Hi Folks, I'm a new user to Shorewall; it came installed on the redWall firewall that I am using and I'm really happy with both projects! Thanks for all your work on it!

I have a question about tcrules and $FW. I'm doing source policy routing and need to be able to add an output rule to the mangle chain with a source that is a specific network, not 0.0.0.0/0. It appears that there is no way to do this, and it also appears that $FW is the only way to add an output rule in the mangle chain. Am I mistaken?

cheers, Brian
Brian Topping wrote:
> I have a question about tcrules and $FW. I'm doing source policy
> routing and need to be able to add an output rule to the mangle chain
> with a source that is a specific network, not 0.0.0.0/0. It appears that
> there is no way to do this, and it also appears that $FW is the only way
> to add an output rule in the mangle chain.
>
> Am I mistaken?

No. Currently, the tcrules file only allows blanket rules in OUTPUT.

-Tom

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Hmm, ok. Do you have any suggestions?

-b

Tom Eastep wrote:
> Brian Topping wrote:
>> I have a question about tcrules and $FW. I'm doing source policy
>> routing and need to be able to add an output rule to the mangle chain
>> with a source that is a specific network, not 0.0.0.0/0. It appears that
>> there is no way to do this, and it also appears that $FW is the only way
>> to add an output rule in the mangle chain.
>>
>> Am I mistaken?
>
> No. Currently, the tcrules file only allows blanket rules in OUTPUT.
>
> -Tom
Brian Topping wrote:
> Hmm, ok. Do you have any suggestions?

The Shorewall2/ CVS project has (untested) support for $FW:<host/net address> in the SOURCE column. The 'firewall' script and the comments in the 'tcrules' file have been updated.

-Tom
Tom Eastep wrote:
> Brian Topping wrote:
>> Hmm, ok. Do you have any suggestions?
>
> The Shorewall2/ CVS project has (untested) support for $FW:<host/net
> address> in the SOURCE column. The 'firewall' script and the comments in
> the 'tcrules' file have been updated.

Although I must say that I find it odd that you need this -- do you have applications running on your firewall that bind to particular public IP addresses and you wish to apply different shaping to traffic from the different addresses?

-Tom
Tom Eastep wrote:
> Tom Eastep wrote:
>> Brian Topping wrote:
>>> Hmm, ok. Do you have any suggestions?
>>
>> The Shorewall2/ CVS project has (untested) support for $FW:<host/net
>> address> in the SOURCE column. The 'firewall' script and the comments in
>> the 'tcrules' file have been updated.
>
> Although I must say that I find it odd that you need this --

The rainbow has every color in it, doesn't it? :-)

> do you have applications running on your firewall that bind to particular
> public IP addresses and you wish to apply different shaping to traffic
> from the different addresses?

Yes, I guess that's one way of looking at it. I'm actually using iptables for packet marking in conjunction with policy routing. I like Shorewall because things stay clean and you have some nice logic in there for stuff like smurfs and whatnot that I would not keep up to date properly. For the moment, I've been able to overcome the problem with /etc/shorewall/start though.

thanks,
-b

> -Tom
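As an added example (not code from this thread, and not Shorewall's own code), here is the shape of the source-specific mangle OUTPUT marking that a /etc/shorewall/start extension script could carry while the tcrules file only accepts blanket OUTPUT rules: one MARK rule restricted to a source network, and one policy-routing rule that sends packets carrying that mark to a separate routing table. The network 192.0.2.0/24, the mark value 1 and routing table 100 are constructed placeholders. The functions only print the commands so they can be reviewed first; they are applied only if their output is deliberately piped to sh as root.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall. Builds the
# iptables/iproute2 commands for marking locally generated packets from a
# given source network in the mangle OUTPUT chain and routing them by that
# mark, the workaround a /etc/shorewall/start extension script could carry.
# 192.0.2.0/24, mark 1 and table 100 below are constructed placeholders.

# valid_cidr NET: succeed only for a dotted-quad IPv4 prefix such as 192.0.2.0/24.
valid_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$addr" != "$1" ] || return 1                  # no '/' present
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac  # prefix must be numeric
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS
    IFS=.
    set -- $addr                                     # split address into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# mark_rule_cmds NET MARK TABLE: print (do not run) the two commands that
# mark OUTPUT packets sourced from NET and send marked packets to TABLE.
mark_rule_cmds() {
    net=$1
    mark=$2
    table=$3
    valid_cidr "$net" || { echo "mark_rule_cmds: bad network '$net'" >&2; return 1; }
    # -s in mangle OUTPUT matches the source address the kernel already chose
    # for the locally generated packet, so only traffic bound to NET is marked.
    printf 'iptables -t mangle -A OUTPUT -s %s -j MARK --set-mark %s\n' "$net" "$mark"
    # Route marked packets through TABLE; populating the table is not shown here.
    printf 'ip rule add fwmark %s table %s\n' "$mark" "$table"
}

# Review the generated commands; pipe them to sh as root to apply them.
mark_rule_cmds 192.0.2.0/24 1 100
```

Two points worth checking before relying on this: the `-s` match in OUTPUT sees the source address the kernel selected for the outgoing packet, so it distinguishes only traffic that actually originates from (or is bound to) that network; and the `ip rule` line is useless until routing table 100 has a default route of its own, which the script leaves to the administrator.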
Brian Topping wrote:
> For the moment, I've been able to overcome the problem with
> /etc/shorewall/start though.

I would appreciate it if you could test the code in CVS in your environment.

-Tom
I would have no problem with that, but the distro that I am using boots from CD. There have been a few changes I've desired to make to the distro for other needs, but I haven't gotten good enough with CD tools to cut a booting CD yet. Let me see what I can do though.

-b

Tom Eastep wrote:
> Brian Topping wrote:
>> For the moment, I've been able to overcome the problem with
>> /etc/shorewall/start though.
>
> I would appreciate it if you could test the code in CVS in your environment.
>
> -Tom