Allow marking networks as "local"
Reported by: Matthijs Kooijman | Owned by: Victor Julien
I have a setup with a dummy0 interface, which holds a bunch of addresses (for virtual servers). I can define this network in vuurmuur, and give my firewall an interface on it, but then it does not know that the network really only exists on the firewall itself. This causes vuurmuur to generate FORWARD rules, where I would really want
For example, in the zone internal, I have the following network:

    ACTIVE="Yes" NETWORK="10.42.0.0" NETMASK="255.255.255.0" INTERFACE="vservers-nic"

The vservers-nic interface is defined as:

    ACTIVE="Yes" IPADDRESS="10.42.0.1" INTERFACE="" VIRTUAL="No" DEVICE="dummy0"
Now, I define a rule to allow the vservers to access the internet (ignoring the fact that we would also need NAT):
    Accept service any from vservers.internal to world.inet
This makes vuurmuur generate the following rule:
    /sbin/iptables -t filter -A FORWARD -i dummy0 -o eth0 -s 10.42.0.0/255.255.255.0 \
        -d 0.0.0.0/0.0.0.0 -m state --state NEW -j NEWACCEPT
Which never triggers, since these packets are locally generated and thus never go through the

I would like the above rule to result in some rule in the OUTPUT chain, like:
    /sbin/iptables -t filter -A OUTPUT -o eth0 -s 10.42.0.0/255.255.255.0 \
        -d 0.0.0.0/0.0.0.0 -m state --state NEW -j NEWACCEPT
I can achieve something like this rule by using from firewall(any), but then the source address check is not there, meaning I cannot differentiate between traffic from the host and the different virtual servers.
A possible solution I can see here is marking networks as "local", meaning that any rules generated from them should be OUTPUT. A local network would then have a status similar to the special
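As an added illustration of the proposed "local" marking (this is not vuurmuur's code), the script below reads vuurmuur-style network definitions and prints the rule that would be generated: a network carrying the hypothetical LOCAL="Yes" flag gets an OUTPUT rule with only -o, any other network keeps the FORWARD rule with -i/-o. The network definitions are constructed for the example; the LOCAL key does not exist in vuurmuur.

```shell
#!/bin/sh
# Added example, not vuurmuur's own code: choose the iptables chain from a
# hypothetical LOCAL="Yes" flag on the source network. Locally generated packets
# traverse OUTPUT and never FORWARD, so a network that exists only on the
# firewall itself (e.g. on dummy0) needs its rule in OUTPUT to ever match.

# Constructed network definitions in vuurmuur's KEY="value" style (LOCAL is assumed).
VSERVERS_NET='ACTIVE="Yes" NETWORK="10.42.0.0" NETMASK="255.255.255.0" INTERFACE="vservers-nic" LOCAL="Yes"'
LAN_NET='ACTIVE="Yes" NETWORK="192.168.1.0" NETMASK="255.255.255.0" INTERFACE="lan-nic" LOCAL="No"'

# cfg_get KEY 'definition' -> prints the quoted value of KEY (empty if absent).
cfg_get() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=\"\(.*\)\"$/\1/p"
}

# gen_rule 'src-net-def' in-dev out-dev dst-cidr
# Prints (does not execute) the rule: OUTPUT with -o only for a local network,
# FORWARD with -i and -o otherwise. The source address check is kept in both
# cases, so host traffic and virtual-server traffic stay distinguishable.
gen_rule() {
    net=$(cfg_get NETWORK "$1")
    mask=$(cfg_get NETMASK "$1")
    if [ "$(cfg_get LOCAL "$1")" = "Yes" ]; then
        chain=OUTPUT
        ifaces="-o $3"
    else
        chain=FORWARD
        ifaces="-i $2 -o $3"
    fi
    printf '/sbin/iptables -t filter -A %s %s -s %s/%s -d %s -m state --state NEW -j NEWACCEPT\n' \
        "$chain" "$ifaces" "$net" "$mask" "$4"
}

# The vservers network yields the OUTPUT rule requested in the ticket; a
# regular LAN network still yields a FORWARD rule.
gen_rule "$VSERVERS_NET" dummy0 eth0 0.0.0.0/0.0.0.0
gen_rule "$LAN_NET" eth1 eth0 0.0.0.0/0.0.0.0
```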