From: Tom E. <te...@sh...> - 2011-06-11 13:28:58
On Sat, 2011-06-11 at 00:16 +0100, Mr Dash Four wrote:
> > 3) The 'sfilter' interface option introduced in 4.4.20 was only
> > applied to forwarded traffic. Now it is also applied to traffic
> > addressed to the firewall itself.
> >
> From reading the (annotated version of) interfaces file what I cannot
> understand is the "it should list those local networks that are not
> routed out of the bridge or interface" bit. What does that mean exactly?
> Am I supposed to list the local network this interface belongs to or
> what? You are writing these annotated pages as if I have a PhD in computer
> networks & signalling ffs!

It is regrettable that you didn't stumble over that bit in 4.4.20.1
since, with the exception of the option name, it is identical to what was
in that release (it was incorrectly listed as "filter" in 4.4.20.1).

teastep@sami:~/shorewall/build/4.4.20$ diff -au shorewall-4.4.20.1/configfiles/interfaces.annotated shorewall-4.4.20.2/configfiles/interfaces.annotated
--- shorewall-4.4.20.1/configfiles/interfaces.annotated 2011-06-06 16:12:23.000000000 -0700
+++ shorewall-4.4.20.2/configfiles/interfaces.annotated 2011-06-10 13:03:21.000000000 -0700
@@ -189,13 +189,6 @@
# This option allows DHCP datagrams to enter and
# leave the interface.
#
-# filter=(net[,...])
-# Added in Shorewall 4.4.20. This option should be
-# used on bridges or other interfaces with the
-# routeback option. On these interfaces, it should
-# list those local networks that are not routed out
-# of the bridge or interface.
-#
# logmartians[={0|1}]
# Turn on kernel martian logging (logging of packets
# with impossible source addresses. It is strongly
@@ -354,6 +347,13 @@
# This option can also be enabled globally in the
# shorewall.conf(5) file.
#
+# sfilter=(net[,...])
+# Added in Shorewall 4.4.20. This option should be
+# used on bridges or other interfaces with the
+# routeback option. On these interfaces, it should
+# list those local networks that are not routed out
+# of the bridge or interface.
+#
# sourceroute[={0|1}]
# If this option is not specified for an interface,
# then source-routed packets will not be accepted
teastep@sami:~/shorewall/build/4.4.20$

> > I also take it in 20.2 the sfilter option is now mandatory if I have
> specified routeback, is that the case? What happens if I do not specify it?
>
No. Please have a look at the revised text at
http://www1.shorewall.net/manpages/shorewall-interfaces.html and see if it
is clearer.

The 'sfilter' option is only appropriate in cases where 'routeback' is
required and 'routefilter' cannot be used.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
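Review bot: the first hunk (@@ -189,13 +189,6 @@) drops the `filter=(net[,...])` entry without leaving any trace that the name was a misprint, even though the reply states the option was incorrectly listed as "filter" in 4.4.20.1; a one-line pointer at that spot, e.g. `# (listed as "filter" in 4.4.20.1; see sfilter below)`, would tell anyone who copied the wrong name from the 4.4.20.1 annotated file where the option went.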
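Review bot: the `sfilter=(net[,...])` text added in the second hunk (@@ -354,6 +347,13 @@) is word for word the block removed in the first hunk, so it keeps the sentence the question above finds unclear ("it should list those local networks that are not routed out of the bridge or interface") and still says only "Added in Shorewall 4.4.20", although the quoted change note says that from 4.4.20.2 the filter is also applied to traffic addressed to the firewall itself. Suggest answering the question the user actually asked in the annotation, i.e. whether the interface's own local network is to be listed, and adding the constraint given later in the reply, that the option is only appropriate where 'routeback' is required and 'routefilter' cannot be used, plus a note on what happens when 'routeback' is set and 'sfilter' is not.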