On 5/26/13 4:15 PM, "Dash Four" <[email protected]> wrote:
>
>
>Tom Eastep wrote:
>> On 5/26/13 3:16 PM, "Dash Four" <[email protected]> wrote:
>>
>>> Tom Eastep wrote:
>>>
>>>>> Well, in that case you need to call the first option "loopback" (because
>>>>> that's what this really is, it isn't "local") and the second "local".
>>>>>
>>>>> Both should only have fw2<X> and <X>2fw chains (X being the loopback and
>>>>> local zones) and in addition, for the local zone, there should also be
>>>>> local2local chain in case where there is more than one interface defined
>>>>> for that local zone.
>>>>>
>>>> We're on the same page. I've just about finished implementing exactly what
>>>> you describe.
>>>>
>>> Forgot to add something which should be pretty obvious given what was
>>> discussed earlier - neither options should have the lo-only restriction.
>>>
>>
>> Loopback will still have that restriction.
>>
>What happens when I only have one device in a zone called "local" with
>the "local" option set? If I am to assume that shorewall will do the
>right thing and eliminate the local2local chain, then what would be the
>difference between that zone and the "loopback" zone?

If you also have 'local1' of type local, then you will have 'local12local'
and 'local2local1' (since local zones can communicate with each other).
They cannot, however, communicate with a loopback zone; only the firewall
and vserver zones can do that (since vserver zones are sub-zones of $FW).

-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
