>>but that only works if the optimize flag is set (else we do not have that
>>rule)?
I wanted to say something like:
# the smurfs and tcpflags rules are only inserted when their option is enabled
ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs")
    if $hostfw_options->{nosmurfs};
ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-p tcp -j PVEFW-tcpflags")
    if $hostfw_options->{tcpflags};

if ($hostfw_options->{optimize}) {
    # hand established traffic to the IPS chain when it exists, else accept it
    my $accept = ruleset_chain_exist($ruleset, "PVEFW-IPS") ? "PVEFW-IPS" : "ACCEPT";
    ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j $accept");
    ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate INVALID -j DROP");
}
----- Original Message -----
From: "Dietmar Maurer" <[email protected]>
To: "Alexandre DERUMIER" <[email protected]>
Cc: [email protected]
Sent: Friday 18 April 2014 10:30:28
Subject: RE: firewall option nosmurfs and tcpflags
> just put the rule in PVEFW-FORWARD, after
>
> -A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
> -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
_______________________________________________
pve-devel mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
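Added example, not code from the pve-firewall project: a small Python model of the snippet in Alexandre's reply above, showing the order PVEFW-FORWARD ends up in with and without the optimize flag and which rule a given packet hits first. It assumes ruleset_insertrule prepends to the chain (Perl unshift semantics) and that ruleset_chain_exist only checks for the chain's presence; first_hit is a constructed matcher for these rule shapes, not iptables.

```python
# Models ruleset_insertrule / ruleset_chain_exist from the thread.
# Assumption: ruleset_insertrule prepends (unshift), so the last rule
# inserted becomes the first rule evaluated.

def ruleset_chain_exist(ruleset, chain):
    return chain in ruleset

def ruleset_insertrule(ruleset, chain, rule):
    """Insert at the head of the chain (assumed unshift semantics)."""
    ruleset.setdefault(chain, []).insert(0, rule)

def build_forward(hostfw_options, ips_chain_present=False):
    """Replay the snippet from the thread and return the final rule order."""
    ruleset = {"PVEFW-FORWARD": []}
    if ips_chain_present:
        ruleset["PVEFW-IPS"] = []  # stands in for an existing IPS chain
    if hostfw_options.get("nosmurfs"):
        ruleset_insertrule(ruleset, "PVEFW-FORWARD",
                           "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs")
    if hostfw_options.get("tcpflags"):
        ruleset_insertrule(ruleset, "PVEFW-FORWARD", "-p tcp -j PVEFW-tcpflags")
    if hostfw_options.get("optimize"):
        accept = "PVEFW-IPS" if ruleset_chain_exist(ruleset, "PVEFW-IPS") else "ACCEPT"
        ruleset_insertrule(ruleset, "PVEFW-FORWARD",
                           f"-m conntrack --ctstate RELATED,ESTABLISHED -j {accept}")
        ruleset_insertrule(ruleset, "PVEFW-FORWARD",
                           "-m conntrack --ctstate INVALID -j DROP")
    return ruleset["PVEFW-FORWARD"]

def first_hit(chain, ctstate, proto):
    """Target of the first rule matching a (ctstate, proto) packet, else None.
    Constructed matcher: understands only --ctstate lists and -p <proto>."""
    for rule in chain:
        parts = rule.split()
        target = parts[parts.index("-j") + 1]
        if "--ctstate" in parts:
            states = parts[parts.index("--ctstate") + 1].split(",")
            if ctstate not in states:
                continue
        if "-p" in parts and parts[parts.index("-p") + 1] != proto:
            continue
        return target
    return None
```

With optimize set, ESTABLISHED traffic is accepted before reaching the tcpflags and smurfs checks, while NEW and INVALID packets still pass through them.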