Hi,

In order to blacklist RFC1918 networks from the Internet, I use NULL_ROUTE_RFC1918=Yes and it works perfectly. However, I noticed a minor problem which I think Shorewall should warn about beforehand. One of the firewalls I configured had 172.16.0.0/20 as the internal interface network, running version 4.4.6 on Ubuntu 10.04.1. After enabling NULL_ROUTE_RFC1918, routing for the internal interface disappeared and the network was blacklisted. I think this behaviour conflicts with the manual, which says:

"...When combined with route filtering (ROUTE_FILTER=Yes or routefilter in shorewall-interfaces(5)), this option ensures that packets with an RFC1918 source address are only accepted from interfaces having known routes to networks using such addresses."

I looked around for a way to customize this option to exclude 172.16/20, but it appears that there is none, so maybe Shorewall should check for exact route matches before adding RFC1918 blacklists. Or is there another way to fix this? (Apart from narrowing the range of the internal network.)

Regards,
--
Can Bican

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
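The check the post asks for, as an added example that is not part of the original message and not Shorewall code: given the routing table of a box (a constructed sample below, modelled on "ip route show" output with a 172.16.0.0/20 internal network as in the post and a hypothetical public address on the external side), it reports which of the three RFC1918 blocks overlaps a route that already exists, so the conflict can be spotted before NULL_ROUTE_RFC1918 is enabled. The interface names and addresses in the sample are assumptions.

```python
"""Overlap check: existing routes vs. the RFC1918 blocks that a null-route
option would blackhole.

Added example for the mailing-list thread; not Shorewall's own code.
Run it stand-alone to see which RFC1918 block collides with a route that
is already present on the box.
"""
import ipaddress

# The three private blocks defined in RFC 1918, section 3.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample, shaped like 'ip route show' output (interface names,
# the 203.0.113.0/24 public range and the 192.168.50.0/24 remote net are
# assumptions; 172.16.0.0/20 on the internal interface is from the post).
SAMPLE_ROUTES = """\
default via 203.0.113.1 dev eth0
203.0.113.0/24 dev eth0  proto kernel  scope link  src 203.0.113.10
172.16.0.0/20 dev eth1  proto kernel  scope link  src 172.16.0.1
192.168.50.0/24 via 172.16.0.254 dev eth1
"""


def parse_routes(text):
    """Return a list of (destination network, rest of line) per route line.

    Only the first field is interpreted; 'default' becomes 0.0.0.0/0 and a
    bare host address is treated as a /32 by ip_network().
    """
    routes = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        dst, _, rest = line.partition(" ")
        if dst == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(dst, strict=False)
        routes.append((net, rest))
    return routes


def rfc1918_conflicts(routes):
    """Map each RFC1918 block (as a string) to the existing destinations it
    overlaps, in either direction (a route inside the block, or a route that
    contains the block). The default route is skipped since it overlaps
    everything and is not what a null route would shadow.
    """
    conflicts = {}
    for block in RFC1918:
        hits = [str(net) for net, _ in routes
                if net.prefixlen > 0
                and (net.subnet_of(block) or block.subnet_of(net))]
        conflicts[str(block)] = hits
    return conflicts


if __name__ == "__main__":
    for block, hits in rfc1918_conflicts(parse_routes(SAMPLE_ROUTES)).items():
        status = ("overlaps existing route(s): " + ", ".join(hits)
                  if hits else "no existing route, safe to null-route")
        print(f"{block}: {status}")
```

On a live system, feed it the real table with `ip -4 route show` instead of the constructed sample; any block that reports an overlap is one where a blanket null route for the whole RFC1918 range collides with a network the firewall is actually expected to route.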
