[Shorewall-devel] send patchs (for CROSSBEAM)
teastep at shorewall.net
Sun May 22 16:57:18 PDT 2005
Paul Gear wrote:
> Tom Eastep wrote:
>>Guys: I'll put Juan's patch in 2.4.0 and I'll let you decide if you want
>>to release it in 2.0 and 2.2.
>>I have added the CROSSBEAM patch to 2.4.0 but I'm withholding the
>>POLICY_ACCEPT_STARTING patch for now. I really don't like the idea of
>> an option that opens the firewall completely like this one does.
>>I suspect that an option in shorewall.conf that works in conjunction
>>with /etc/shorewall/routestopped would be more appropriate for both
>>the 2.2 and 2.4 series (since 2.2.3, communication *between* hosts
>>listed in routestopped is now enabled during [re]start).
> It seems to me that both of these are very similar circumstances to my
> issue a few weeks/months back about restarting shorewall on a
> high-availability firewall running heartbeat. In that case, it seems
> that a more general approach that works in conjunction with routestopped
> would be warranted. Once we get CVS converted over to sf.net, i'll do a
> bit of work on integrating them.
In -RC1, I extended the routestopped options to include 'source' and 'dest'
to indicate that all traffic from or to a host or set of hosts respectively
should be accepted. I'm not sure that my changes solve the entire problem
that Juan's customers are seeing but I think that it is in the right
direction. If folks on the list disagree, I'll back out that change in -RC2
and the new maintainers can decide how best to address this issue.
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep at shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
More information about the Shorewall-devel