Tom Eastep wrote:
> Brad Bendily wrote:
>> On 10/10/07, Tom Eastep <[EMAIL PROTECTED]> wrote:
>>> Nico Pagliaro wrote:
>>>> What is the purpose of the flag OPTIMIZE?
>>> http://www.shorewall.net/manpages/shorewall.conf.html
>>>
>>> -Tom
>>>
>> So, I've read the definition of the OPTIMIZE flag:
>>     These extra rules can be eliminated by setting OPTIMIZE=1.
>>     The OPTIMIZE setting also controls the suppression of redundant
>> wildcard rules (those specifying "all" in the SOURCE or DEST column).
>> A wildcard rule is considered to be redundant when it has the same
>> ACTION and Log Level as the applicable policy.
>>
>> What reason would we want to leave this at 0? Why is this an option?
>> Wouldn't you always want it optimized?
> 
> Making it unconditional could have broken existing configurations.

Example:

Policy:
#SOURCE   DEST     POLICY
loc       fw       ACCEPT

#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE
#                                                       PORT    PORT(S)
...
ACCEPT          loc:192.168.1.4 all             tcp     22
REJECT          loc             fw              tcp     22


Since the ACCEPT rule duplicates the policy for loc->fw, the loc->fw
ACCEPT rule is not generated under OPTIMIZE=1. As a result, 192.168.1.4
can no longer connect to the firewall using SSH.

The solution is to modify the ACCEPT rule:

#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE
#                                                       PORT    PORT(S)
...
ACCEPT!         loc:192.168.1.4 all             tcp     22
REJECT          loc             fw              tcp     22

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
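As an added illustration (not from Tom's message and not Shorewall's own code), here is a small Python model of the pruning described above: a wildcard rule whose ACTION and log level equal the applicable policy is dropped under OPTIMIZE=1 unless its ACTION carries the "!" suffix. The zone list, the policy table and the default policy are constructed for the example.

```python
# Constructed model of Shorewall's OPTIMIZE=1 wildcard-rule pruning; not
# Shorewall code. Zones, policies and default policy are made up for the demo.
from dataclasses import dataclass
from typing import Optional

ZONES = ["fw", "loc", "net"]
# (source, dest) -> (POLICY, log level); loc->fw ACCEPT as in the thread
POLICIES = {("loc", "fw"): ("ACCEPT", None), ("loc", "net"): ("ACCEPT", None),
            ("net", "fw"): ("DROP", "info"), ("net", "loc"): ("DROP", "info")}

@dataclass
class Rule:
    action: str    # "ACCEPT", "ACCEPT!", "REJECT", ...
    source: str    # zone, "all", or "zone:host"
    dest: str      # zone or "all"
    proto: str
    dport: int
    loglevel: Optional[str] = None

def policy_for(src, dst):
    return POLICIES.get((src, dst), ("REJECT", None))  # constructed default

def expand(rules, optimize):
    """Expand 'all' into per-zone-pair rules. With optimize=1, a wildcard rule
    matching the pair's policy (ACTION and log level) is dropped unless '!'."""
    generated = []
    for r in rules:
        forced, action = r.action.endswith("!"), r.action.rstrip("!")
        src_zone, _, host = r.source.partition(":")  # host "" = any host
        wildcard = src_zone == "all" or r.dest == "all"
        for s in (ZONES if src_zone == "all" else [src_zone]):
            for d in (ZONES if r.dest == "all" else [r.dest]):
                if s == d:
                    continue
                if (optimize and wildcard and not forced
                        and policy_for(s, d) == (action, r.loglevel)):
                    continue  # redundant with the policy: suppressed
                generated.append((action, s, host, d, r.proto, r.dport))
    return generated

def verdict(generated, src_zone, src_host, dst_zone, proto, dport):
    """First matching generated rule wins; otherwise the policy decides."""
    for action, s, host, d, p, port in generated:
        if (s, d, p, port) == (src_zone, dst_zone, proto, dport) and host in ("", src_host):
            return action
    return policy_for(src_zone, dst_zone)[0]

def ssh_from_host(action, optimize):  # 192.168.1.4 -> fw tcp/22, thread's rules
    rules = [Rule(action, "loc:192.168.1.4", "all", "tcp", 22),
             Rule("REJECT", "loc", "fw", "tcp", 22)]
    return verdict(expand(rules, optimize), "loc", "192.168.1.4", "fw", "tcp", 22)
```

With OPTIMIZE=0 the host is accepted, with OPTIMIZE=1 the plain ACCEPT is pruned and the REJECT applies, and ACCEPT! restores access.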