Nico Pagliaro wrote:
> I don't understand the example at all. Why won't 192.168.1.4 connect to
> the fw? Because it has "all" in the rule?
Nico -- please don't top-post.

> Example:
>
> Policy:
> #SOURCE   DEST   POLICY
> loc       fw     ACCEPT
>
> #ACTION   SOURCE            DEST   PROTO   DEST     SOURCE
> #                                          PORT     PORT(S)
> ...
> ACCEPT    loc:192.168.1.4   all    tcp     22
> REJECT    loc               fw     tcp     22

Let's assume that the zones file is:

fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4

When processing the first rule above, the Shorewall compiler expands it into three rules:

ACCEPT    loc:192.168.1.4   fw
ACCEPT    loc:192.168.1.4   net
ACCEPT    loc:192.168.1.4   dmz

It does not include a loc->loc rule; it would only do that if the DEST column contained 'all+'.

Now the first rule appears to be superfluous because the loc->fw policy is ACCEPT. So with OPTIMIZE=1, the rule is omitted from the ruleset. This only happens with wildcard rules (those containing some form of 'all' in either SOURCE or DEST). If the rules file had contained the first rule explicitly, it would not have been omitted.

As I mentioned in the previous email, if the ACTION is followed by "!", no wildcard optimization occurs.

-Tom

-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ [EMAIL PROTECTED]
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
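To make the expansion-then-optimization sequence Tom describes concrete, here is a small model of it in Python. This is an added example, not Shorewall's compiler or any code from the thread: it implements only the behaviour stated in the reply ('all' expands to every other zone, 'all+' also includes the zone itself, OPTIMIZE=1 drops an expanded wildcard rule whose ACTION equals the policy for that zone pair, an explicit rule or an ACTION with a '!' suffix is never dropped) and then walks the resulting ruleset first-match for 192.168.1.4 -> fw tcp/22. The zones, policy and rules are the ones quoted above; the catch-all DROP policy for pairs the message does not list, and the single-column port syntax, are assumptions of this example.

```python
"""Model of Shorewall wildcard ('all'/'all+') expansion and OPTIMIZE=1.

Added example, not Shorewall's own code. It reproduces the behaviour the
mailing-list reply describes and nothing more.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ZONES = ["fw", "net", "loc", "dmz"]            # zones file quoted in the reply
POLICY = {("loc", "fw"): "ACCEPT"}             # policy file quoted in the reply
DEFAULT_POLICY = "DROP"                        # assumption: catch-all policy

# rules file quoted in the reply (constructed sample input)
RULES = [
    "ACCEPT loc:192.168.1.4 all tcp 22",
    "REJECT loc fw tcp 22",
]


@dataclass(frozen=True)
class Rule:
    action: str
    src_zone: str
    dst_zone: str
    proto: str = "-"
    dport: str = "-"
    src_addr: Optional[str] = None
    optimizable: bool = False   # True only for wildcard rules without '!'


def split_zone(spec: str) -> Tuple[str, Optional[str]]:
    """'loc:192.168.1.4' -> ('loc', '192.168.1.4'); 'loc' -> ('loc', None)."""
    zone, _, addr = spec.partition(":")
    return zone, (addr or None)


def expand_zone(zone: str, other: str) -> List[str]:
    """'all' -> every zone except `other` (no intra-zone rule); 'all+' -> all."""
    if zone == "all":
        return [z for z in ZONES if z != other]
    if zone == "all+":
        return list(ZONES)
    return [zone]


def expand(rule_line: str) -> List[Rule]:
    """Expand one rules-file line into concrete zone-pair rules."""
    action, src, dst, proto, dport = (rule_line.split() + ["-", "-"])[:5]
    no_opt = action.endswith("!")             # 'ACCEPT!' disables optimization
    action = action.rstrip("!")
    src_zone, src_addr = split_zone(src)
    dst_zone, _ = split_zone(dst)
    wildcard = src_zone in ("all", "all+") or dst_zone in ("all", "all+")
    out = []
    for s in expand_zone(src_zone, dst_zone):
        for d in expand_zone(dst_zone, s):
            out.append(Rule(action, s, d, proto, dport, src_addr,
                            optimizable=wildcard and not no_opt))
    return out


def compile_rules(lines: List[str], optimize: int = 1) -> List[Rule]:
    """Expand every line; with OPTIMIZE=1 drop wildcard-derived rules whose
    ACTION already equals the policy for that zone pair."""
    compiled = []
    for line in lines:
        for r in expand(line):
            policy = POLICY.get((r.src_zone, r.dst_zone), DEFAULT_POLICY)
            if optimize and r.optimizable and r.action == policy:
                continue                       # looks superfluous: omitted
            compiled.append(r)
    return compiled


def evaluate(compiled: List[Rule], src_zone: str, src_addr: str,
             dst_zone: str, proto: str, dport: int) -> str:
    """First matching rule wins; otherwise the zone-pair policy applies."""
    for r in compiled:
        if (r.src_zone, r.dst_zone) != (src_zone, dst_zone):
            continue
        if r.src_addr and r.src_addr != src_addr:
            continue
        if r.proto != "-" and r.proto != proto:
            continue
        if r.dport != "-" and r.dport != str(dport):
            continue
        return r.action
    return POLICY.get((src_zone, dst_zone), DEFAULT_POLICY)


def ssh_verdict(lines: List[str], optimize: int = 1) -> str:
    """Verdict for 192.168.1.4 in loc connecting to the firewall on tcp/22."""
    return evaluate(compile_rules(lines, optimize), "loc", "192.168.1.4",
                    "fw", "tcp", 22)


if __name__ == "__main__":
    for r in compile_rules(RULES):
        print(r.action, f"{r.src_zone}:{r.src_addr or ''}", r.dst_zone,
              r.proto, r.dport)
    print("OPTIMIZE=1:", ssh_verdict(RULES))                 # REJECT
    print("OPTIMIZE=0:", ssh_verdict(RULES, optimize=0))     # ACCEPT
    print("ACTION '!':", ssh_verdict(["ACCEPT! loc:192.168.1.4 all tcp 22",
                                      "REJECT loc fw tcp 22"]))  # ACCEPT
```

Running it shows the point of the reply: the loc->fw part of the wildcard rule is dropped because it agrees with the policy, so the later REJECT loc fw tcp 22 is the first match and the host is rejected; the same ruleset with OPTIMIZE=0, with the rule written explicitly as ACCEPT loc:192.168.1.4 fw tcp 22, or with ACCEPT! keeps the rule ahead of the REJECT and the connection is accepted.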
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
