On Fri, 3 May 2002, Tom Eastep wrote:

> > No -- the two rules you added had NO EFFECT WHATSOEVER on the outcome.

To clarify -- since the packet and byte counts for those two rules were zero after your second test, the rules could not have had any possible effect.

One other thing -- be very careful when performing back-to-back tests using Netfilter-based firewalls. The connection-tracking entries for most protocols (TCP being the exception) live on after the connection has been terminated. If you establish a similar connection before these tracking entries have expired, the entries can be reused (this is especially true of protocols that do not make use of ports or that use the same port number for source and destination). This can lead you to believe that your latest set of rules "worked" when in fact it did not.

A "shorewall restart" does not clear the tracking table (it can't because there is no way for it to do so). There has been a lot of grumbling on the Netfilter mailing list about the lack of a means for removing connection-tracking entries. Until that grumbling results in a change though, caution is advised.

-Tom

--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
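The two checks Tom describes (rule counters that stayed at zero cannot have decided a test; a lingering conntrack entry for a non-TCP flow can make a repeat test pass for the wrong reason) can be scripted. The following is an added example, not code from the original thread or from Shorewall. It parses the text of `iptables -vnL` and of `/proc/net/ip_conntrack` (the 2.4-era format; newer kernels expose the same data through `conntrack -L`). The column layout, the sample listing and the sample conntrack table below are constructed for the demonstration and are assumptions, not output captured from a real box.

```python
"""Pre-flight checks before repeating a firewall test on a Netfilter host.

Assumed input formats (constructed to resemble `iptables -vnL` and
/proc/net/ip_conntrack on a 2.4 kernel; verify against your own system):
  rule line : pkts bytes target prot opt in out source destination [match...]
  ct line   : proto protonum timeout key=value ... [ASSURED] use=N
"""
import re

_COUNT = re.compile(r"^(\d+)([KMG]?)$")
_SCALE = {"": 1, "K": 1000, "M": 1000_000, "G": 1000_000_000}


def _count(token):
    """Turn '12', '1456' or '3K' (iptables -v without -x) into an int."""
    m = _COUNT.match(token)
    if not m:
        return None
    return int(m.group(1)) * _SCALE[m.group(2)]


def parse_counters(listing):
    """Return one dict per rule from `iptables -vnL` text, with its chain and 1-based index."""
    rules, chain, index = [], None, 0
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain, index = line.split()[1], 0
            continue
        fields = line.split()
        if len(fields) < 3 or _count(fields[0]) is None:
            continue  # blank line or the 'pkts bytes target ...' header
        index += 1
        rules.append({"chain": chain, "index": index, "pkts": _count(fields[0]),
                      "bytes": _count(fields[1]), "target": fields[2],
                      "match": " ".join(fields[3:])})
    return rules


def unhit_rules(listing):
    """Rules whose packet counter is zero: they could not have affected the last test."""
    return [r for r in parse_counters(listing) if r["pkts"] == 0]


def parse_conntrack(table):
    """Parse ip_conntrack lines; key=value pairs keep the original direction's values."""
    entries = []
    for line in table.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[1].isdigit():
            continue
        entry = {"proto": fields[0], "timeout": int(fields[2]), "assured": "[ASSURED]" in fields}
        for f in fields[3:]:
            if "=" in f:
                k, v = f.split("=", 1)
                entry.setdefault(k, v)  # first occurrence = original direction
        entries.append(entry)
    return entries


def lingering_entries(table, proto, dst_port=None):
    """Tracked entries for proto (optionally to one dport) that a repeat test could reuse."""
    return [e for e in parse_conntrack(table)
            if e["proto"] == proto and (dst_port is None or e.get("dport") == str(dst_port))]


def safe_to_retest(listing, table, proto, dst_port=None):
    """(ok, reasons): ok is False when counters or tracking state would make a retest misleading."""
    reasons = []
    for r in unhit_rules(listing):
        reasons.append(f"{r['chain']} rule {r['index']} ({r['target']} {r['match']}) has zero packets: "
                       "it did not decide the previous test")
    for e in lingering_entries(table, proto, dst_port):
        reasons.append(f"{proto} entry {e.get('src')}->{e.get('dst')}:{e.get('dport')} is still tracked "
                       f"for {e['timeout']}s: a repeat test may reuse it instead of traversing the rules")
    return (not reasons, reasons)


# Constructed sample data (not captured from a real system).
SAMPLE_LISTING = """\
Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
   12  1456 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
SAMPLE_CONNTRACK = """\
udp      17 28 src=192.168.1.5 dst=192.168.1.1 sport=1024 dport=53 src=192.168.1.1 dst=192.168.1.5 sport=53 dport=1024 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.5 dst=192.168.1.1 sport=1025 dport=22 src=192.168.1.1 dst=192.168.1.5 sport=22 dport=1025 [ASSURED] use=1
"""

if __name__ == "__main__":
    # On a live host feed `iptables -vnxL` and `cat /proc/net/ip_conntrack` output instead.
    ok, why = safe_to_retest(SAMPLE_LISTING, SAMPLE_CONNTRACK, "udp", 53)
    print("safe to retest" if ok else "NOT safe to retest:")
    for line in why:
        print("  -", line)
```

Run it between tests: a zero counter on the rule you expect to match means the previous attempt never reached it, and a UDP or ICMP entry still showing a timeout means waiting it out (or changing the source port) before concluding anything from the next attempt.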
