From: Dave H. <da...@ca...> - 2005-09-02 19:42:06

Tom Eastep wrote:
>
> I didn't follow the above. Can you show us what you are doing and why
> you believe that it requires the loopback device to be "added into your
> zone list" (I assume that means that you added it to
> /etc/shorewall/interfaces and associated it with some zone)?
>

Basically I'm routing packets to lo, though not allowing lo to receive those packets; if lo has a route to it but is not assigned an address within that route's netmask then it'll toss them. This method just gives a little better security if all you need to do is redirect those packets coming through netfilter.

> No. Zones are sets of hosts. The $FW zone consists of exactly one host
> -- the host that Shorewall is running on. The firewall zone differs from
> other zones in that there is *no* interface associated with $FW whereas
> other zones have at least one interface.
>

I wasn't sure if lo was loosely tied in.

> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    20  2454 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
> ...
>
> So for INPUT and OUTPUT, you need no policies or rules of any kind to
> enable traffic to/from the loopback device.
>

That would normally work except that I'm *forwarding* packets to lo so I also need a chain like this:

Chain lo_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1185 66360 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
    0     0 loc2all    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 loc2loc    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
 1185 66360 loc2loc    all  --  *      lo      0.0.0.0/0            0.0.0.0/0

Dave Hawkes
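The two chain listings quoted in this thread are in the `iptables -L -v -n` format, and the question of which rule a packet forwarded out `lo` actually hits can be answered by reading them mechanically. The following is an added example (not code from the list message or from Shorewall) that parses such a listing and reports, in order, the rules whose interface and conntrack-state matches apply to a given packet. The sample listing is constructed from the chains quoted above; `parse_listing` and `walk_chain` are names chosen here.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the OUTPUT excerpt and the lo_fwd chain quoted
# in the message, in `iptables -L -v -n` layout
# (pkts bytes target prot opt in out source destination [extra matches]).
SAMPLE = """\
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   20  2454 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0

Chain lo_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1185 66360 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
    0     0 loc2all    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 loc2loc    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
 1185 66360 loc2loc    all  --  *      lo      0.0.0.0/0            0.0.0.0/0
"""


@dataclass
class Rule:
    pkts: int
    nbytes: int
    target: str
    proto: str
    in_if: str
    out_if: str
    source: str
    dest: str
    states: Optional[set] = None  # None: rule carries no `state` match


@dataclass
class Chain:
    name: str
    policy: Optional[str]  # None for user-defined chains (they have no policy)
    rules: List[Rule] = field(default_factory=list)


# "Chain OUTPUT (policy DROP ...)" or "Chain lo_fwd (1 references)"
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)")


def parse_listing(text):
    """Parse `iptables -L -v -n` output into {chain name: Chain}."""
    chains = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains[current.name] = current
            continue
        fields = line.split()
        if current is None or fields[0] == "pkts":
            continue  # column header line
        pkts, nbytes, target, proto, _opt, in_if, out_if, src, dst = fields[:9]
        extras = fields[9:]
        states = None
        if len(extras) >= 2 and extras[0] == "state":
            states = set(extras[1].split(","))
        current.rules.append(
            Rule(int(pkts), int(nbytes), target, proto, in_if, out_if, src, dst, states)
        )
    return chains


def _iface_match(pattern, iface):
    # "*" matches any interface; a trailing "+" is the iptables prefix wildcard.
    if pattern == "*":
        return True
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface


def walk_chain(chain, in_if, out_if, state):
    """Targets of the rules in `chain` that match a packet with these
    interfaces and conntrack state, in rule order. Pass "" for an absent
    interface (e.g. no input interface in OUTPUT). Non-terminating targets
    such as user chains are all reported, since the packet may return."""
    hits = []
    for r in chain.rules:
        if not _iface_match(r.in_if, in_if) or not _iface_match(r.out_if, out_if):
            continue
        if r.states is not None and state not in r.states:
            continue
        hits.append(r.target)
    return hits


if __name__ == "__main__":
    chains = parse_listing(SAMPLE)
    # A NEW packet forwarded from eth0 out lo hits `dynamic` and then loc2loc.
    print(walk_chain(chains["lo_fwd"], "eth0", "lo", "NEW"))
    # Locally generated traffic to lo is accepted outright in OUTPUT.
    print(walk_chain(chains["OUTPUT"], "", "lo", "NEW"))
```

Running this against a real `iptables -L -v -n` dump is a quick way to confirm the point made in the thread: traffic to and from `lo` is handled by the ACCEPT rule in INPUT/OUTPUT, while packets *forwarded* to `lo` only ever traverse FORWARD and therefore need a rule in the relevant forwarding chain.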