On Fri, 2003-11-28 at 09:02, Tom Eastep wrote:
> On Fri, 2003-11-28 at 08:54, Tom Eastep wrote:
>
> >
> > Ray has been telling you for some time now but it's not getting through;
> > you cannot simply hack in an arbitrary set of iptables commands into a
> > Shorewall-configured firewall and expect them to work. You have to
> > understand what Shorewall's ruleset does and you have to understand how
> > adding your additional rules might affect what that ruleset does.
> >
>
> In your particular case, you are inserting rules into the FORWARD chain
> BEFORE THE SHOREWALL-GENERATED TCPMSS RULE!!!! And since your accounting
> rules aren't passive (they ACCEPT the packets), the TCPMSS rule is never
> being traversed. So for those IP addresses that you are accounting for,
> the setting of CLAMPMSS is being effectively ignored.

What I recommend that you do is:

a) Install 1.4.8
b) Use accounting rules such as these:

    myrulei:COUNT - - 192.168.1.10
    myruleo:COUNT - 192.168.1.10
    ...

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
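The ordering problem described in this message can be checked mechanically. The following shell sketch is an added example, not part of the original message or of Shorewall; it assumes rule text in the format printed by `iptables -S FORWARD`, and the function name `rules_before_tcpmss` and both sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Added example: report terminating rules in FORWARD that sit ahead of the
# TCPMSS clamp rule, so matching packets never reach it.
# Input: text in `iptables -S FORWARD` format on stdin.
# Exit status: 0 = nothing ahead of the clamp, 1 = shadowing rules found,
#              2 = no TCPMSS rule in FORWARD at all.
# Only direct ACCEPT/DROP/REJECT targets are checked; jumps into user
# chains are not followed.
rules_before_tcpmss() {
    awk '
        $1 == "-A" && $2 == "FORWARD" {
            n++; target = ""
            for (i = 3; i < NF; i++) if ($i == "-j") target = $(i + 1)
            if (target == "TCPMSS") { found = 1; exit }   # clamp reached
            if (target ~ /^(ACCEPT|DROP|REJECT)$/)
                hit[++h] = "rule " n " shadows TCPMSS: " $0
        }
        END {
            if (!found) { print "no TCPMSS rule in FORWARD" > "/dev/stderr"; exit 2 }
            for (k = 1; k <= h; k++) print hit[k]
            exit (h > 0)
        }
    '
}

# Constructed sample: hand-inserted accounting rules that ACCEPT.
sample_broken() {
    cat <<'EOF'
-P FORWARD DROP
-A FORWARD -s 192.168.1.10/32 -j ACCEPT
-A FORWARD -d 192.168.1.10/32 -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth1 -j eth1_fwd
EOF
}

# Constructed sample: passive counting rules (no target) in the same place.
sample_fixed() {
    cat <<'EOF'
-P FORWARD DROP
-A FORWARD -s 192.168.1.10/32
-A FORWARD -d 192.168.1.10/32
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth1 -j eth1_fwd
EOF
}

sample_broken | rules_before_tcpmss || true
```

On a live firewall the same function can be fed with `iptables -S FORWARD | rules_before_tcpmss`.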
