On 1/29/2015 11:48 AM, Gerhard Wiesinger wrote:
> On 29.01.2015 17:24, Tom Eastep wrote:
>> On 1/29/2015 8:20 AM, Tom Eastep wrote:
>>> On 1/28/2015 12:39 AM, Gerhard Wiesinger wrote:
>>>> Hello,
>>>>
>>>> I've set all ip addresses in /etc/hosts.
>>>>
>>>> But I'm unable to use
>>>> SMTP(ACCEPT) myzone loc:smtp-server
>>>>
>>>> ERROR: Unknown Interface (smtp-server)
>>>> /usr/share/shorewall/macro.SMTP (line 21)
>>>> from /etc/shorewall/rules (line 157)
>>>>
>>>> # IP addresses work well
>>>> SMTP(ACCEPT) myzone loc:192.168.99.100
>>>>
>>>> I know that ipsets are working well but I would like to use some rules
>>>> without ipsets.
>>>>
>>>> On the other hand it works well with DNAT:
>>>> SMTP(DNAT) myzone loc:smtp-server
>>>>
>>>> Any ideas how to use it?
>>>> If it is not possible any plans to implement it?
>>>>
>>> All DNS names must be fully-qualified (e.g., my.domain.smtp-server).
>>>
>> Or rather smtp-server.mydomain.com.
>>
>> Using the unqualified name in a DNAT rule happens to work because the
>> only thing that can directly follow the destination zone is an address.
>> But in the case of an ACCEPT rule, it can be an interface name which is
>> how the compiler is trying to interpret it.
>>
>
> OK, clear now. Any syntax (as an example, just a unique one) like {name}
> to force an address instead would be great, to have shorter rules.
>
> It also looks like there is another heuristic implemented:
> host.mydomain: NOT OK
> host.mydomain.: OK
> host.mysub.mydomain: OK
> host.mysub.mydomain.: OK
>
> Summary: 2 domain parts need the trailing dot, 3 domain parts are
> sufficient without the trailing dot.
>
> I also found out that host.mydomain. is resolved via DNS while
> host.mydomain (without the trailing dot) is resolved via /etc/hosts.
> That's not good because we depend on DNS.
> Only if the entry in /etc/hosts is also done with a trailing dot (e.g.
> host.mydomain.) then /etc/hosts is used.
> (you can verify that by just overriding a public entry in /etc/hosts)
>
> A note in the documentation would be great (maybe there is one, but I
> didn't see it).

From http://www.shorewall.org/configuration_file_basics.htm#dnsnames:

    Each DNS name must be fully qualified and include a minimum of two
    periods (although one may be trailing). This restriction is imposed by
    Shorewall to insure backward compatibility with existing configuration
    files.

    Example 4. Valid DNS Names

        mail.shorewall.net
        shorewall.net. (note the trailing period)

    Example 5. Invalid DNS Names

        mail (not fully qualified)
        shorewall.net (only one period)

-Tom

-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
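The two-period rule quoted from the documentation, together with the interface-versus-address ambiguity Tom describes for ACCEPT and DNAT rules, as a small lint that can be run over a rules file before compiling. This is an added example written for this page, not Shorewall's own compiler code: the rule-line parsing is simplified to whitespace-separated ACTION/SOURCE/DEST columns with a zone:host DEST, the `+setname` form is treated as Shorewall's ipset syntax, and the sample rules are constructed from the names in the thread. Every DNS name is reported as a note rather than silently accepted, because a rule written with a name means whatever that name resolves to when the rules are loaded, and, as observed above, the trailing dot changes whether /etc/hosts or DNS supplies the answer.

```python
import ipaddress
import re

# Constructed sample in the layout of /etc/shorewall/rules, built from the
# names discussed in the thread (not a real rules file).
SAMPLE_RULES = """\
# ACTION        SOURCE    DEST
SMTP(ACCEPT)    myzone    loc:smtp-server
SMTP(ACCEPT)    myzone    loc:192.168.99.100
SMTP(DNAT)      myzone    loc:smtp-server
SMTP(ACCEPT)    myzone    loc:host.mydomain
SMTP(ACCEPT)    myzone    loc:host.mydomain.
SMTP(ACCEPT)    myzone    loc:host.mysub.mydomain
SMTP(ACCEPT)    myzone    loc:+mailhosts
"""

# One hostname label: letters, digits and hyphens, 1-63 characters.
LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def is_shorewall_dns_name(name):
    """Apply the documented rule: a DNS name must be fully qualified and
    contain at least two periods, one of which may be the trailing dot."""
    if name.count(".") < 2:
        return False
    labels = (name[:-1] if name.endswith(".") else name).split(".")
    return all(LABEL.fullmatch(label) for label in labels)


def classify_host(host):
    """Say how the compiler will read the text after 'zone:' in DEST."""
    if host.startswith("+"):            # +setname: an ipset
        return "ipset"
    try:
        ipaddress.ip_network(host, strict=False)   # address or CIDR
        return "address"
    except ValueError:
        pass
    if is_shorewall_dns_name(host):
        return "dns"
    # Anything else is taken as an interface name, which is where the
    # "ERROR: Unknown Interface (smtp-server)" in the thread comes from.
    return "interface"


def lint_rules(text):
    """Return (line number, severity, message) for every DEST that is
    either not what the author meant or depends on name resolution."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments
        cols = line.split()
        if len(cols) < 3 or ":" not in cols[2]:
            continue
        action, dest = cols[0], cols[2]
        _zone, host = dest.split(":", 1)
        kind = classify_host(host)
        if kind == "interface" and "DNAT" in action:
            findings.append((lineno, "warning",
                f"{host!r} is accepted only because DNAT rules cannot name an "
                f"interface after the zone; it is still not a fully qualified name"))
        elif kind == "interface":
            findings.append((lineno, "error",
                f"{host!r} will be read as an interface name: "
                f"ERROR: Unknown Interface ({host})"))
        elif kind == "dns":
            findings.append((lineno, "note",
                f"{host!r} is a DNS name; the rule means whatever it resolves to "
                f"when the rules are loaded, and the trailing dot changes whether "
                f"/etc/hosts or DNS answers"))
    return findings


if __name__ == "__main__":
    for lineno, severity, message in lint_rules(SAMPLE_RULES):
        print(f"line {lineno}: {severity}: {message}")
```

Run against the sample, the lint flags `smtp-server` and `host.mydomain` in ACCEPT rules as errors, the DNAT use of `smtp-server` as a warning, and the two qualified names as notes; the IP address and the ipset pass without comment.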
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
