are not interfaces; they are simply labeled addresses on interface 'lo'.
>
> My point is that the iptables match '-i dev:1' never matches, when 'dev:1' is a 'virtual' interface on interface 'dev'.
>
> What I can do is allow multiple local zones where nesting is allowed between local zones. That allows rather fine-grained control over $FW->$FW traffic based on zones.

The point I was trying to make is for you to drop the restriction on 'lo'. As I already pointed out, I could have other "local" devices within the 127.x.x.x range, not just 'lo'. I don't mind having to shoe-horn virtual devices (lo:X for example) into the same device/zone either - that's fine by me, no problem.
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
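Tom's point above, that '-i dev:1' never matches because 'dev:1' is an address label rather than a device, is the reason a rule for a lo:X "interface" has to match the real device plus the address. The following is an added example, not Shorewall's code or anything from the thread: it reads a constructed 'ip -o addr show' capture (format assumed from iproute2 output), maps each label back to its device, and builds the iptables match that would actually hit.

```python
"""Resolve 'dev:N' labels to (device, addresses) and build a matchable rule.
Added example, not Shorewall's own code. IP_O_ADDR is a constructed
'ip -o addr show' capture, not a real host's output."""

IP_O_ADDR = r"""1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
1: lo    inet 127.0.0.2/8 scope host secondary lo:1\       valid_lft forever preferred_lft forever
1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.11/24 brd 192.168.1.255 scope global secondary eth0:0\       valid_lft forever preferred_lft forever
"""


def parse_ip_addr(output):
    """Return {label: (device, [cidr, ...])} for every IPv4 address.

    In 'ip -o addr' output the label is the last token before the '\\'
    continuation; the kernel sets it to the device name unless an alias
    such as 'lo:1' was given (ifconfig lo:1 or 'ip addr add ... label lo:1')."""
    labels = {}
    for line in output.splitlines():
        head = line.split('\\', 1)[0].split()
        if len(head) < 4 or head[2] != 'inet':
            continue                      # skip inet6 (no label) and blank lines
        device, cidr, label = head[1], head[3], head[-1]
        labels.setdefault(label, (device, []))[1].append(cidr)
    return labels


def resolve(name, labels):
    """Translate an interface-or-alias name into (real_device, [cidr, ...]).

    'lo:1' resolves to device 'lo': the colon name exists only as an address
    label, so an iptables '-i lo:1' match can never be true."""
    if name not in labels:
        raise KeyError(f"{name}: no such device or address label")
    return labels[name]


def match_args(name, labels, direction='-d'):
    """One iptables argument list per address behind the name.

    A plain device name needs only '-i <dev>'; an alias becomes
    '-i <dev> -d <host>' (or -s), matching the labelled address itself."""
    dev, addrs = resolve(name, labels)
    if name == dev:
        return [['-i', dev]]
    return [['-i', dev, direction, cidr.split('/')[0]] for cidr in addrs]
```
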
