> When the source is $FW, there is no source interface.
> In other words, "a:11 - 10.1.1.1 tcp 22" is exactly the same as "a:11 $FW 10.1.1.1 tcp 22".

Why is that?

To me, when $FW is specified shorewall should then pick up the IP address of the interface to which the specified class belongs (eth0 in this case, as "a:11" is defined for eth0), and when the actual device is specified, i.e. "a:11 eth0 10.1.1.1 tcp 22", then enforce the use of that interface in the iptables statement instead (it should also give an error if "a:11 tun0 10.1.1.1 tcp 22" is specified, as the class "belongs" to eth0 and that statement will *never* return any matches). Of course, when "a:11 - 10.1.1.1 tcp 22" is specified then no IP address will be included in the iptables statement, but the use of eth0 should really be enforced, as this class makes sense (i.e. is likely to return matches) only on that interface.

> The two rules you want are:
>
> a:11 $FW eth0:10.1.1.1 tcp 22
> b:11 $FW tun0:10.1.1.1 tcp 22

I thought I wasn't allowed to do that. Is there any reason why shorewall moans when I specify "a:11 eth0 10.1.1.1 tcp 22" and I get the 2 warnings? To me that looks like a perfectly legitimate statement (and eth0 is up and running so it has a valid IP address, not to mention that the "tun0 does not exists" message I also get is a complete and utter joke). I also don't see why I should prefix the source interface with the destination address and place all this in the destination column - it is quite confusing and has nothing to do with the destination, quite frankly! Specifying the source interface in the source column (and asking shorewall to take the name of that interface rather than its IP address) seems the more logical choice, don't you think?
Besides, not specifying any interface - like "a:11 $FW 10.1.1.1 tcp 22", for example - makes sense *only* for one interface, eth0 (for tun0 that statement will *never* return a match), so I do not know why shorewall can't pick that "automatically", so to speak (by "looking" at the interface of the class to which this statement refers), or, even better, enforce the use of that interface (eth0 in this case), as the class defined makes sense only for that interface and no other. It is a very similar scenario with ifbX devices as well - the class(es) in use will only make sense (i.e. return matches) on one interface only - that of the class' interface.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
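A small consistency check for the interface-versus-class mismatch discussed in this message, added here as an example and not code from the thread or from Shorewall itself. It assumes the device-to-interface mapping the poster describes (device a = eth0, device b = tun0, which Shorewall would normally take from tcdevices), IPv4 addresses only, and a few constructed tcrules lines; it flags rules whose DEST interface differs from the interface the class is defined on, and rules that name no interface at all.

```python
import re

# Constructed mapping of Shorewall tc device numbers (hex, as in the CLASS
# column) to interfaces, from the poster's description: a = eth0, b = tun0.
TC_DEVICES = {"a": "eth0", "b": "tun0"}

# Constructed tcrules lines in the CLASS SOURCE DEST PROTO DPORT layout used
# in the thread; lines 3 and 4 are the cases the poster objects to.
SAMPLE_TCRULES = """\
a:11 $FW eth0:10.1.1.1 tcp 22
b:11 $FW tun0:10.1.1.1 tcp 22
a:11 $FW tun0:10.1.1.1 tcp 22
a:11 $FW 10.1.1.1 tcp 22
"""

def split_dest(dest, interfaces):
    """Split DEST into (interface, address); IPv4 only, so ':' is the separator."""
    if ":" in dest:
        iface, addr = dest.split(":", 1)
        return iface, addr
    if dest in interfaces:            # bare interface name, no address
        return dest, None
    return None, dest

def check_tcrules(text, devices):
    """Return (line_no, class, message) for rules that cannot match on the
    interface their class is defined on, or that name no interface at all."""
    interfaces = set(devices.values())
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:
            findings.append((n, None, "expected at least CLASS SOURCE DEST"))
            continue
        cls, dest = cols[0], cols[2]
        m = re.fullmatch(r"([0-9a-f]+):([0-9a-f]+)", cls, re.IGNORECASE)
        iface = devices.get(m.group(1).lower()) if m else None
        if iface is None:
            findings.append((n, cls, "CLASS is not a known device:class"))
            continue
        dest_if, _ = split_dest(dest, interfaces)
        if dest_if is None:
            findings.append((n, cls, f"no interface given; only matches on {iface}"))
        elif dest_if != iface:
            findings.append((n, cls, f"DEST is {dest_if} but class is on {iface}; never matches"))
    return findings
```

Running `check_tcrules(SAMPLE_TCRULES, TC_DEVICES)` reports line 3 (class on eth0, DEST on tun0) and line 4 (no interface), and accepts the two rules the earlier reply suggested.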
