I noticed an issue today where a DROP rule at the top of my rules was optimized out when OPTIMIZE=1. The rule was a wildcard rule and I know category 1 optimization does remove those, but it has a different log level, so I thought it would remain.
This is with shorewall version 4.4.10.3. Here are the files:

----------------------------------------------------------------------
interfaces:
net     eth0
loc     eth1

zones:
fw      firewall
net     ipv4
loc     ipv4

policy:
loc     net     ACCEPT
net     all     DROP
all     all     REJECT  info

rules:
DROP:info:BL    net:1.1.1.1     all                tcp     smtp
DNAT            net             loc:192.168.1.1    tcp     smtp
----------------------------------------------------------------------

With OPTIMIZE=0, I get this:

% shorewall compile -v1 -e . - | grep -E '(net2loc|log1)'
:log1 - [0:0]
:net2loc - [0:0]
-A FORWARD -i eth0 -o eth1 -j net2loc
-A log1 -j LOG --log-level 6 --log-prefix "Shorewall:net2loc:DROP:BL "
-A log1 -j DROP
-A net2loc -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A net2loc -p 6 --dport 25 -s 1.1.1.1 -g log1
-A net2loc -p 6 --dport 25 -d 192.168.1.1 -j ACCEPT
-A net2loc -g net2all

With OPTIMIZE=1, I get this:

% shorewall compile -v1 -e . - | grep net2loc
:net2loc - [0:0]
-A FORWARD -i eth0 -o eth1 -j net2loc
-A net2loc -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A net2loc -p 6 --dport 25 -d 192.168.1.1 -j ACCEPT
-A net2loc -g net2all

The difference is that with OPTIMIZE=0, smtp traffic from 1.1.1.1 is dropped and logged. With OPTIMIZE=1, it is accepted. Is this a bug?

-- 
David Rothenberger  ----  [email protected]

"Paul Lynde to block..."
        -- a contestant on "Hollywood Squares"
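The divergence above can be caught mechanically before a ruleset is loaded: walk the compiled chains for the packet the blacklist rule is meant to stop and confirm the verdict is the same with and without optimization. The script below is an added example, not part of the post above and not Shorewall's own code. It embeds the two compiled outputs quoted in the post as constructed test input, implements a deliberately simplified chain walker (only the -s, -d, -p, --dport and --ctstate matchers, with -j and -g semantics, the non-terminating LOG target, and the unresolved net2all chain reported by name), and reports a regression when the OPTIMIZE=1 verdict differs from the OPTIMIZE=0 one. The packet tuple, function names and the "NEW" connection state are assumptions made for the check.

```python
import shlex
from typing import Dict, List, Optional, Tuple

# Constructed input: the two compiled chain listings quoted in the post.
UNOPTIMIZED = """\
:log1 - [0:0]
:net2loc - [0:0]
-A FORWARD -i eth0 -o eth1 -j net2loc
-A log1 -j LOG --log-level 6 --log-prefix "Shorewall:net2loc:DROP:BL "
-A log1 -j DROP
-A net2loc -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A net2loc -p 6 --dport 25 -s 1.1.1.1 -g log1
-A net2loc -p 6 --dport 25 -d 192.168.1.1 -j ACCEPT
-A net2loc -g net2all
"""

OPTIMIZED = """\
:net2loc - [0:0]
-A FORWARD -i eth0 -o eth1 -j net2loc
-A net2loc -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A net2loc -p 6 --dport 25 -d 192.168.1.1 -j ACCEPT
-A net2loc -g net2all
"""

# Assumed packet: a new SMTP connection from the blacklisted host, seen in
# FORWARD after DNAT has rewritten the destination to the internal server.
BLACKLISTED_SMTP = {"src": "1.1.1.1", "dst": "192.168.1.1",
                    "proto": "6", "dport": 25, "state": "NEW"}
OTHER_SMTP = dict(BLACKLISTED_SMTP, src="2.2.2.2")

Rule = dict
Chains = Dict[str, List[Rule]]


def parse_chains(text: str) -> Chains:
    """Parse iptables-save style '-A chain ...' lines into per-chain rule dicts."""
    chains: Chains = {}
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        toks = shlex.split(line)  # keeps the quoted --log-prefix as one token
        chain = toks[1]
        rule: Rule = {"src": None, "dst": None, "proto": None, "dport": None,
                      "ctstate": None, "target": None, "goto": False}
        i = 2
        while i < len(toks):
            t, nxt = toks[i], toks[i + 1] if i + 1 < len(toks) else None
            if t == "-s":
                rule["src"] = nxt
            elif t == "-d":
                rule["dst"] = nxt
            elif t == "-p":
                rule["proto"] = nxt
            elif t == "--dport":
                rule["dport"] = int(nxt)
            elif t == "--ctstate":
                rule["ctstate"] = nxt.split(",")
            elif t in ("-j", "-g"):
                rule["target"], rule["goto"] = nxt, (t == "-g")
            else:
                i += 1  # -m, -i, -o, --log-*: not modelled, skip token only
                continue
            i += 2
        chains.setdefault(chain, []).append(rule)
    return chains


def matches(rule: Rule, pkt: dict) -> bool:
    """True when every matcher present on the rule agrees with the packet."""
    if rule["src"] and rule["src"] != pkt["src"]:
        return False
    if rule["dst"] and rule["dst"] != pkt["dst"]:
        return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    if rule["ctstate"] and pkt["state"] not in rule["ctstate"]:
        return False
    return True


def verdict(chains: Chains, chain: str, pkt: dict,
            logged: bool = False) -> Tuple[Optional[str], bool]:
    """Walk `chain` for `pkt`; return (terminal target or unresolved chain, logged?)."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        tgt = rule["target"]
        if tgt == "LOG":          # non-terminating: note it and keep walking
            logged = True
            continue
        if tgt in ("ACCEPT", "DROP", "REJECT"):
            return tgt, logged
        if tgt in chains:         # user chain we know about
            sub, logged = verdict(chains, tgt, pkt, logged)
            if sub is not None or rule["goto"]:
                return sub, logged   # -j returns on fallthrough, -g does not
            continue
        return tgt, logged        # e.g. net2all: not in the listing, report by name
    return None, logged


def check(text: str, pkt: dict = BLACKLISTED_SMTP) -> Tuple[Optional[str], bool]:
    return verdict(parse_chains(text), "net2loc", pkt)


def optimization_regressed(unopt: str, opt: str, pkt: dict = BLACKLISTED_SMTP) -> bool:
    """True when optimization changed the verdict or lost the log entry."""
    return check(unopt, pkt) != check(opt, pkt)


if __name__ == "__main__":
    for label, text in (("OPTIMIZE=0", UNOPTIMIZED), ("OPTIMIZE=1", OPTIMIZED)):
        print(label, "blacklisted host ->", check(text))
    print("regression:", optimization_regressed(UNOPTIMIZED, OPTIMIZED))
```

Run against the two listings, the checker reports ("DROP", True) for the unoptimized chain and ("ACCEPT", False) for the optimized one, which is exactly the behavioural change the post describes; a non-blacklisted sender gets ACCEPT in both. In practice the two texts would come from running `shorewall compile -e` twice with different OPTIMIZE settings and the packet list from the hosts named in the rules file.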
