On Sun, 26 Feb 2012 14:33:16 -0800, Tom Eastep <[email protected]> wrote:

> On Feb 26, 2012, at 2:09 PM, jonetsu wrote:
>
> > For the same configuration in which the default policy is DROP and
> > only one connection is accepted in rules, continuous pinging to
> > devices will stop squarely in 4.0.15 as soon as a very basic
> > firewall is enabled, whereas in 4.4.26.1 pinging will still
> > continue after the firewall is enabled.
> >
> > All tests are done with a proper reboot of unit3, where the
> > firewall is applied:
> >
> >   unit1        <--->  eth4  unit3  eth1        <--->  unit2
> >   192.168.3.2         192.168.3.1  172.30.159.103     172.30.159.102
> >   lan zone                         net zone
> >
> > In this case, continuous pings from unit1 to unit2 will stop when
> > the 4.0.15 firewall is applied. Rebooting unit3 with 4.4.26.1
> > (easily done since unit3 is booting from a different compact flash),
> > copying the files from 4.0.15 to it, and executing 'shorewall
> > start' will not stop the pings from unit1 to unit2 even though the
> > policy is DROP.
> >
> > Other traffic is effectively stopped, but not so with ICMP packets.
> >
> > I've looked at the changelog and release notes for 4.4.26.1 but did
> > not find anything about this.
> >
> > The firewall is very basic, and shorewall.conf is the same:
> >
> > zones
> >   fw    firewall
> >   net   ipv4
> >   lan   ipv4
> >
> > interfaces
> >   net   eth1
> >   lan   eth4
> >
> > policy
> >   all   all   DROP
> >
> > rules
> >   (none)
> >
> > Using the same shorewall.conf might not be appropriate, so I also
> > tried with the shorewall.conf provided in the 4.4.26.1 version,
> > while keeping the same zones, interfaces and policy files.
>
> Output of 'shorewall dump' as an attachment, please.
Hmmm.. Not sure if the other one got to you, so here it is. Sorry for any duplicate.

Here is the dump. It was done in the following way:

- unit3: reboot w/o any iptables commands applied
- start continuous pings from unit1
- unit3: shorewall start
- (continuous pings still going on)
- unit3: shorewall dump

192.168.3.2    = unit1 = pinging unit
172.30.159.103 = unit3 = shorewall unit
172.30.159.102 = unit2 = ping target unit

eth1 <--> fe-4-2 unit3 fe-3-1 <--> fe-3-1 eth2

In a parallel iptables-only test it is possible to immediately stop the pings when the iptables rules are applied, by flushing the whole thing before applying any new rules.

Thanks !
shorewall.dump.bz2
Description: application/bzip
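One check worth running on unit3 before and after 'shorewall start', given that a plain iptables flush stops the pings while the DROP policy does not: whether the ping already has a connection-tracking entry on the router, since a stateful ACCEPT for established traffic, if one is evaluated ahead of the policy, would match an existing ICMP echo flow. The script below is an added example, not code from this thread or from Shorewall. It reads a table in the /proc/net/nf_conntrack format; the embedded table is constructed for the example (the addresses are the ones from the thread, the tcp and udp lines are made up), and on a real router you would pass the path to /proc/net/nf_conntrack as the third argument. The conntrack-tools command it prints assumes that package is installed and is only printed, not executed.

```shell
#!/bin/sh
# Added example: look for connection-tracking state for a ping flow between two
# hosts, in the /proc/net/nf_conntrack line format. SAMPLE_CT is a constructed
# table, not output captured from the thread's unit3.
SAMPLE_CT='ipv4     2 tcp      6 431999 ESTABLISHED src=172.30.159.103 dst=172.30.159.102 sport=52114 dport=22 src=172.30.159.102 dst=172.30.159.103 sport=22 dport=52114 [ASSURED] mark=0 use=1
ipv4     2 icmp     1 29 src=192.168.3.2 dst=172.30.159.102 type=8 code=0 id=4123 src=172.30.159.102 dst=192.168.3.2 type=0 code=0 id=4123 mark=0 use=1
ipv4     2 udp      17 27 src=192.168.3.2 dst=192.168.3.1 sport=40000 dport=53 src=192.168.3.1 dst=192.168.3.2 sport=53 dport=40000 mark=0 use=1'

# icmp_flows SRC DST [TABLE]
# Print the ICMP conntrack entries between SRC and DST in either direction.
# TABLE is the table text; it defaults to the constructed sample. For the real
# router: icmp_flows 192.168.3.2 172.30.159.102 "$(cat /proc/net/nf_conntrack)"
icmp_flows() {
    src=$1; dst=$2; table=${3:-"$SAMPLE_CT"}
    printf '%s\n' "$table" | awk -v a="$src" -v b="$dst" '
        $3 == "icmp" {
            # fields 6 and 7 are the original-direction src= and dst=
            split($6, s, "="); split($7, d, "=")
            if ((s[2] == a && d[2] == b) || (s[2] == b && d[2] == a)) print
        }'
}

# count_icmp_flows SRC DST [TABLE]
# Number of matching entries. A non-zero count after "shorewall start" means the
# ping flow still has state that a stateful ACCEPT rule could match.
count_icmp_flows() {
    icmp_flows "$@" | wc -l | tr -d ' '
}

# delete_cmd SRC DST
# The conntrack-tools invocation that would remove that state so the next echo
# request is evaluated as a new connection. Printed only; run it by hand if
# conntrack-tools is installed on the router.
delete_cmd() {
    printf 'conntrack -D -p icmp -s %s -d %s\n' "$1" "$2"
}

# Usage with the constructed sample:
count_icmp_flows 192.168.3.2 172.30.159.102
delete_cmd 192.168.3.2 172.30.159.102
```

Comparing the count before and after 'shorewall start' separates two cases: if the entry survives the start, the pings are being passed on existing state; if the count is zero and pings still flow, the ruleset itself is letting new ICMP through and the 'shorewall dump' is the place to look.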
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
