From: Tom E. <te...@sh...> - 2005-09-15 15:07:41
On Thursday 15 September 2005 07:57, Dir...@in... wrote:
> Hello,
>
> According to the docs ADMINISABSENTMINDED=Yes in
> /etc/shorewall/shorewall.conf
> should allow output traffic (in combination with the routestopped
> feature), while restarting shorewall.
>
> But the code at /usr/share/shorewall/firewall line 1441 (function
> process_routestopped)
> [ -z "$ADMINISABSENTMINDED" ] && <some iptables call>
> will only execute, if $ADMINISABSENTMINDED is not set at all.
>
> I don't think that's intended.

Yes -- it is intended.

You are reading from the process_routestopped() function which is called
during "shorewall stop" at line 1527 in function stop_firewall(). The code
that gets executed at line 1442 if ADMINISABSENTMINDED isn't set allows
OUTPUT traffic to the hosts described in the record being processed.

But back at line 1514 in stop_firewall(), if $ADMINISABSENTMINDED is non-null,
we have:

    setpolicy OUTPUT ACCEPT

So it would be superfluous to add OUTPUT ACCEPT rules in
process_routestopped() since the policy for OUTPUT has already been set to
ACCEPT.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ te...@sh...
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
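
A dry-run model of the control flow described in the reply above, added here as an illustration; it is not Shorewall's code. The function names follow the message, while the iptables rule text, the DROP policy for the unset case and the sample hosts are assumptions.

```shell
#!/bin/sh
# Simplified model of "shorewall stop" as described in the message above.
# Commands are echoed (dry run), never executed.

# Constructed sample routestopped records: "interface host"
ROUTESTOPPED='eth0 192.0.2.10
eth1 198.51.100.7'

setpolicy() { echo "iptables -P $1 $2"; }

process_routestopped() {
    echo "$ROUTESTOPPED" | while read -r interface host; do
        # Per-host OUTPUT rules matter only when the OUTPUT policy is
        # not ACCEPT, i.e. when ADMINISABSENTMINDED is empty.
        if [ -z "$ADMINISABSENTMINDED" ]; then
            echo "iptables -A OUTPUT -o $interface -d $host -j ACCEPT"
        fi
        # (other per-record rules omitted from this model)
    done
}

stop_firewall() {   # $1 = value of ADMINISABSENTMINDED ("" = not set)
    ADMINISABSENTMINDED=$1
    if [ -n "$ADMINISABSENTMINDED" ]; then
        setpolicy OUTPUT ACCEPT      # blanket policy covers every host
    else
        setpolicy OUTPUT DROP        # assumed policy when the option is unset
    fi
    process_routestopped
}

# Would output to destination $2 be accepted with ADMINISABSENTMINDED=$1?
# Literal match on the planned rules, enough for the sample hosts.
output_allowed() {
    plan=$(stop_firewall "$1")
    case "$plan" in
        *"-P OUTPUT ACCEPT"*) return 0 ;;
        *"-d $2 -j ACCEPT"*)  return 0 ;;
    esac
    return 1
}

echo "# ADMINISABSENTMINDED unset:"; stop_firewall ""
echo "# ADMINISABSENTMINDED=Yes:";   stop_firewall Yes
```

In both modes output to a routestopped host is accepted; with the option set, the single policy line also admits every other destination, which is why the `-z` test skips the per-host rules.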