shorewall-devel December 2011 archive

Re: [Shorewall-devel] Shorewall 4.4.27 RC2 (with corrected patch)

From: Tom Eastep <teastep_at_nospam>
Date: Fri Dec 30 2011 - 15:23:59 GMT
To: shorewall-devel@lists.sourceforge.net

On Thu, 2011-12-29 at 13:18 -0800, Tom Eastep wrote:
> On Thu, 2011-12-29 at 20:12 +0000, Steven Jan Springl wrote:
> > The patch fixes the above issues.
> >
> > However, if DEST contains fw and an IP address e.g.
> >
> > 1:130:F 10.1.1.0/24 fw:1.1.1.1
> >
> > the iptables error still occurs.
> >
> > My testing indicated that specifying a source of fw is valid for :F.
> > Should Shorewall not allow this?
>
> Steven,
>
> No. Traffic that originates on the firewall does not traverse the
> FORWARD chain. The reason that it was previously working for you is that
> the compiler was silently substituting OUTPUT for FORWARD. Now it is
> generating an error.

I believe that this patch catches all cases that should not be
supported.

Thanks, Steven

-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA      \ all of the passengers in his car
http://shorewall.net \________________________________________________
