Tom Eastep wrote:
> 1) Traditionally, Shorewall has treated the loopback interface ('lo')
> as follows:
>
> - It deals with firewall-to-firewall, firewall-to-vserver,
> vserver-to-firewall, and vserver-to-vserver traffic.
> - All filtering is done in the OUTPUT flow; all traffic arriving on
> 'lo' is silently accepted.
> - If no firewall-to-firewall policy or rules are defined, then
> a simple ACCEPT rule is also included in the OUTPUT chain for
> 'lo' (after any vserver-oriented jumps).
>
> Beginning with this release, the handling of firewall-to-firewall
> traffic can be altered by adding a zone of type 'loopback'.
>
> - 'loopback' zones must be associated with the loopback device in
> the interfaces and/or hosts file.
>
interfaces
~~~~~~~~~~
loc lo

zones
~~~~~
fw firewall
loc ipv4

ERROR: Only a local zone may be assigned to 'lo'

zones
~~~~~
fw firewall
loc local

ERROR: No IP zones defined
This was encountered in RC1, don't know whether the same issue persists
in RC2. I should be able to configure fw and a local zone only, without
having shorewall whining like a little bitch. Also, the definition (and
use) of ICMPv6 codes in shorewall is wrong:
From shorewall's man page (that is also how the rules are emitted in
"firewall"):

ICMPv6:
  destination-unreachable => 1
    no-route => 1/0
    communication-prohibited => 1/1
    address-unreachable => 1/2
    port-unreachable => 1/3
The correct set of "destination-unreachable" ICMPv6 codes are as follows:
ICMPv6 destination unreachable (type 1):
1/0 no route to destination
1/1 communication with destination administratively prohibited
1/2 beyond scope of source address
1/3 address unreachable
1/4 port unreachable
1/5 source address failed ingress/egress policy
1/6 reject route to destination
1/7 Error in Source Routing Header
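A small added check (my own code, not Shorewall's) that parses the quoted man-page table and flags every entry whose type/code disagrees with the RFC 4443 list above; the name-to-code expectations are assumed from the names in the excerpt. A mismatch here means a rule written for, say, "port-unreachable" actually matches a different ICMPv6 message on the wire.

```python
# Lint a Shorewall-style "name => type/code" ICMPv6 table against RFC 4443.
import re

# RFC 4443 sec. 3.1 codes for ICMPv6 type 1 (code 7 added by RFC 6550).
RFC_TYPE1_CODES = {
    0: "no route to destination",
    1: "communication with destination administratively prohibited",
    2: "beyond scope of source address",
    3: "address unreachable",
    4: "port unreachable",
    5: "source address failed ingress/egress policy",
    6: "reject route to destination",
    7: "error in Source Routing Header",
}

# Assumed correct mapping for the names used in the man-page excerpt.
EXPECTED = {
    "destination-unreachable": (1, None),  # whole type, no code
    "no-route": (1, 0),
    "communication-prohibited": (1, 1),
    "address-unreachable": (1, 3),
    "port-unreachable": (1, 4),
}

# The man-page table as quoted in the post (the state being criticised).
MAN_PAGE_EXCERPT = """\
destination-unreachable => 1
   no-route => 1/0
   communication-prohibited => 1/1
   address-unreachable => 1/2
   port-unreachable => 1/3
"""

LINE_RE = re.compile(r"^\s*([\w-]+)\s*=>\s*(\d+)(?:/(\d+))?\s*$")

def parse_table(text):
    """Return {name: (type, code or None)} from 'name => type[/code]' lines."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            name, typ, code = m.groups()
            table[name] = (int(typ), int(code) if code is not None else None)
    return table

def fmt(tc):
    """Render (type, code) the way the man page writes it: '1' or '1/3'."""
    typ, code = tc
    return str(typ) if code is None else f"{typ}/{code}"

def lint(text):
    """Return [(name, found, expected)] for entries whose type/code is wrong."""
    return [(name, fmt(found), fmt(EXPECTED[name]))
            for name, found in parse_table(text).items()
            if name in EXPECTED and found != EXPECTED[name]]

if __name__ == "__main__":
    for name, found, want in lint(MAN_PAGE_EXCERPT):
        code = int(want.split("/")[1])
        print(f"{name}: emitted {found}, RFC 4443 says {want} "
              f"({RFC_TYPE1_CODES[code]})")
```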
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel