On 06/09/2012 13:57, Meetoo Ashvin wrote:
> Hello,
>
> I am migrating my firewall to a new Debian server. I used to configure
> my adsl interfaces with the norfc1918 flag but it has been removed in
> the newer versions. I've read in the archives that the successor to
> 'norfc1918' is changing the global NULL_ROUTE_RFC1918 to Yes in
> shorewall.conf.
>
> This is a problem for me because I don't want this to apply to all my
> interfaces. I have specific routes defined through other internal
> interfaces and when I activate NULL_ROUTE_RFC1918=Yes in shorewall.conf
> it overrides my routes and I can no longer access them.
>
> Is there a workaround?
>
> Thanks.
>
Hi,

If you have routes that are more specific than:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
it shouldn't matter.

E.g.:
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1
unreachable 192.168.0.0/16

Net: 192.168.0.0/24 remains reachable because it is more specific than
192.168/16

Laurent
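
Added example, not part of the original thread: a small Python model of the longest-prefix-match rule the reply above relies on, which also lists own routes that are not more specific than an RFC 1918 block. The 10.8.0.0/16 route and the tun0 device are constructed, and the "ambiguous" result for an own route with the same prefix as a null route is this model's assumption, since the thread does not cover that case.

```python
import ipaddress

# The three RFC 1918 blocks listed in the reply above.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_table(own_routes):
    """Combine own (prefix, device) routes with unreachable RFC 1918 routes."""
    table = [(ipaddress.ip_network(p), dev) for p, dev in own_routes]
    table += [(net, "unreachable") for net in RFC1918]
    return table


def lookup(table, dest):
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ipaddress.ip_address(dest)
    matches = sorted((m for m in table if addr in m[0]),
                     key=lambda m: m[0].prefixlen, reverse=True)
    if not matches:
        return None
    best = matches[0]
    # Assumption of this model: an own route with exactly the same prefix
    # as a null route is reported as ambiguous rather than guessed at.
    if len(matches) > 1 and matches[1][0].prefixlen == best[0].prefixlen:
        return (str(best[0]), "ambiguous")
    return (str(best[0]), best[1])


def shadowed_routes(own_routes):
    """Own routes that overlap an RFC 1918 block without being more specific."""
    flagged = []
    for prefix, _dev in own_routes:
        net = ipaddress.ip_network(prefix)
        if any(net.overlaps(b) and net.prefixlen <= b.prefixlen
               for b in RFC1918):
            flagged.append(prefix)
    return flagged


if __name__ == "__main__":
    # First route is the one from the reply; the second is constructed.
    routes = [("192.168.0.0/24", "eth0"), ("10.8.0.0/16", "tun0")]
    table = build_table(routes)
    for dest in ("192.168.0.50", "192.168.7.1", "10.8.3.4", "10.9.0.1"):
        print(dest, "->", lookup(table, dest))
    print("not more specific:", shadowed_routes(routes))
```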