On 05/28/2013 07:05 AM, Dash Four wrote:
>
> Tom Eastep wrote:
>> 1) Traditionally, Shorewall has treated the loopback interface ('lo')
>> as follows:
>>
>> - It deals with firewall-to-firewall, firewall-to-vserver,
>> vserver-to-firewall, and vserver-to-vserver traffic.
>> - All filtering is done in the OUTPUT flow; all traffic arriving on
>> 'lo' is silently accepted.
>> - If no firewall-to-firewall policy or rules are defined, then
>> a simple ACCEPT rule is also included in the OUTPUT chain for
>> 'lo' (after any vserver-oriented jumps).
>>
>> Beginning with this release, the handling of firewall-to-firewall
>> traffic can be altered by adding a zone of type 'loopback'.
>>
>> - 'loopback' zones must be associated with the loopback device in
>> the interfaces and/or hosts file.
>>
> interfaces
> ~~~~~~~~~~
> loc lo
>
> zones
> ~~~~~
> fw firewall
> loc ipv4
>
> ERROR: Only a local zone may be assigned to 'lo'
>
> zones
> ~~~~~
> fw firewall
> loc local
>
> ERROR: No IP zones defined
>
> This was encountered in RC1, don't know whether the same issue persists
> in RC2. I should be able to configure fw and a local zone only, without
> having shorewall whining like a little bitch. Also, the definition (and
> use) of ICMPv6 codes in shorewall is wrong:
>
> From shorewall's man page (that is also how the rules are emitted in
> "firewall"):
>
> ICMPv6:
> destination-unreachable => 1
> no-route => 1/0
> communication-prohibited => 1/1
> address-unreachable => 1/2
> port-unreachable => 1/3
>
> The correct set of "destination-unreachable" ICMPv6 codes are as follows:
>
> ICMPv6 destination unreachable (type 1):
>
> 1/0 no route to destination
> 1/1 communication with destination administratively prohibited
> 1/2 beyond scope of source address
> 1/3 address unreachable
> 1/4 port unreachable
> 1/5 source address failed ingress/egress policy
> 1/6 reject route to destination
> 1/7 Error in Source Routing Header

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index fbea89e..3583f1e 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -506,6 +506,7 @@ sub process_zone( \$ ) {
} elsif ( $type eq 'local' ) {
push @local_zones, $zone;
$type = LOCAL;
+ $$ip = 1;
} elsif ( $type eq 'loopback' ) {
push @loopback_zones, $zone;
$type = LOOPBACK;
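Review bot: `$$ip = 1;` is added only in the `local` branch; the `loopback` branch directly below it (`push @loopback_zones, $zone; $type = LOOPBACK;`) does not set the flag, so a configuration consisting of only the firewall zone and a 'loopback' zone would presumably still trip the same "No IP zones defined" check the reporter hit with a 'local' zone. If that asymmetry is intended, a one-line comment saying why a local zone counts as an IP zone while a loopback zone does not would help the next reader; otherwise the same assignment belongs in the loopback branch.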
diff --git a/Shorewall/Perl/Shorewall/IPAddrs.pm b/Shorewall/Perl/Shorewall/IPAddrs.pm index a167ed7..3c235d5 100644 --- a/Shorewall/Perl/Shorewall/IPAddrs.pm +++ b/Shorewall/Perl/Shorewall/IPAddrs.pm @@ -768,8 +768,8 @@ my %ipv6_icmp_types = ( any => 'any', 'destination-unreachable' => 1, 'no-route' => '1/0', 'communication-prohibited' => '1/1', - 'address-unreachable' => '1/2', - 'port-unreachable' => '1/3', + 'address-unreachable' => '1/3', + 'port-unreachable' => '1/4', 'packet-too-big' => 2, 'time-exceeded' => 3, 'ttl-exceeded' => 3,
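Review bot: Moving 'address-unreachable' to '1/3' and 'port-unreachable' to '1/4' agrees with the reporter's list, but %ipv6_icmp_types still has no names for the other destination-unreachable codes he listed (1/2 beyond scope of source address, 1/5 source address failed ingress/egress policy, 1/6 reject route to destination, 1/7 error in source routing header), and the man page the report quotes still documents the old 1/2 and 1/3 values. Add entries for the missing codes and update the man page in the same change so the emitted rules and the documentation agree.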
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
