Brian J. Murrell wrote:
I would like eventually to get Shorewall entirely out of the routing business because I really think that routing should be controlled separately from the firewall. There is no earthly reason why restarting the firewall should have to rebuild the policy routing configuration (although that can be avoided by using the '-r' option of restart).
My 4.0.6 does not show a -r option to restart.
Sorry -- I meant '-n'.
But yes, I agree that policy routing and general firewalling are only very loosely related if at all and only by nature of the firewalling rules marking packets for policy routing. In that latter case, it just makes it easier to build the policy routes from the same configuration source that is marking the packets rather than having to keep two completely unrelated and separate software packages in sync (i.e. wrt to routing policy marks). Perhaps your feeling is that Shorewall should not even be touching the mangle chains and that some policy routing package should be doing that.
It may need to be cooperative where Shorewall creates the overall infrastructure and the policy routing package fills in the appropriate chains (it can do that with iptables-restore without wiping out the entire table).
Similarly, there should be no need to reload the Netfilter ruleset to change the policy routing configuration
Indeed!
(although the 'refresh' command under Shorewall-perl does that to a large extent).
Oh? Does it? Now that would be nice. Ahhh. But you said Shorewall-perl. I suppose there is no parallel operation for shorewall-lite?
Not really.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
