[Shorewall-users] Blocking local broadcasts

Simon Turvey turveysp@ntlworld.com
Tue, 30 Apr 2002 17:19:06 +0100


Thanks Tom.  That's given me the info I needed to have a rethink of my
policies and slim down my rules file.  It all seems to be working just dandy
now.

Cheers,
    Simon



----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Simon Turvey" <turveysp@ntlworld.com>
Cc: <shorewall-users@shorewall.net>
Sent: Tuesday, April 30, 2002 4:46 PM
Subject: Re: [Shorewall-users] Blocking local broadcasts


> On Tue, 30 Apr 2002, Tom Eastep wrote:
>
> > On Tue, 30 Apr 2002, Simon Turvey wrote:
> >
> > > > Shorewall adds the subnet broadcast address (if any) of each
> > > > interface.
> > >
> > > Any chance of an override option in interfaces (like we can specify
> > > noping, routestopped, etc) that would say 'permit broadcast on this
> > > interface'?
> > >
> >
> > Packets only traverse the 'common' chain when the policy is other than
> > ACCEPT. So if you simply put "-" in the BROADCAST column for an
> > interface then broadcasts will be accepted if the applicable policy is
> > ACCEPT.
> >
> >
>
> Actually, it doesn't matter what you put in the BROADCAST column but
> omitting that column results in one less useless rule in the common chain.
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> AIM: tmeastep  \ http://www.shorewall.net
> ICQ: #60745924  \ teastep@shorewall.net
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
>
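The configuration the exchange above boils down to, written out as an added example (this is not a config from the original message or from the Shorewall project; the zone names, interface names and the "loc" zone with an ACCEPT policy towards the firewall are assumptions for illustration). The interfaces file lists the internal interface with "-" in the BROADCAST column, so Shorewall does not add a broadcast-address rule to the 'common' chain for it; the policy file gives the internal zone an ACCEPT policy towards the firewall, so traffic from that zone never reaches the 'common' chain and the local broadcasts go through:

```text
# /etc/shorewall/interfaces (assumed zone and interface names)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918,routefilter
loc     eth1        -           routestopped

# /etc/shorewall/policy (assumed policies)
#SOURCE DEST    POLICY   LOG LEVEL
loc     fw      ACCEPT
fw      loc     ACCEPT
loc     net     ACCEPT
net     all     DROP     info
all     all     REJECT   info
```

The "-" is only a placeholder so that the OPTIONS column still lines up; as Tom notes, the value in the BROADCAST column does not change what is accepted, and leaving the column (and anything after it) off altogether saves one rule in the 'common' chain. The practical caveat is that this works because the policy is ACCEPT, and an ACCEPT policy admits everything from that zone, not just broadcasts; if loc->fw must stay at DROP or REJECT, the broadcasts will keep hitting the 'common' chain and the policy, and the rules file is the place to open up exactly the broadcast traffic that is wanted.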