I don't understand the example at all. Why won't 192.168.1.4 connect to
the fw? Because it has "all" in the rule?
On 10/10/07, Tom Eastep <[EMAIL PROTECTED]> wrote:
>
> Tom Eastep wrote:
> > Brad Bendily wrote:
> >> On 10/10/07, Tom Eastep <[EMAIL PROTECTED]> wrote:
> >>> Nico Pagliaro wrote:
> >>>> What is the propose of the flag OPTIMEZE?
> >>> http://www.shorewall.net/manpages/shorewall.conf.html
> >>>
> >>> -Tom
> >>>
> >> So, i've read the definition of the OPTIMIZE flag:
> >> These extra rules can be eliminated by setting OPTIMIZE=1.
> >> The OPTIMIZE setting also controls the suppression of redundant
> >> wildcard rules (those specifying "all" in the SOURCE or DEST column).
> >> A wildcard rule is considered to be redundant when it has the same
> >> ACTION and Log Level as the applicable policy.
> >>
> >> What reason would we want to leave this at 0? Why is this an option?
> >> Wouldn't you always want it optimized?
> >
> > Making it unconditional could have broken existing configurations.
>
> Example:
>
> Policy:
> #SOURCE   DEST   POLICY
> loc       fw     ACCEPT
>
> Rules:
> #ACTION   SOURCE            DEST   PROTO   DEST     SOURCE
> #                                          PORT     PORT(S)
> ...
> ACCEPT    loc:192.168.1.4   all    tcp     22
> REJECT    loc               fw     tcp     22
>
>
> Since the ACCEPT rule duplicates the policy for loc->fw, the loc->fw
> ACCEPT rule is not generated under OPTIMIZE=1. As a result, 192.168.1.4
> can no longer connect to the firewall using SSH.
>
> The solution is to modify the ACCEPT rule:
>
> #ACTION   SOURCE            DEST   PROTO   DEST     SOURCE
> #                                          PORT     PORT(S)
> ...
> ACCEPT!   loc:192.168.1.4   all    tcp     22
> REJECT    loc               fw     tcp     22
>
> -Tom
> --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ [EMAIL PROTECTED]
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
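To make the OPTIMIZE=1 behaviour from the quoted example concrete, here is a small added simulation (not Shorewall's code, and not from anyone in the thread) of how a wildcard rule instance that duplicates the policy can be dropped, leaving the later REJECT to catch 192.168.1.4. The zone addresses, the "all" expansion and the first-match evaluation are assumptions chosen to mirror the thread's policy and rules; the Log Level part of the redundancy test is left out.

```python
# Added illustration, not Shorewall code: a toy model of OPTIMIZE=1
# "redundant wildcard rule" suppression using the thread's loc->fw example.
# Zone addresses and the expansion/evaluation logic are constructed assumptions.
import ipaddress

ZONES = {"loc": "192.168.1.0/24", "fw": "10.0.0.1/32", "net": "0.0.0.0/0"}
POLICY = {("loc", "fw"): "ACCEPT", ("loc", "net"): "ACCEPT", ("net", "fw"): "DROP"}

# (action, source zone, source host or None, dest zone, proto, dest port)
RULES = [
    ("ACCEPT", "loc", "192.168.1.4", "all", "tcp", 22),
    ("REJECT", "loc", None, "fw", "tcp", 22),
]
# The thread's fix: a trailing '!' exempts the rule from suppression.
FIXED = [("ACCEPT!",) + RULES[0][1:], RULES[1]]

def expand(rules, optimize):
    """Expand 'all' into one instance per destination zone. Under OPTIMIZE=1
    an instance whose ACTION equals the applicable policy is not generated."""
    out = []
    for action, szone, shost, dzone, proto, dport in rules:
        forced = action.endswith("!")
        base = action.rstrip("!")
        dests = [z for z in ZONES if z != szone] if dzone == "all" else [dzone]
        for dz in dests:
            if (optimize and dzone == "all" and not forced
                    and POLICY.get((szone, dz)) == base):
                continue  # considered redundant: same action as the policy
            out.append((base, szone, shost, dz, proto, dport))
    return out

def zone_of(ip):
    for zone, net in ZONES.items():
        if zone != "net" and ipaddress.ip_address(ip) in ipaddress.ip_network(net):
            return zone
    return "net"

def verdict(rules, src, dst, proto, dport, optimize):
    """First matching generated rule wins; otherwise the policy applies."""
    sz, dz = zone_of(src), zone_of(dst)
    for action, rs, rh, rd, rp, rdp in expand(rules, optimize):
        if (rs, rd, rp, rdp) == (sz, dz, proto, dport) and rh in (None, src):
            return action
    return POLICY[(sz, dz)]

if __name__ == "__main__":
    for name, rs in (("original", RULES), ("with ACCEPT!", FIXED)):
        for opt in (0, 1):
            print(name, "OPTIMIZE=%d:" % opt,
                  verdict(rs, "192.168.1.4", "10.0.0.1", "tcp", 22, opt))
```

Running it shows the original rules giving ACCEPT under OPTIMIZE=0 but REJECT under OPTIMIZE=1, and ACCEPT! restoring ACCEPT in both cases.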