From: Jeremy Thomerson
Date: Wed, 3 Oct 2012 10:39:22 -0500
Subject: Re: [alpine-devel] awall - forward to/from same port
To: Kaarle Ritvanen
Cc: Natanael Copa, Alpine-devel

On Wed, Oct 3, 2012 at 2:52 AM, Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> wrote:

> On Thu, 27 Sep 2012, Natanael Copa wrote:
>
>> On Wed, 26 Sep 2012 17:10:13 +0300 (EEST)
>> Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> wrote:
>>
>>> Well, we could add a similar attribute to zone definitions or just make
>>> awall always generate such rules. The downside of the latter option
>>> is that those rules are likely unnecessary in most cases, causing a
>>> slight penalty in performance. What do you think?
>>
>> Always generate such rules? No, I'd prefer it be optional and default
>> off.
>>
>> Re adding the feature to filter section vs zone definition, I suppose
>> the benefit with adding it to zone definition is that it would be
>> slightly easier to make scripts that port shorewall config to awall.
>
> I added an optional 'route-back' attribute to zone definitions. Note that
> this does not as such allow any traffic, but just allows the filter rule to
> produce iptables rules with identical ingress and egress interfaces.
>
> This feature is available in version 0.2.11.

Thanks Kaarle! That worked great. I do have a question. Do you have a plan to update http://wiki.alpinelinux.org/wiki/How-To_Alpine_Wall to show the new logging stuff? My "logdrop" and "logreject" are now deprecated, and I found on http://wiki.alpinelinux.org/wiki/Alpine_Wall_User%27s_Guide that there is a different way of configuring this now. But that makes the first link above out of date. I'm wondering if we should consolidate that first page into the second so it's more likely to stay up-to-date.

Thanks again,
Jeremy Thomerson