shorewall-users June 2011 archive

Re: [Shorewall-users] Shorewall 4.4.20.2

From: Tom Eastep <teastep_at_nospam>
Date: Sat Jun 11 2011 - 13:24:01 GMT
To: Shorewall Users <shorewall-users@lists.sourceforge.net>

On Sat, 2011-06-11 at 00:16 +0100, Mr Dash Four wrote:
> > 3) The 'sfilter' interface option introduced in 4.4.20 was only
> > applied to forwarded traffic. Now it is also applied to traffic
> > addressed to the firewall itself.
> >
> From reading the (annotated version of) interfaces file what I cannot
> understand is the "it should list those local networks that are not
> routed out of the bridge or interface" bit. What does that mean exactly?
> Am I supposed to list the local network this interface belongs to or
> what? You are writing these annotated pages as if I have a PhD in computer
> networks & signalling ffs!

It is regrettable that you didn't stumble over that bit in 4.4.20.1
since, with the exception of the option name, it is identical to what
was in that release (it was incorrectly listed as "filter" in 4.4.20.1).

teastep@sami:~/shorewall/build/4.4.20$ diff -au
shorewall-4.4.20.1/configfiles/interfaces.annotated
shorewall-4.4.20.2/configfiles/interfaces.annotated
--- shorewall-4.4.20.1/configfiles/interfaces.annotated 2011-06-06
16:12:23.000000000 -0700
+++ shorewall-4.4.20.2/configfiles/interfaces.annotated 2011-06-10
13:03:21.000000000 -0700
@@ -189,13 +189,6 @@
 # This option allows DHCP datagrams to enter and
 # leave the interface.
 #
-# filter=(net[,...])
-# Added in Shorewall 4.4.20. This option should be
-# used on bridges or other interfaces with the
-# routeback option. On these interfaces, it should
-# list those local networks that are not routed out
-# of the bridge or interface.
-#
 # logmartians[={0|1}]
 # Turn on kernel martian logging (logging of packets
 # with impossible source addresses. It is strongly
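Review bot: the six removed lines are the same text that is re-added under the new name further down, so this hunk is a rename and nothing in the description changes; in particular the sentence "it should list those local networks that are not routed out of the bridge or interface" is carried over verbatim, and it is exactly the phrase the question in this thread says is unclear, so a short clarification or example would fit here rather than a move. Separately, the unchanged context line "# with impossible source addresses. It is strongly" leaves the parenthesis opened in "(logging of packets" unclosed; worth closing while the file is being edited.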
@@ -354,6 +347,13 @@
 # This option can also be enabled globally in the
 # shorewall.conf(5) file.
 #
+# sfilter=(net[,...])
+# Added in Shorewall 4.4.20. This option should be
+# used on bridges or other interfaces with the
+# routeback option. On these interfaces, it should
+# list those local networks that are not routed out
+# of the bridge or interface.
+#
 # sourceroute[={0|1}]
 # If this option is not specified for an interface,
 # then source-routed packets will not be accepted
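Review bot: the added "sfilter=(net[,...])" comment says where the option belongs (bridges or other interfaces with "routeback") but not what happens to a packet whose source address falls in one of the listed networks, nor how the option relates to "routefilter". Both points are stated in the reply text on this page ("sfilter" is only appropriate where "routeback" is required and "routefilter" cannot be used; the filtering is now applied to traffic addressed to the firewall as well as forwarded traffic) and belong in the annotated file, together with a one-line example of a network that is "not routed out of the bridge", since that phrase is what prompted the question.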
teastep@sami:~/shorewall/build/4.4.20$

>
> I also take it in 20.2 the sfilter option is now mandatory if I have
> specified routeback, is that the case? What happens if I do not specify it?
>

No. Please have a look at the revised text at
http://www1.shorewall.net/manpages/shorewall-interfaces.html and see if
it is clearer. The 'sfilter' option is only appropriate in cases where
'routeback' is required and 'routefilter' cannot be used.

-Tom
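The following is an added illustration, not part of this thread and not one of Shorewall's own configuration files. It is a constructed /etc/shorewall/interfaces fragment that shows where the 'sfilter' option from the diff above fits: one interface that needs 'routeback' (so the kernel reverse-path check behind 'routefilter' cannot be used) and a separate local segment whose network is never routed out through it. The interface names, zone names and addresses are made up; the four-column layout (ZONE INTERFACE BROADCAST OPTIONS) is the 4.4-era format as I understand it; and the reading that 'sfilter' filters packets arriving on the interface with a source in the listed networks is my interpretation of the annotated text, not a statement from the page.

```text
# Added example (not from the thread or the Shorewall project).
# All names and addresses below are constructed for illustration.
#
# Assumed topology:
#   br0  - bridge of two LAN ports, zone 'loc', 192.168.1.0/24.
#          Hosts on br0 reach each other through the firewall, so the
#          interface needs 'routeback'. Because replies leave through the
#          same interface they arrived on, the kernel reverse-path check
#          ('routefilter') cannot be used here.
#   eth1 - separate DMZ segment, zone 'dmz', 192.168.2.0/24. This network
#          is never routed out of br0.
#   eth0 - upstream link, zone 'net'.
#
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,routefilter,tcpflags,nosmurfs

# Weak setting: 'routeback' with no source filtering at all. Nothing on br0
# checks whether an arriving packet's source address belongs to a segment
# that cannot legitimately appear here.
#loc    br0         detect      routeback

# Corrected setting: list the local networks that are NOT routed out of br0
# (the annotated text's wording), i.e. the DMZ network. br0's own network,
# 192.168.1.0/24, is routed out of the bridge and so is not listed.
# Assumption: packets arriving on br0 with a source in a listed network are
# filtered, and per the 4.4.20.2 notes on this page that now covers traffic
# addressed to the firewall itself as well as forwarded traffic.
loc     br0         detect      routeback,sfilter=(192.168.2.0/24)

# The DMZ interface has no 'routeback', so the ordinary kernel check applies.
dmz     eth1        detect      routefilter,tcpflags
```

The practical rule this fragment encodes, following the reply above: use 'routefilter' wherever it works, and reach for 'sfilter' only on the interfaces where 'routeback' makes that impossible, listing there the other local networks that should never be seen as a source on that interface.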
