On 05/18/2018 06:26 PM, ObNox wrote:
> On 17/05/2018 17:32, Tom Eastep wrote:
> 
>>> net { interface=${IF_NET} \
>>>        options="nets=(!${LAN_NET}),nosmurfs,rpfilter,dhcp,dbl=src-dst" }
>>>
>>> Removing the "dbl=src-dst" part (introduced in 5.0.10) prevents the
>>> warnings from triggering.
>>
>> Thanks for the update -- I'll take a look.
> 
> To stay on this topic: given the fact that we now have
> DYNAMIC_BLACKLIST and the "options" field in "interfaces" to handle the
> "src-dst" dynamic blacklisting, what would be the best/correct way to
> use the "src-dst" setting? In DYNAMIC_BLACKLIST or "options" (in
> "interfaces") or both?
> 
> What are the pros/cons of each method?
> 

The default setting for all interfaces is determined by the setting in
DYNAMIC_BLACKLIST. That default may be overridden on an individual
interface using dbl= in the interface's OPTIONS.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
