In http://www.shorewall.net/manpages/shorewall-interfaces.html :

routeback

    If specified, indicates that Shorewall should include rules that allow traffic arriving on this interface to be routed back out that same interface. This option is also required when you have used a wildcard in the INTERFACE column if you want to allow traffic between the interfaces that match the wildcard.

    Beginning with Shorewall 4.4.20, if you specify this option, then you should also specify filter; see above.

There is no "filter" above. I think it means to refer to sfilter below?

sfilter=(net[,...])

    Added in Shorewall 4.4.20. This option provides an anti-spoofing alternative to routefilter on interfaces where that option cannot be used, but where the routeback option is required (on a bridge, for example). On these interfaces, sfilter should list those local networks that are connected to the firewall through other interfaces.

Or are we missing a section on "filter"?

I've found that I need the routeback option on my dmz network now that I have two networks on that interface. No idea what I should add for filter/sfilter though to that line.

-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA/CoRA Division                    FAX: 303-415-9702
3380 Mitchell Lane                  orion@cora.nwra.com
Boulder, CO 80301              http://www.cora.nwra.com

------------------------------------------------------------------------------
Using storage to extend the benefits of virtualization and iSCSI
Virtualization increases hardware utilization and delivers a new level of
agility. Learn what those decisions are and how to modernize your storage
and backup environments for virtualization.
http://www.accelacomm.com/jaw/sfnl/114/51434361/
On Wed, 2011-09-07 at 09:59 -0600, Orion Poplawski wrote:
> In http://www.shorewall.net/manpages/shorewall-interfaces.html :
>
> routeback
>
>     If specified, indicates that Shorewall should include rules that allow traffic arriving on this interface to be routed back out that same interface. This option is also required when you have used a wildcard in the INTERFACE column if you want to allow traffic between the interfaces that match the wildcard.
>
>     Beginning with Shorewall 4.4.20, if you specify this option, then you should also specify filter; see above.
>
> There is no "filter" above. I think it means to refer to sfilter below?
>
> sfilter=(net[,...])
>
>     Added in Shorewall 4.4.20. This option provides an anti-spoofing alternative to routefilter on interfaces where that option cannot be used, but where the routeback option is required (on a bridge, for example). On these interfaces, sfilter should list those local networks that are connected to the firewall through other interfaces.
>
> Or are we missing a section on "filter"?

That section should have referred to "sfilter". "filter" was the original name, but I changed it to "sfilter" during the Beta and we are still finding places that I missed.

> I've found that I need the routeback option on my dmz network now that I have two networks on that interface. No idea what I should add for filter/sfilter though to that line.

As I corrected the above typo, I also changed the text to mention that "routefilter" on all interfaces is another acceptable workaround (for IPv4) in addition to "sfilter".

-Tom
-- 
Tom Eastep        \   When I die, I want to go like my Grandfather who
Shoreline,         \  died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
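For readers in Orion's situation, the following /etc/shorewall/interfaces fragment shows how routeback and sfilter fit together on a DMZ interface carrying two networks. It is an added illustration, not text from the thread or from the Shorewall manual; the zone names, interface names and all network ranges are made up.

```text
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter
loc     eth1        detect      routefilter
#
# eth2 carries two DMZ networks (assumed 10.10.1.0/24 and 10.10.2.0/24).
# Traffic between them arrives on eth2 and must leave through eth2 again,
# which is exactly what routeback permits.
#
# Once packets may be routed straight back out the interface they came in
# on, the kernel's reverse-path check (routefilter) no longer fits this
# interface, so sfilter takes over the anti-spoofing role: it lists the
# local networks that legitimately sit behind OTHER interfaces (here the
# loc network behind eth1, assumed 192.168.1.0/24).  A packet arriving on
# eth2 claiming one of those source addresses is treated as spoofed and
# handled per SFILTER_DISPOSITION in shorewall.conf.
#
# Per Tom's reply, the IPv4-only alternative is routefilter on every
# interface instead of sfilter here.
dmz     eth2        detect      routeback,sfilter=(192.168.1.0/24)
```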
On 09/07/2011 12:18 PM, Tom Eastep wrote:
> On Wed, 2011-09-07 at 09:59 -0600, Orion Poplawski wrote:
>
> That section should have referred to "sfilter". "filter" was the original name, but I changed it to "sfilter" during the Beta and we are still finding places that I missed.

Understandable. I think you also want to change the "see above" to "see below".

-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA/CoRA Division                    FAX: 303-415-9702
3380 Mitchell Lane                  orion@cora.nwra.com
Boulder, CO 80301              http://www.cora.nwra.com