Tom Eastep wrote:
> Matt Stocum wrote:
>
>> The bridge approach so far is working, and has the "nice" side effect
>> of hiding the firewall from traceroute. The one issue I did find is
>> that the firewall is logging a lot of dropped packets that aren't
>> destined for any of the hosts behind the firewall. For some reason
>> traffic to a few hosts on the network is apparently being broadcast,
>> instead of directed to one specific port on a switch. My solution was
>> to add the following line to the end of
>> /usr/share/shorewall/action.Drop
>>
>> DROP - !$ALLHOSTS
>>
>> Where $ALLHOSTS is defined in params to be a list of all of my hosts.
>> Is there a better, more automatic way, that I can tell Shorewall to
>> ignore any traffic not destined for a host on the protected side of
>> the firewall?
>
> It is never a good idea to modify any file in /usr/share/shorewall. Next
> time you upgrade, your change will get wiped out. The recommended method
> is to copy the file you want to change to /etc/shorewall and then to
> modify the copy.
>
> A more straight-forward way to approach this would be to add the
> appropriate simple DROP rules to your rules file.
>
It would also be a good idea to identify the source of this traffic and
to understand why it is being passed to your router/firewall. Its
presence may signal a network and/or switch configuration issue.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
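The rules-file approach Tom recommends, written out as an added example that is not from the original thread or from the Shorewall project; the host addresses are constructed placeholders and the zone names net/loc and file paths are assumptions about the poster's setup:

```text
# /etc/shorewall/params  (added example; addresses are constructed placeholders)
# Every address the bridged firewall protects, comma-separated, so the
# list is maintained in one place instead of inside a copied action file.
ALLHOSTS=192.0.2.10,192.0.2.11,192.0.2.12

# /etc/shorewall/rules  (added example; zone names net/loc are assumptions)
#ACTION   SOURCE   DEST              PROTO   DEST
#                                            PORT(S)
# Discard, without logging, anything arriving from the outside that is not
# addressed to one of our hosts (the switch-flooded traffic in the thread).
# Rules are evaluated before the zone policy, so this stops the packets
# before the policy's Drop action ever sees and logs them.
DROP      net      loc:!$ALLHOSTS
# Ordinary rules for the protected hosts follow, for instance:
ACCEPT    net      loc:192.0.2.10    tcp     80,443
```

Run `shorewall check` before `shorewall restart` so a typo in the host list is caught before the live ruleset is replaced. Because the flooded frames are now dropped silently, keep a packet capture or switch MAC-table inspection in hand if you still want to track down why the switch is flooding them, as Tom suggests.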
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
