On 5/8/11 7:08 PM, Mr Dash Four wrote:
>
>>> If I "register" this interface in the interfaces file, but place a dash
>>> (-) and "ignore" in the options column would that work?
>>>
>>
>> It would make your tcrules compile cleanly.
>
> So "- tun0 ignore" it is then (btw the "ignore" option isn't documented
> anywhere in shorewall-interfaces).
>
> One other issue I have been thinking lately - in some circumstances
> shorewall requires the interface to be "present" (or even up) - why is
> this and what happens if the interface suddenly "disappears" (like if I
> am to completely close the tun0 device)?
It depends on whether you have Shorewall-init installed. Since you aren't
beating on me about its shortcomings, I assume that you have not installed
that package.

>
> If I want to "cheat" (as I often do!) I could artificially "open" tun0,
> start shorewall and then close that device. What would happen then (if
> anything)?

Nothing, unless you are running Shorewall-init.

>
>> But you must have extremely liberal policies if traffic in and out of
>> such an interface is accepted by the filtering part of Netfilter.
>>
> tun0 on one of my machines will only serve traffic internally coming
> from one of my subnets, so I am not overly worried about "intrusions".

*All* traffic passing to/from/through the Shorewall box is subject to
Shorewall policies/rules. So traffic involving tun0 is subject to one of
the following policies:

all->fw  : Traffic destined to the Shorewall box.
fw->all  : Traffic originating from the Shorewall box with a destination
           outside that box.
all->all : If neither of the above policies apply.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
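An added illustration of the point above (not code from the thread or from the Shorewall project): a small model of Shorewall's top-down, first-match policy lookup, run over a few constructed flows that touch tun0, to show that each one lands on exactly one of the three policies Tom lists. The interface-to-zone map, the zone name "vpn" for tun0, and the ACCEPT/DROP/REJECT actions are my assumptions, not taken from the page.

```python
# Added example: models Shorewall's first-match policy selection for flows
# that involve tun0. Zones, actions and flows are constructed assumptions.

FW = "$FW"  # the firewall zone, as written in shorewall-policy

# Assumed interface -> zone map; "vpn" for tun0 is an assumption, not from the thread.
IFACE_ZONE = {"eth0": "net", "eth1": "loc", "tun0": "vpn"}

# Policy table in shorewall-policy column order: SOURCE, DEST, POLICY.
# Shorewall reads this table top-down and the first matching row wins.
# Actions are placeholders chosen for the example.
POLICIES = [
    ("all", FW, "DROP"),       # all->fw : traffic destined to the Shorewall box
    (FW, "all", "ACCEPT"),     # fw->all : traffic originating from the box
    ("all", "all", "REJECT"),  # all->all: everything else, i.e. routed traffic
]


def _zone_matches(pattern, zone):
    """'all' is the wildcard; anything else must match the zone name exactly."""
    return pattern == "all" or pattern == zone


def lookup_policy(src_zone, dst_zone, policies=POLICIES):
    """Return (row_index, action) for the first policy row covering the pair."""
    for idx, (src, dst, action) in enumerate(policies):
        if _zone_matches(src, src_zone) and _zone_matches(dst, dst_zone):
            return idx, action
    raise LookupError(f"no policy covers {src_zone}->{dst_zone}")


def classify_flow(in_iface, out_iface):
    """Map a flow to zones. None for an interface means the packet
    originates from or terminates on the firewall itself (zone $FW)."""
    src = FW if in_iface is None else IFACE_ZONE[in_iface]
    dst = FW if out_iface is None else IFACE_ZONE[out_iface]
    return lookup_policy(src, dst)


# Constructed flows involving tun0: (ingress interface, egress interface).
FLOWS = {
    "peer -> box over tun0":   ("tun0", None),
    "box -> peer over tun0":   (None, "tun0"),
    "loc -> vpn through box":  ("eth1", "tun0"),
    "vpn -> net through box":  ("tun0", "eth0"),
}

if __name__ == "__main__":
    for name, (ingress, egress) in FLOWS.items():
        row, action = classify_flow(ingress, egress)
        print(f"{name:26s} -> policy row {row} ({action})")
```

Reordering the rows in POLICIES changes the outcome for flows that match more than one row, which is why the three policies in the mail are listed with all->all last.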
