On 7/9/10 12:50 PM, David Rothenberger wrote:
> I noticed an issue today where a DROP rule at the top of my rules
> was optimized out when OPTIMIZE=1. The rule was a wildcard rule and
> I know category 1 optimization does remove those, but it has a
> different log level, so I thought it would remain.
>
> This is with shorewall version 4.4.10.3.
>
> Here are the files:
> ----------------------------------------------------------------------
> interfaces:
> net eth0
> loc eth1
>
> zones:
> fw firewall
> net ipv4
> loc ipv4
>
> policy:
> loc net ACCEPT
> net all DROP
> all all REJECT info
>
> rules:
> DROP:info:BL net:1.1.1.1 all tcp smtp
> DNAT net loc:192.168.1.1 tcp smtp
> ----------------------------------------------------------------------
>
> With OPTIMIZE=0, I get this:
>
> % shorewall compile -v1 -e . - | grep -E '(net2loc|log1)'
> :log1 - [0:0]
> :net2loc - [0:0]
> -A FORWARD -i eth0 -o eth1 -j net2loc
> -A log1 -j LOG --log-level 6 --log-prefix "Shorewall:net2loc:DROP:BL "
> -A log1 -j DROP
> -A net2loc -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A net2loc -p 6 --dport 25 -s 1.1.1.1 -g log1
> -A net2loc -p 6 --dport 25 -d 192.168.1.1 -j ACCEPT
> -A net2loc -g net2all
>
> With OPTIMIZE=1, I get this:
>
> % shorewall compile -v1 -e . - | grep net2loc
> :net2loc - [0:0]
> -A FORWARD -i eth0 -o eth1 -j net2loc
> -A net2loc -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A net2loc -p 6 --dport 25 -d 192.168.1.1 -j ACCEPT
> -A net2loc -g net2all
>
> The difference is that with OPTIMIZE=0, smtp traffic from 1.1.1.1 is
> dropped and logged. With OPTIMIZE=1, it is accepted.
>
> Is this a bug?
No. It is the way that OPTIMIZE=1 works; if a rule containing 'all'
matches the applicable policy, then the rule is omitted. To make this
work with OPTIMIZE=1, you must use:
DROP!:info:BL net:1.1.1.1 all tcp smtp
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
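As an added example, not part of the thread and not shorewall's own code, here is a small POSIX sh check that reads the text `shorewall compile -v1 -e . -` prints and confirms that a DROP for a given source host is still present in a chain, following one `-j`/`-g` hop into the log chain that a logged DROP compiles to. The two embedded rulesets are copied from the OPTIMIZE=0 and OPTIMIZE=1 outputs quoted above; the function name `rule_drops` and the variable names are assumptions. It shows the general check rather than only this host: any chain, any source, with or without a logging hop.

```shell
#!/bin/sh
# Added example, not from the thread: verify that a blacklist DROP for a
# source host survived compilation. Input is the text that
# `shorewall compile -v1 -e . -` prints; the two samples below are copied
# from the outputs quoted in the thread (constructed sample data here).

OPTIMIZE0_RULES=':log1 - [0:0]
:net2loc - [0:0]
-A FORWARD -i eth0 -o eth1 -j net2loc
-A log1 -j LOG --log-level 6 --log-prefix "Shorewall:net2loc:DROP:BL "
-A log1 -j DROP
-A net2loc -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A net2loc -p 6 --dport 25 -s 1.1.1.1 -g log1
-A net2loc -p 6 --dport 25 -d 192.168.1.1 -j ACCEPT
-A net2loc -g net2all'

OPTIMIZE1_RULES=':net2loc - [0:0]
-A FORWARD -i eth0 -o eth1 -j net2loc
-A net2loc -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A net2loc -p 6 --dport 25 -d 192.168.1.1 -j ACCEPT
-A net2loc -g net2all'

# rule_drops RULESET CHAIN SRC   (hypothetical helper)
# Returns 0 if CHAIN holds a rule matching "-s SRC" whose target is DROP,
# either directly or after one -j/-g hop into a chain that contains an
# unconditional DROP (the log1 chain a logged DROP compiles to).
# Returns 1 otherwise, i.e. when the rule is missing or lands elsewhere.
rule_drops() {
    rs_ruleset=$1 rs_chain=$2 rs_src=$3
    # Target of the first rule in CHAIN carrying "-s SRC".
    rs_target=$(printf '%s\n' "$rs_ruleset" | awk -v c="$rs_chain" -v s="$rs_src" '
        $1 == "-A" && $2 == c {
            for (i = 3; i < NF; i++) {
                if ($i == "-s" && $(i + 1) == s) {
                    for (j = 3; j < NF; j++) {
                        if ($j == "-j" || $j == "-g") { print $(j + 1); exit }
                    }
                }
            }
        }')
    [ -n "$rs_target" ] || return 1          # no rule for SRC: optimized out
    [ "$rs_target" = "DROP" ] && return 0    # direct DROP
    # Follow the jump: does the target chain contain an unconditional DROP?
    printf '%s\n' "$rs_ruleset" | awk -v c="$rs_target" '
        $1 == "-A" && $2 == c && $3 == "-j" && $4 == "DROP" { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Stand-alone run: report the blacklisted host's fate under each setting.
for setting in 0 1; do
    if [ "$setting" = 0 ]; then rs=$OPTIMIZE0_RULES; else rs=$OPTIMIZE1_RULES; fi
    if rule_drops "$rs" net2loc 1.1.1.1; then
        echo "OPTIMIZE=$setting: smtp from 1.1.1.1 is dropped in net2loc"
    else
        echo "OPTIMIZE=$setting: WARNING, no DROP for 1.1.1.1 in net2loc"
    fi
done
```

In practice the ruleset would come from piping `shorewall compile -v1 -e . -` into the check rather than from the embedded strings, so the same test can be run before and after changing OPTIMIZE or after adding the `!` to the action, and a silently optimized-out rule shows up as a warning instead of as accepted traffic.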
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
