Paolo Andretta <[email protected]> wrote:

> DNS(ACCEPT) dmz:192.168.110.0/24 all
> DROP dmz:192.168.110.0/24 net:!8.8.8.8,208.67.222.222 udp
>
> Where 8.8.8.8 and 208.67.222.222 are the DNS in /etc/resolv.conf
You have redundant information in there. Since you have an accept rule for the DNS traffic, you don't need to exclude that from the following drop, hence you can just do:

DNS(ACCEPT) dmz:192.168.110.0/24 all
DROP dmz:192.168.110.0/24 net udp

Also, if (as would normally be the case) 192.168.110.0/24 is the whole DMZ zone then you can remove that part - so you are now down to:

DNS(ACCEPT) dmz all
DROP dmz net udp

Depending on your traffic profile and hardware capability, that could be a significant decrease in CPU loading for the same result.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
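The reasoning in the reply rests on first-match evaluation: because the DNS accept rule sits above the UDP drop, the `!8.8.8.8,208.67.222.222` exclusion can never change the verdict for DNS traffic. The simulator below is an added example, not code from this thread or from Shorewall; it models the rules file semantics just far enough to compare the original and simplified rule sets against constructed packets. It assumes the Shorewall `DNS` macro expands to udp/53 and tcp/53, that rules are evaluated top down with the first match winning, and that unmatched traffic falls through to the dmz->net policy (a hypothetical `policy` argument here). It also surfaces the one case where the two rule sets can differ: non-DNS UDP aimed at the resolver addresses themselves, which the original excludes from the drop and leaves to the zone policy.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A minimal packet description: zones, addresses, protocol, destination port."""
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_ip: str
    proto: str
    dport: int


def dns_macro(action, src, dst):
    # Assumption: Shorewall's DNS macro covers udp/53 and tcp/53.
    return [(action, src, dst, "udp", 53), (action, src, dst, "tcp", 53)]


# Rule tuples: (action, source spec, destination spec, protocol, dest port or None).
ORIGINAL = dns_macro("ACCEPT", "dmz:192.168.110.0/24", "all") + [
    ("DROP", "dmz:192.168.110.0/24", "net:!8.8.8.8,208.67.222.222", "udp", None),
]
SIMPLIFIED = dns_macro("ACCEPT", "dmz", "all") + [
    ("DROP", "dmz", "net", "udp", None),
]


def parse_host_spec(spec):
    """Split 'zone', 'zone:net,net' or 'zone:!net,net' into (zone, negated, networks)."""
    if ":" not in spec:
        return spec, False, []
    zone, rest = spec.split(":", 1)
    negate = rest.startswith("!")
    nets = [ipaddress.ip_network(n) for n in rest.lstrip("!").split(",")]
    return zone, negate, nets


def match_host(spec, zone, ip):
    """True if the packet's zone/address satisfies the source or destination spec."""
    z, negate, nets = parse_host_spec(spec)
    if z != "all" and z != zone:
        return False
    if not nets:
        return True
    inside = any(ipaddress.ip_address(ip) in n for n in nets)
    return not inside if negate else inside


def evaluate(rules, pkt, policy):
    """First matching rule decides; otherwise the zone-pair policy applies."""
    for action, src, dst, proto, port in rules:
        if not match_host(src, pkt.src_zone, pkt.src_ip):
            continue
        if not match_host(dst, pkt.dst_zone, pkt.dst_ip):
            continue
        if proto != "all" and proto != pkt.proto:
            continue
        if port is not None and port != pkt.dport:
            continue
        return action
    return policy


# Constructed sample traffic from a DMZ host (addresses are illustrative).
SAMPLES = [
    Packet("dmz", "192.168.110.10", "net", "8.8.8.8", "udp", 53),        # DNS to a resolver
    Packet("dmz", "192.168.110.10", "net", "1.1.1.1", "udp", 53),        # DNS to a non-listed resolver
    Packet("dmz", "192.168.110.10", "net", "8.8.8.8", "tcp", 53),        # DNS over TCP
    Packet("dmz", "192.168.110.10", "net", "203.0.113.5", "udp", 123),   # other UDP to the Internet
    Packet("dmz", "192.168.110.10", "net", "8.8.8.8", "udp", 123),       # other UDP to a resolver
    Packet("dmz", "192.168.110.10", "net", "203.0.113.5", "tcp", 443),   # TCP, untouched by both
]


def verdicts(pkt, policy="DROP"):
    """Return (original verdict, simplified verdict) for one packet."""
    return evaluate(ORIGINAL, pkt, policy), evaluate(SIMPLIFIED, pkt, policy)


def differing_packets(policy="DROP"):
    """Packets for which the two rule sets disagree under the given dmz->net policy."""
    return [p for p in SAMPLES if verdicts(p, policy)[0] != verdicts(p, policy)[1]]


if __name__ == "__main__":
    for p in SAMPLES:
        print(p.proto, p.dst_ip, p.dport, verdicts(p))
    print("differences with ACCEPT policy:", differing_packets("ACCEPT"))
```

With a DROP (or REJECT) policy for dmz->net, `differing_packets("DROP")` is empty, which is the "same result" the reply describes. With a permissive policy the original rule set lets non-DNS UDP reach the two resolver addresses while the simplified one drops it, so checking the zone-pair policy in `/etc/shorewall/policy` before simplifying is the one caveat worth keeping in mind.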
