[Shorewall-devel] send patches (for CROSSBEAM)

Tom Eastep teastep at shorewall.net
Sun May 22 16:57:18 PDT 2005


Paul Gear wrote:
> Tom Eastep wrote:
>>...
>>Thanks, Juan
>>
>>Guys: I'll put Juan's patch in 2.4.0 and I'll let you decide if you want
>>to release it in 2.0 and 2.2.
>>...
>>I have added the CROSSBEAM patch to 2.4.0 but I'm withholding the 
>>POLICY_ACCEPT_STARTING patch for now. I really don't like the idea of
>> an option that opens the firewall completely like this one does.
>>
>>I suspect that an option in shorewall.conf that works in conjunction 
>>with /etc/shorewall/routestopped would be more appropriate for both 
>>the 2.2 and 2.4 series (since 2.2.3, communication *between* hosts 
>>listed in routestopped is now enabled during [re]start).
> 
> It seems to me that both of these are very similar circumstances to my
> issue a few weeks/months back about restarting shorewall on a
> high-availability firewall running heartbeat.  In that case, it seems
> that a more general approach that works in conjunction with routestopped
> would be warranted.  Once we get CVS converted over to sf.net, I'll do a
> bit of work on integrating them.
> 

In -RC1, I extended the routestopped options to include 'source' and 'dest'
to indicate that all traffic from or to a host or set of hosts respectively
should be accepted. I'm not sure that my changes solve the entire problem
that Juan's customers are seeing but I think that it is in the right
direction. If folks on the list disagree, I'll back out that change in -RC2
and the new maintainers can decide how best to address this issue.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
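As an added illustration of the 'source'/'dest' routestopped options discussed above (this is example code written for this page, not part of the thread or of Shorewall itself), the following script audits a routestopped file and reports which hosts would have all traffic accepted during a [re]start. It assumes the three-column INTERFACE / HOST(S) / OPTIONS layout with '-' meaning "none"; the sample file contents are constructed.

```python
# Added example, not Shorewall's own code: audit a 2.4-style
# /etc/shorewall/routestopped file and list the hosts that the
# 'source' and/or 'dest' options would open completely during a
# [re]start. Assumed format: INTERFACE HOST(S) OPTIONS, whitespace-
# separated, '-' for "none", comma-separated lists, '#' comments.

# Constructed sample input (hypothetical addresses).
SAMPLE_ROUTESTOPPED = """\
#INTERFACE   HOST(S)                  OPTIONS
eth0         192.168.1.10             routeback
eth0         192.168.1.20,10.0.0.0/24 source,dest
eth1         -                        -
eth2         10.1.1.5                 dest
"""

def parse_routestopped(text):
    """Return a list of (interface, hosts, options) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments / blanks
        if not line:
            continue
        fields = line.split()
        iface = fields[0]
        hosts = [] if len(fields) < 2 or fields[1] == "-" else fields[1].split(",")
        opts = set() if len(fields) < 3 or fields[2] == "-" else set(fields[2].split(","))
        entries.append((iface, hosts, opts))
    return entries

def fully_open_hosts(text):
    """Map 'iface:host' to the directions ('source', 'dest') opened for it."""
    report = {}
    for iface, hosts, opts in parse_routestopped(text):
        directions = sorted(opts & {"source", "dest"})
        if not directions:
            continue
        # Assumption: an empty HOST(S) column applies to every host on the interface.
        for host in hosts or [f"all hosts on {iface}"]:
            report[f"{iface}:{host}"] = directions
    return report

if __name__ == "__main__":
    for key, dirs in fully_open_hosts(SAMPLE_ROUTESTOPPED).items():
        print(f"{key}: all traffic accepted during restart ({', '.join(dirs)})")
```

Running it against a real routestopped file is a quick way to see how much of the firewall a restart leaves open with these options in place.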
