On 29.01.2015 17:24, Tom Eastep wrote:
> On 1/29/2015 8:20 AM, Tom Eastep wrote:
>> On 1/28/2015 12:39 AM, Gerhard Wiesinger wrote:
>>> Hello,
>>>
>>> I've set all ip addresses in /etc/hosts.
>>>
>>> But I'm unable to use
>>> SMTP(ACCEPT)  myzone             loc:smtp-server
>>>
>>>      ERROR: Unknown Interface (smtp-server)
>>> /usr/share/shorewall/macro.SMTP (line 21)
>>>         from /etc/shorewall/rules (line 157)
>>>
>>> # IP addresses work well
>>> SMTP(ACCEPT)  myzone             loc:192.168.99.100
>>>
>>> I know that ipsets are working well but I would like to use some rules
>>> without ipsets.
>>>
>>> On the other hand it works well with DNAT:
>>> SMTP(DNAT)      myzone             loc:smtp-server
>>>
>>> Any ideas how to use it?
>>> If it is not possible any plans to implement it?
>>>
>> All DNS names must be fully-qualified (e.g., my.domain.smtp-server).
>>
> Or rather smtp-server.mydomain.com.
>
> Using the unqualified name in a DNAT rule happens to work because the
> only thing that can directly follow the destination zone is an address.
> But in the case of an ACCEPT rule, it can be an interface name which is
> how the compiler is trying to interpret it.
>

OK, clear now. Any syntax (as an example, just a unique one) like {name}
to force address instead of would be great to have shorter rules.

It also looks like there is another heuristic implemented:
host.mydomain: NOT OK
host.mydomain.: OK
host.mysub.mydomain: OK
host.mysub.mydomain.: OK

Summary: 2 domain parts need the trailing dot, 3 domain parts are
sufficient without the trailing dot.

I also found out that host.mydomain. is resolved via DNS while 
host.mydomain (without the trailing dot) is resolved via /etc/hosts. 
That's not good because we depend on DNS.
Only if the entry in /etc/hosts is also done with a trailing dot (e.g. 
host.mydomain.) then /etc/hosts is used.
(you can verify that by just overriding a public entry in /etc/hosts)

A note in the documentation would be great (maybe there is one, but I 
didn't see it).

Thnx Tom!

Ciao,
Gerhard
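
A pre-compile audit built on the behaviour reported in the message above, added here as an example (not part of the original thread and not Shorewall code): it labels each host in a rules file as an address, a name present in /etc/hosts in the exact spelling used, a name that would need DNS, or a string not accepted as a name. The acceptance heuristic and the exact-spelling match are the poster's observations, not documented Shorewall behaviour; the sample hosts file, the rules and all function names are constructed.

```python
import ipaddress
# Constructed sample data, not taken from the thread.
HOSTS = """\
192.168.99.100 smtp-server smtp-server.mysub.mydomain
192.168.99.101 imap.mydomain.
"""
RULES = """\
# ACTION      SOURCE  DEST
SMTP(ACCEPT)  myzone  loc:192.168.99.100
SMTP(ACCEPT)  myzone  loc:smtp-server
SMTP(ACCEPT)  myzone  loc:smtp-server.mysub.mydomain
SMTP(ACCEPT)  myzone  loc:imap.mydomain.
SMTP(ACCEPT)  myzone  loc:imap.mydomain
SMTP(ACCEPT)  myzone  loc:pop.mysub.mydomain.
"""

def hosts_names(text):
    """Every name and alias in hosts-file text, spelled exactly as written."""
    names = set()
    for line in text.splitlines():
        names.update(line.split("#", 1)[0].split()[1:])
    return names

def classify(host):
    """Apply the acceptance heuristic reported in the message (an observation)."""
    try:
        ipaddress.ip_network(host, strict=False)
        return "address"
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    if len(labels) >= 3 or (len(labels) == 2 and host.endswith(".")):
        return "name"
    return "not-a-name"  # cases the message does not report as accepted

def audit(rules, hosts):
    """Return (host, verdict) for each zone:host in the SOURCE and DEST columns."""
    pinned, report = hosts_names(hosts), []
    for line in rules.splitlines():
        for col in line.split("#", 1)[0].split()[1:3]:
            for host in filter(None, col.partition(":")[2].split(",")):
                kind = classify(host)
                if kind == "name":
                    # Exact spelling, trailing dot included, as the message reports.
                    kind = "hosts-file" if host in pinned else "needs-dns"
                report.append((host, kind))
    return report

if __name__ == "__main__":
    print(*audit(RULES, HOSTS), sep="\n")
```

Entries reported as `needs-dns` are the ones where a firewall compile would depend on a resolver answer rather than on local configuration.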

