>> To me, when $FW is specified shorewall should then pick up the IP
>> address of the interface to which the specified class belongs (eth0 in
>> this case as "a:11" is defined for eth0) and when the actual device is
>> specified, i.e. "a:11 eth0 10.1.1.1 tcp 22", then enforce the use of
>> that interface in the iptables statement instead (it should also give an
>> error if "a:11 tun0 10.1.1.1 tcp 22" is specified as the class "belongs"
>> to eth0 and that statement will *never* return any matches).
>>
>
> In *all* Shorewall configuration files, an interface name in the SOURCE
> column specifies the interface on which the traffic *enters* the
> firewall (-i option in iptables).
>

My point is that if a class is defined for a particular interface (as is
"a:11" in my case for eth0) this will only ever produce one match, and that
is when this interface is involved, isn't that so?

> If you want to insist that the traffic matching the rule has the primary
> IP address of eth0 as its source, then you would code:
>
> a:11 &eth0 eth0:10.1.1.1 tcp 22
>
> See http://www.shorewall.net/configuration_file_basics.htm#Rvariables.
>

Forgot about variables, but will use this in another place in my rules file.

>> Specifying the source interface in the source column (and asking shorewall
>> to take the name of that interface rather than its IP address) seems the
>> more logical choice, don't you think?
>>
>
> No -- what about forwarded traffic?
>

Ah, right, never thought of that!

>> Besides, not specifying any interface - like "a:11 $FW 10.1.1.1 tcp 22"
>> for example - makes sense *only* for one interface - eth0 (for tun0 that
>> statement will *never* return a match)
>>
>
> And maybe someday when I'm desperately bored, I'll make such rules
> automatically insert the appropriate -o clause in the generated rule.
>

Well, even with your suggestion I still can't make this work unless I
*manually* rearrange the insane rule shorewall places in tcpost (see my
next post).

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
