On 3/2/2014 8:26 AM, Tom Eastep wrote:
> On 3/1/2014 8:42 AM, matt darfeuille wrote:
>> hi,
>>
>> I also applied the patch on shorewall 4.5.21.6 using "patch
>> /usr/share/shorewall/Shorewall/Misc.pm ADMINISABSENTMINDED.patch".
>>
>> If I use hosts listed in the routestopped file (deprecated) the
>> traffic is allowed as expected, but if I use the stoppedrules file the
>> connections are refused no matter what rules I put in the
>> stoppedrules!
>>
>> In other words, with the patch installed I can no longer use the
>> stoppedrules file to determine which hosts should still have access
>> through the firewall when it is stopped.
>
> I have reverted that patch and will look at this again when time permits.
>
After reviewing this situation, we've come to the conclusion that use of the stoppedrules file just doesn't make a lot of sense with ADMINISABSENTMINDED=No as that option is documented. ADMINISABSENTMINDED=No makes the firewall stateless while it is in the stopped state. That isn't a problem with routestopped because the entries in that file are largely bi-directional. The stoppedrules file, on the other hand, assumes a stateful firewall where only the connections need to be allowed and subsequent packets that are part of a connection are automatically accepted.

So for the next point release, I plan to automatically assume ADMINISABSENTMINDED=Yes if there are no routestopped entries and stoppedrules is non-empty (except for comments). A warning will be issued in that case.

-Tom

-- 
Tom Eastep        \   When I die, I want to go like my Grandfather who
Shoreline,         \  died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
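As an added illustration of the point Tom makes above (not code from this thread or from Shorewall itself): a small model of a stopped firewall that can be run stateless (ADMINISABSENTMINDED=No) or stateful, with the host names "admin" and "fw" and the rule representation as constructed assumptions. It shows that a one-way stoppedrules-style entry admits the opening packet but drops the reply on a stateless firewall, while a bi-directional routestopped-style entry passes both directions either way.

```python
"""Constructed model, not Shorewall code: why one-directional stoppedrules
entries fail on a stateless stopped firewall while bi-directional
routestopped entries keep working."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    syn: bool  # True for the packet that opens the connection


@dataclass
class StoppedFirewall:
    # Accept rules as (src, dst) pairs: one per stoppedrules line, or both
    # directions for a routestopped host (see routestopped_rules below).
    allow: set = field(default_factory=set)
    # stateful=True models ADMINISABSENTMINDED=Yes (conntrack still consulted);
    # stateful=False models ADMINISABSENTMINDED=No (purely stateless).
    stateful: bool = False
    conntrack: set = field(default_factory=set)

    def filter(self, pkt: Packet) -> str:
        # Stateful: a reply belonging to an already-accepted flow passes.
        if self.stateful and (pkt.dst, pkt.src) in self.conntrack:
            return "ACCEPT"
        # Otherwise the packet itself must match an explicit accept rule.
        if (pkt.src, pkt.dst) in self.allow:
            if pkt.syn:
                self.conntrack.add((pkt.src, pkt.dst))  # remember the flow
            return "ACCEPT"
        return "DROP"


def routestopped_rules(hosts) -> set:
    """routestopped entries are bi-directional: allow host<->fw both ways."""
    rules = set()
    for h in hosts:
        rules.add((h, "fw"))
        rules.add(("fw", h))
    return rules


def run_exchange(fw: StoppedFirewall, client: str, server: str):
    """Client opens a connection, server replies; return both verdicts."""
    opening = fw.filter(Packet(client, server, syn=True))
    reply = fw.filter(Packet(server, client, syn=False))
    return opening, reply
```

With `allow={("admin", "fw")}` and `stateful=False` the exchange returns `("ACCEPT", "DROP")`, which is the refused connection described in the thread; the same rule with `stateful=True`, or the routestopped-style pair, returns `("ACCEPT", "ACCEPT")`.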
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
