Re: [Shorewall-devel] proposed 3.0 change

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Tom Eastep wrote:

> 
> 
> I didn't follow the above. Can you show us what you are doing and why
> you believe that it requires the loopback device to be "added into your
> zone list" (I assume that means that you added it to
> /etc/shorewall/interfaces and associated it with some zone)?
> 
> 

Basically I'm routing packets to lo, though not allowing lo to receive those packets, if lo has a route to it but is not 
assigned an address within that routes netmask then it'll toss them. This method just give a little better security if 
all you need to do is redirect those packets coming through netfilter

 >
 > No. Zones are sets of hosts. The $FW zone consists of exactly one host
 > -- the host that Shorewall is running on. The firewall zone differs from
 > other zones in that there is *no* interface associated with $FW whereas
 > other zones have at least one interface.
 >

I wasn't sure if lo was loosely tied in.

> 
> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>    20  2454 ACCEPT     all  --  *      lo      0.0.0.0/0
> 0.0.0.0/0
> ...
> 
> So for INPUT and OUTPUT, you need no policies or rules of any kind to
> enable traffic to/from the loopback device.
> 

That would normally work except that I'm *forwarding* packets to lo so I also need a chains like this:-

Chain lo_fwd (1 references)
  pkts bytes target     prot opt in     out     source               destination
  1185 66360 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
     0     0 loc2all    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
     0     0 loc2loc    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
  1185 66360 loc2loc    all  --  *      lo      0.0.0.0/0            0.0.0.0/0

Dave Hawkes