On 5/26/13 4:48 PM, "Dash Four" <[email protected]> wrote:
> Tom Eastep wrote:
>> On 5/26/13 4:15 PM, "Dash Four" <[email protected]> wrote:
>>
>>> Tom Eastep wrote:
>>>
>>>> On 5/26/13 3:16 PM, "Dash Four" <[email protected]> wrote:
>>>>
>>>>> Tom Eastep wrote:
>>>>>
>>>>>>> Well, in that case you need to call the first option "loopback" (because
>>>>>>> that's what this really is, it isn't "local") and the second "local".
>>>>>>>
>>>>>>> Both should only have fw2<X> and <X>2fw chains (X being the loopback and
>>>>>>> local zones) and in addition, for the local zone, there should also be a
>>>>>>> local2local chain in case there is more than one interface defined
>>>>>>> for that local zone.
>>>>>>>
>>>>>> We're on the same page. I've just about finished implementing exactly what
>>>>>> you describe.
>>>>>>
>>>>> Forgot to add something which should be pretty obvious given what was
>>>>> discussed earlier - neither option should have the lo-only restriction.
>>>>>
>>>> Loopback will still have that restriction.
>>>>
>>> What happens when I only have one device in a zone called "local" with
>>> the "local" option set? If I am to assume that shorewall will do the
>>> right thing and eliminate the local2local chain, then what would be the
>>> difference between that zone and the "loopback" zone?
>>>
>> If you also have 'local1' of type local, then you will have 'local12local'
>> and 'local2local1' (since local zones can communicate with each other).
>>
> That's not what I asked, is it? So I'll repeat it again (cut-and-paste
> from my post above):
>
> What happens when I only have one device in a zone called "local" with
> the "local" option set? If I am to assume that shorewall will do the
> right thing and eliminate the local2local chain (question one), then
> what would be the difference between that zone and the "loopback" zone
> (question two)?
All traffic sent from the firewall to the loopback zone will also be sent from the loopback zone to the firewall. In all of that traffic, the SOURCE and DESTINATION IP addresses will be addresses defined on interfaces on the firewall itself. That is a unique characteristic of the loopback device which is not shared by other interfaces. So the loopback zone has unique characteristics not shared by other ipvX zones.

-Tom

You do not need a parachute to skydive. You only need a parachute to skydive twice.

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
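To make the chain layout discussed in this thread concrete, here is an added model (not Shorewall code, and not written by either participant) that derives the expected chain names from a set of loopback/local zones and checks the loopback property Tom describes. It assumes the rules as stated in the thread: a loopback zone keeps the lo-only restriction, a local zone with more than one interface gets a <X>2<X> chain (the single-interface case following Dash Four's proposal), and distinct local zones get chains in both directions.

```python
import ipaddress

# Constructed model of the chain layout described in the thread; the
# rules below are the thread's proposal, not Shorewall's actual code.

def zone_chains(zones):
    """zones: dict name -> (zone_type, [interfaces]); returns sorted chain names.

    Assumed rules (from the thread):
    - every loopback/local zone gets fw2<X> and <X>2fw
    - a loopback zone may only contain the lo interface
    - a local zone with more than one interface also gets <X>2<X>
    - distinct local zones get <X>2<Y> in both directions
    """
    chains = set()
    local_zones = []
    for name, (ztype, ifaces) in zones.items():
        if ztype == "loopback" and ifaces != ["lo"]:
            raise ValueError(f"loopback zone {name} may only contain lo")
        chains.add(f"fw2{name}")
        chains.add(f"{name}2fw")
        if ztype == "local":
            local_zones.append(name)
            if len(ifaces) > 1:
                chains.add(f"{name}2{name}")
    for a in local_zones:
        for b in local_zones:
            if a != b:
                chains.add(f"{a}2{b}")
    return sorted(chains)


def is_loopback_traffic(src, dst, fw_addrs):
    """True when both SOURCE and DESTINATION are addresses configured on the
    firewall itself, the property Tom says only loopback traffic has."""
    fw = {ipaddress.ip_address(a) for a in fw_addrs}
    return ipaddress.ip_address(src) in fw and ipaddress.ip_address(dst) in fw
```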
