Tom Eastep wrote:
> Tom Eastep wrote:
>
>> Robert Moskowitz wrote:
>>
>>> I have 2 interfaces: Pub and VoIP
>>>
>>> I need to allow port 80 into VoIP (FreePBX functions), and 80 out (yum
>>> updates), so I have the rules:
>>>
>>> ACCEPT Pub VoIP tcp 80
>>> ACCEPT VoIP Pub tcp 80
>>> ACCEPT fw Pub tcp 80
>>>
>>>
>>> Seems this can be expressed in one rule:
>>>
>>> ACCEPT all all- tcp 80
>>>
>>>
>>> Is the one rule 'faster' than the three?
>>>
>> No -- Shorewall expands the one rule into three.
>>
>>
>
> Actually, it expands into 4 rules:
>
> Pub->Voip
> Voip->Pub
> fw->Voip
> fw->Pub

And thus another exercise in the danger of too general of a rule.

The fw->VoIP does not hurt in this case. But we see the point....

So now I will go over my general rules.

Where I need bi-directional session initiation, I have used the form:

ACCEPT all- all- {tcp|udp} <port list>

This does seem to only expand to the rules:

ACCEPT Pub VoIP {tcp|udp} <port list>
ACCEPT VoIP Pub {tcp|udp} <port list>
.....
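
Added example, not part of the original messages and not Shorewall's own code: a simplified Python model of the wildcard expansion discussed in this thread, used to compare a wildcard rule against the explicit rules it is meant to replace. It assumes the thread's zones (Pub, VoIP, fw), that `all` includes the firewall zone while `all-` excludes it, and that wildcard expansion skips same-zone pairs; the function names are hypothetical.

```python
# Simplified model of Shorewall zone-wildcard expansion (assumption-based,
# not Shorewall code). Zone names are the ones used in the thread.
ZONES = ["Pub", "VoIP"]
FIREWALL = "fw"
WILDCARDS = {"all": [FIREWALL] + ZONES,   # every zone, firewall included
             "all-": list(ZONES)}         # every zone except the firewall


def expand_rule(line):
    """Expand one rules line into a set of (action, src, dst, proto, ports)."""
    action, src, dst, proto, ports = line.split()
    wildcard = src in WILDCARDS or dst in WILDCARDS
    return {
        (action, s, d, proto, ports)
        for s in WILDCARDS.get(src, [src])
        for d in WILDCARDS.get(dst, [dst])
        # Assumption: same-zone pairs are only skipped for wildcard rules.
        if not (wildcard and s == d)
    }


def audit(wildcard_rule, intended_rules):
    """Return (extra, missing): what the wildcard opens beyond the intended
    explicit rules, and what the explicit rules allow that it does not."""
    generated = expand_rule(wildcard_rule)
    intended = set().union(*(expand_rule(r) for r in intended_rules))
    return sorted(generated - intended), sorted(intended - generated)


# The three explicit rules from the original question.
INTENDED = [
    "ACCEPT Pub VoIP tcp 80",
    "ACCEPT VoIP Pub tcp 80",
    "ACCEPT fw Pub tcp 80",
]

if __name__ == "__main__":
    for rule in ("ACCEPT all all- tcp 80", "ACCEPT all- all- tcp 80"):
        extra, missing = audit(rule, INTENDED)
        print(rule)
        for _, s, d, proto, ports in extra:
            print(f"  extra:   {s}->{d} {proto} {ports}")
        for _, s, d, proto, ports in missing:
            print(f"  missing: {s}->{d} {proto} {ports}")
```

On a running firewall the generated chains remain the authoritative record of what a rule expanded to.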