Hi,

I've come across two things that (I think) aren't the way they're supposed to be with the DEST field. I'm using Shorewall 2.0.2f.

1. The rule

DROP:ULOG:vpn loc:tap+ all

doesn't create an entry in the loc2loc chain. It works fine for all the other chains (loc2dmz, loc2net), but not loc2loc. loc2loc needs a specific rule of its own:

DROP:ULOG:vpn loc:tap+ loc

2. The following rule causes 'shorewall start' to terminate:

DROP:ULOG:vpn loc:tap+ loc:tap+

Using 'shorewall debug start' shows the command issued by shorewall:

+ iptables -A loc2loc --physdev-out tap+ -m physdev --physdev-in tap+ --match limit --limit 1/second --limit-burst 5 -j ULOG --ulog-prefix Shorewall:loc2loc:DROP:vpn

Putting the '-m physdev' before '--physdev-out' should fix it, I guess.

Of course, these are only very minor issues. I'm using shorewall in a quite complex configuration and it's been a tremendous help! Thanks!

Regards,
Michael

PS: Please Cc me in a reply, since I'm not subscribed to the list.
Michael Van Damme wrote:

> 1. The rule
>
> DROP:ULOG:vpn loc:tap+ all
>
> doesn't create an entry in the loc2loc chain. It works fine for all the
> other chains (loc2dmz, loc2net), but not loc2loc. loc2loc needs a
> specific rule of its own:
> DROP:ULOG:vpn loc:tap+ loc

That works as documented. At http://shorewall.net/Documentation.htm#Rules:

Note
When “all” is used as a source or destination, intra-zone traffic is not affected. In this example, if there were two DMZ interfaces then the above rule would NOT enable SMTP traffic between hosts on these interfaces.

I've updated the rules file to make it clear there as well.

> 2. The following rule causes 'shorewall start' to terminate:
>
> DROP:ULOG:vpn loc:tap+ loc:tap+
>
> Using 'shorewall debug start' shows the command issued by shorewall:
>
> + iptables -A loc2loc --physdev-out tap+ -m physdev --physdev-in tap+
> --match limit --limit 1/second --limit-burst 5 -j ULOG --ulog-prefix
> Shorewall:loc2loc:DROP:vpn
>
> Putting the '-m physdev' before '--physdev-out' should fix it, I guess.

The problem here is that the "--physdev-in" part is generated before the "--physdev-out" part so it includes the "-m physdev". I've changed the code in CVS (Shorewall2/) such that these parts are included in the rule in the same order that they are generated.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
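The ordering problem discussed in both messages, modelled in Python as an added illustration (this is not Shorewall's rule generator): an extended-match option such as --physdev-out is only recognised by iptables once its module has been loaded with -m, so a checker over the generated argument list catches the exact command that 'shorewall debug start' printed, and a small generator emits the physdev parts in one order with the module load ahead of them. The MODULE_OF table and the function names are constructed for this example.

```python
# Model of the iptables option-ordering bug from the thread: an extended-match
# option such as --physdev-in is only recognised after its module has been
# loaded with '-m physdev'. Constructed illustration, not Shorewall's code.

# Match options and the module (-m NAME) that must precede them.
MODULE_OF = {
    "--physdev-in": "physdev",
    "--physdev-out": "physdev",
    "--limit": "limit",
    "--limit-burst": "limit",
}


def check_match_order(args):
    """Return the options that appear before their '-m <module>'.

    iptables resolves extended options against the modules loaded so far on
    the command line, so '--physdev-out tap+ -m physdev' is rejected as an
    unknown option. An empty list means the ordering is valid.
    """
    loaded = set()
    bad = []
    for i, tok in enumerate(args):
        if tok in ("-m", "--match") and i + 1 < len(args):
            loaded.add(args[i + 1])
        elif tok in MODULE_OF and MODULE_OF[tok] not in loaded:
            bad.append(tok)
    return bad


def physdev_rule(chain, in_dev=None, out_dev=None, target="DROP"):
    """Build an iptables argument list with '-m physdev' emitted once, ahead
    of the first physdev option (keeping the parts in generation order, as
    Tom's fix does)."""
    args = ["iptables", "-A", chain]
    physdev = []
    if in_dev:
        physdev += ["--physdev-in", in_dev]
    if out_dev:
        physdev += ["--physdev-out", out_dev]
    if physdev:
        args += ["-m", "physdev"] + physdev
    args += ["-j", target]
    return args


# The exact command 'shorewall debug start' printed in the thread.
BROKEN = ("iptables -A loc2loc --physdev-out tap+ -m physdev --physdev-in tap+ "
          "--match limit --limit 1/second --limit-burst 5 -j ULOG "
          "--ulog-prefix Shorewall:loc2loc:DROP:vpn").split()
```

Running check_match_order(BROKEN) flags only --physdev-out, which is the token iptables tripped over; the same check on physdev_rule("loc2loc", "tap+", "tap+") returns an empty list.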