Great, thanks. Although the packet arrives first on a local interface, the feature has to be turned off on the outgoing interface and not on the local (incoming) one, right?

Cheers
Mike

-----Original Message-----
From: Tom Eastep [mailto:[email protected]]
Sent: Friday, 16 April 2010 17:52
To: Shorewall Users
Subject: Re: [Shorewall-users] Route availability check

Michael Weickel - iQom Business Services GmbH wrote:
> Hi list,
>
> is it true that Shorewall is not willing to forward traffic from a source-ip
> which is not reachable by a static route from Shorewall itself? To say it
> another way. If Shorewall's routing interface is neither connected nor able
> to reach that source ip does it forward or deny it?
>
> So the situation is the following. I send from an ip which is not part of
> interface nor hosts file. But Shorewall should forward that packet as well
> matching the default route without knowing a way back to the source ip.
>
> All I see is a packet arriving on the local interface but I don't see it
> leave the external one nor do I see any drop or reject by shorewall. If I tell
> Shorewall the route to the source ip it works fine but I don't want this
> route to be configured and I want to know if this is maybe a Shorewall
> feature which can be turned off? And if it is a Shorewall feature does
> anybody know if there is an article to read about?
>
> The same feature is available from Cisco, there it is called
> ip-verify-unicast-source-reachable.

In Shorewall, it's called route filtering. In the kernel, it's called
Reverse-path filtering. Both Shorewall and sysctl.conf can be used to
control it.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
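
An added example, not part of the original thread and not Shorewall's own code: a shell sketch that reports the reverse-path filtering mode the Linux kernel actually applies per interface, which is the higher of `conf/all/rp_filter` and `conf/<iface>/rp_filter` (0 = off, 1 = strict, 2 = loose). The function names and the optional root-directory argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: effective IPv4 reverse-path filter mode per interface.
# rp_mode_name, rp_effective and rp_report are hypothetical helper names.

# Map the numeric rp_filter value to its meaning.
rp_mode_name() {
    case "$1" in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

# rp_effective IFACE [ROOT]
# Prints the value the kernel uses for IFACE: max(all, IFACE).
# ROOT defaults to the live sysctl tree; a test directory can be passed instead.
rp_effective() {
    iface=$1
    root=${2:-/proc/sys/net/ipv4/conf}
    [ -r "$root/$iface/rp_filter" ] || return 1
    all=$(cat "$root/all/rp_filter" 2>/dev/null || echo 0)
    own=$(cat "$root/$iface/rp_filter")
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# rp_report [ROOT]
# One line per interface: name, effective value, mode name.
rp_report() {
    root=${1:-/proc/sys/net/ipv4/conf}
    for dir in "$root"/*/; do
        iface=$(basename "$dir")
        # "all" and "default" are templates, not real interfaces.
        case "$iface" in all|default) continue ;; esac
        eff=$(rp_effective "$iface" "$root") || continue
        echo "$iface $eff $(rp_mode_name "$eff")"
    done
}

# On a live Linux system, print the report for the running kernel.
if [ -d /proc/sys/net/ipv4/conf ]; then
    rp_report
fi
```

An interface that shows `off` here while `all` is non-zero cannot occur, because the kernel takes the maximum; to relax filtering on one interface, `all` has to be lowered as well.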
