The more I have thought about it, the less that I like 'local' being an
interface option. In this Beta, 'local' changes to being a zone type.
1) A new interface option has been added.

   destonly

   Causes the compiler to omit rules to handle traffic arriving on
   the interface.
2) It is now possible to use 'all+' in the SOURCE and DEST columns of
   the /etc/shorewall[6]/policy file. It has the same meaning as in the
   rules file in that it can override default intra-zone ACCEPT
   policies.
3) Beginning with this release, most special handling of 'Auth' (TCP
   port 113) has been removed. In particular, the Drop default action
   will no longer default to silently REJECTing Auth requests but will
   rather simply process them like other tcp packets.
4) Traditionally, Shorewall has treated the loopback interface ('lo')
   as follows:

   - It deals with firewall-to-firewall, firewall-to-vserver,
     vserver-to-firewall, and vserver-to-vserver traffic.
   - All filtering is done in the OUTPUT flow; all traffic arriving on
     'lo' is silently accepted.
   - If no firewall-to-firewall policy or rules are defined, then
     a simple ACCEPT rule is also included in the OUTPUT chain for
     'lo' (after any vserver-oriented jumps).
   Beginning with this release, the handling of firewall-to-firewall
   traffic can be altered by adding a zone of type 'local'.

   - The 'local' zone must be associated with the loopback device in
     the interfaces file.
/etc/shorewall/zones
#ZONE TYPE
local local
/etc/shorewall/interfaces
?FORMAT 2
#ZONE INTERFACE OPTIONS
local lo ...
   When this is done, the ACCEPT jumps for 'lo' in the INPUT and
   OUTPUT chains are omitted and replaced with jumps to the local2fw
   and fw2local (local-fw and fw-local) chains respectively. This
   provides a model similar to other zones for firewall-to-firewall
   traffic.
When a local zone is defined, the firewall-to-firewall policy
must be ACCEPT in order to avoid superfluous rules and chains.
Definition of a local zone together with definition of vserver
zones is currently disallowed.
Thank you for testing,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
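The announcement above states three constraints on a 'local' zone (it must be bound to 'lo', it may not coexist with vserver zones, and the firewall-to-firewall policy must be ACCEPT). The following added example, which is not Shorewall's own code nor part of this thread, checks those constraints against minimal, constructed zones/interfaces/policy files; its column parsing is a deliberate simplification (whitespace-separated columns, '#' comments, '?FORMAT' skipped, no variable or macro expansion), and the treatment of 'all' versus 'all+' follows the note in item 2.

```python
# Added example (not Shorewall's own code): checks the 'local' zone constraints
# stated in the beta notes against minimal zones/interfaces/policy files.
# Parsing is a simplification: whitespace-separated columns, '#' comments,
# '?FORMAT' directives skipped, no shell-variable or macro expansion.

def parse_table(text):
    """Return the non-comment rows of a Shorewall-style column file."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith("?"):
            rows.append(line.split())
    return rows

def fw_fw_policy(policy_rows, fw):
    """Effective fw->fw POLICY: the first explicit match wins. Plain 'all'
    leaves the intra-zone ACCEPT default alone; 'all+' overrides it."""
    for row in policy_rows:
        if len(row) >= 3 and row[0] in (fw, "all+") and row[1] in (fw, "all+"):
            return row[2].split(":")[0].upper()
    return "ACCEPT"  # implicit intra-zone default

def check_local_zone(zones_text, interfaces_text, policy_text):
    """Return a list of constraint violations (empty when the config is fine)."""
    zones = {r[0]: r[1] for r in parse_table(zones_text) if len(r) >= 2}
    local_zones = [z for z, t in zones.items() if t == "local"]
    if not local_zones:
        return []  # nothing to check without a local zone
    problems = []
    if "vserver" in zones.values():
        problems.append("a local zone may not be defined together with vserver zones")
    bound = {r[0]: r[1] for r in parse_table(interfaces_text) if len(r) >= 2}
    for zone in local_zones:
        if bound.get(zone) != "lo":
            problems.append(f"zone '{zone}' must be associated with the loopback interface lo")
    fw = next((z for z, t in zones.items() if t == "firewall"), "fw")
    policy = fw_fw_policy(parse_table(policy_text), fw)
    if policy != "ACCEPT":
        problems.append(f"firewall-to-firewall policy is {policy}; it must be ACCEPT")
    return problems

# Constructed sample configuration that satisfies all three constraints.
ZONES_OK = "#ZONE TYPE\nfw firewall\nnet ipv4\nlocal local\n"
INTERFACES_OK = "?FORMAT 2\n#ZONE INTERFACE OPTIONS\nnet eth0 dhcp\nlocal lo\n"
POLICY_OK = "#SOURCE DEST POLICY\nfw fw ACCEPT\nnet all DROP\nall all REJECT\n"

if __name__ == "__main__":
    print(check_local_zone(ZONES_OK, INTERFACES_OK, POLICY_OK) or "configuration OK")
```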
On 05/20/2013 07:44 AM, Tom Eastep wrote:
> The more I have thought about it, the less that I like 'local' being an
> interface option. In this Beta, 'local' changes to being a zone type.
>
> 1) A new interface option has been added.
>
>    destonly
>
>    Causes the compiler to omit rules to handle traffic arriving on
>    the interface.
>

The attached patch allows 'destonly' on the loopback interface to work
correctly with a 'local' zone.

-Tom
On 05/20/2013 08:03 AM, Tom Eastep wrote:
> On 05/20/2013 07:44 AM, Tom Eastep wrote:
>> The more I have thought about it, the less that I like 'local' being an
>> interface option. In this Beta, 'local' changes to being a zone type.
>>
>> 1) A new interface option has been added.
>>
>>    destonly
>>
>>    Causes the compiler to omit rules to handle traffic arriving on
>>    the interface.
>>
>
> The attached patch allows 'destonly' on the loopback interface to work
> correctly with a 'local' zone.

Please disregard this patch.

-Tom
On 05/20/2013 08:18 AM, Tom Eastep wrote:
> On 05/20/2013 08:03 AM, Tom Eastep wrote:
>> On 05/20/2013 07:44 AM, Tom Eastep wrote:
>>> The more I have thought about it, the less that I like 'local' being an
>>> interface option. In this Beta, 'local' changes to being a zone type.
>>>
>>> 1) A new interface option has been added.
>>>
>>>    destonly
>>>
>>>    Causes the compiler to omit rules to handle traffic arriving on
>>>    the interface.
>>>
>>
>> The attached patch allows 'destonly' on the loopback interface to work
>> correctly with a 'local' zone.
>
> Please disregard this patch.

Hmmm -- head is still not quite back into work this morning. The patch
*is* correct.

-Tom