On Feb 26, 2012, at 2:09 PM, jonetsu wrote:

> For a same configuration in which the default policy is drop and only
> one connection is accepted in rules, continuous pinging to devices
> will stop squarely in 4.0.15 as soon as a very basic firewall is
> enabled whereas in 4.4.26.1, pinging will still continue after the
> firewall is enabled.
>
> All tests are done with proper reboot of the unit3 where the firewall
> is applied:
>
>    unit1     <--->    eth4    unit3    eth1      <--->    unit2
> 192.168.3.2        192.168.3.1    172.30.159.103      172.30.159.102
>                     lan zone         net zone
>
> In this case, continuous pings from unit1 to unit2 will stop when the
> 4.0.15 firewall is applied. Rebooting unit3 with 4.4.26.1 (easily
> made since unit3 is booting from a different compact flash) and
> copying the files from 4.0.15 to it, and executing 'shorewall start'
> will not stop the pings from unit1 to unit2 even though the policy is
> DROP.
>
> Other traffic is effectively stopped, but not so with icmp packets.
>
> I've looked at the changelog and release notes for 4.4.26.1 but did not
> find anything about this.
>
> firewall is very basic, and shorewall.conf is the same:
>
> zones
> fw firewall
> net ipv4
> lan ipv4
>
> interfaces
> net eth1
> lan eth4
>
> policy
> all all DROP
>
> rules
> (none)
>
> Using the same shorewall.conf might not be appropriate so I also tried
> with the shorewall.conf provided in the 4.4.26.1 version, while
> keeping the same zones, interfaces and policy files.

Output of 'shorewall dump' as an attachment, please.

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
