On 5/7/11 5:11 AM, Mr Dash Four wrote:
>
>> When the source is $FW, there is no source interface.
>>
> In other words, "a:11 - 10.1.1.1 tcp 22" is exactly the same as "a:11
> $FW 10.1.1.1 tcp 22". Why is that?

Normally, $FW is used to trigger placement of the rule in the OUTPUT chain (actually, in the 'tcout' chain). When a classifier is listed in the first column however, that is overridden and the rule is placed in the POSTROUTING (tcpost) chain. iptables/Netfilter only supports CLASSIFY rules in that chain.

>
> To me, when $FW is specified shorewall should then pick up the IP
> address of the interface to which the specified class belongs (eth0 in
> this case as "a:11" is defined for eth0) and when the actual device is
> specified, i.e. "a:11 eth0 10.1.1.1 tcp 22", then enforce the use of
> that interface in the iptables statement instead (it should also give an
> error if "a:11 tun0 10.1.1.1 tcp 22" is specified as the class "belongs"
> to eth0 and that statement will *never* return any matches).

In *all* Shorewall configuration files, an interface name in the SOURCE column specifies the interface on which the traffic *enters* the firewall (-i option in iptables). So the above statement says that traffic entering the firewall on tun0 and being routed out of eth0 to 10.1.1.1 should be part of class a:11.

If you want to insist that the traffic matching the rule has the primary IP address of eth0 as its source, then you would code:

a:11 &eth0 eth0:10.1.1.1 tcp 22

See http://www.shorewall.net/configuration_file_basics.htm#Rvariables.

>
> Of course, when "a:11 - 10.1.1.1 tcp 22" is specified then no IP address
> will be included in the iptables statement, but the use of eth0 should
> really be enforced as this class makes sense (i.e. likely to return
> matches) only on that interface.
>
>> The two rules you want are:
>>
>> a:11 $FW eth0:10.1.1.1 tcp 22
>> b:11 $FW tun0:10.1.1.1 tcp 22
>>
> I thought I wasn't allowed to do that.
>
> Is there any reason why shorewall moans when I specify "a:11 eth0
> 10.1.1.1 tcp 22" and I get the 2 warnings - that to me looks like a perfectly
> legitimate statement (and eth0 is up and running so it has a valid IP
> address, not to mention that the "tun0 does not exists" message I also
> get is a complete and utter joke)?

The iptables/Netfilter restriction about -i in the output chain requires Shorewall to use the routing table to determine the source addresses of traffic that might enter through the specified interface.

a) If there is a default route out of the interface, it is ignored since that would mean that traffic from *any* address would match.

b) After 8-9 years of getting problem reports that say "My firewall won't start during boot but will later", I put in a warning about it.

>
> I also don't see why I should prefix source interface with destination
> address and place all this in the destination column - it is quite
> confusing and has nothing to do with the destination

The traffic is going *out* of that interface.

> quite frankly!
> Specifying the source interface in the source column (and ask shorewall
> to take the name of that interface rather than its IP address) seems the
> more logical choice, don't you think?

No -- what about forwarded traffic?

>
> Besides, not specifying any interface - like "a:11 $FW 10.1.1.1 tcp 22"
> for example - makes sense *only* for one interface - eth0 (for tun0 that
> statement will *never* return a match)

And maybe someday when I'm desperately bored, I'll make such rules automatically insert the appropriate -o clause in the generated rule.

> , so I do not know why shorewall
> can't pick that "automatically" so to speak (by "looking" at the
> interface of the class for which this statement refers), or, even
> better, enforce the use of that interface (eth0 in this case) as the
> class defined makes sense only for that interface and no other?
>
> It is very similar scenario with ifbX devices as well - the class(es) in
> use will only make sense (i.e. return matches) on one interface only -
> that of the class' interface.

Whatever

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
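The column semantics Tom spells out above (a classifier in column 1 forcing the tcpost chain, a SOURCE interface meaning the entry interface and being turned into source networks from the routing table with the default route ignored, &eth0 resolving to eth0's primary address, and DEST "eth0:10.1.1.1" meaning out of eth0 to 10.1.1.1), as an added worked model in Python. This is not Shorewall's own compiler code; the routing table and primary addresses are constructed for the example, and the field names in the result are assumptions.

```python
# Constructed model of the tcrules column semantics described in the thread.
# Not Shorewall's code: it only shows which Netfilter matches each column implies.

# Constructed routing table: (network, outgoing interface). eth0 carries only the
# default route here, which is why a SOURCE of "eth0" yields no usable networks.
ROUTES = [
    ("0.0.0.0/0", "eth0"),    # default route: would match *any* address, so ignored
    ("10.8.0.0/24", "tun0"),
]
# Constructed primary addresses, as the &iface run-time variables would resolve.
PRIMARY_ADDR = {"eth0": "10.1.1.2", "tun0": "10.8.0.1"}


def source_nets(iface, routes=ROUTES):
    """Networks whose traffic can enter via iface, per the routing table,
    excluding the default route (rule a) in the reply)."""
    return [net for net, dev in routes if dev == iface and net != "0.0.0.0/0"]


def translate(rule):
    """Map 'CLASS SOURCE DEST PROTO DPORT' to the matches the rule implies."""
    cls, src, dest, proto, dport = rule.split()
    out = {"chain": "tcpost",        # classifier in column 1 -> POSTROUTING
           "class": cls, "proto": proto, "dport": dport,
           "in_iface": None, "src": [], "out_iface": None, "dest": None,
           "warnings": []}
    if src in ("$FW", "-"):
        pass                                   # no source interface at all
    elif src.startswith("&"):
        out["src"] = [PRIMARY_ADDR[src[1:]]]   # resolved when the firewall starts
    else:
        out["in_iface"] = src                  # -i is unusable in POSTROUTING,
        out["src"] = source_nets(src)          # so derive source networks instead
        if not out["src"]:
            out["warnings"].append(
                f"no non-default route via {src}; rule would match nothing")
    if ":" in dest:
        out["out_iface"], out["dest"] = dest.split(":", 1)   # -o iface -d addr
    else:
        out["dest"] = dest
    return out
```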
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
