On Sep 27, 2011, at 4:29 PM, Mr Dash Four wrote:

> 
>> Seems to me that we are re-inventing the wheel here. Everything you want can 
>> already be done in the rules file.
>> 
> Not really! Blacklist/whitelist entries are usually the first and 
> precede anything else in a given chain - it's their most valuable asset 
> and is the reason I'd like these new features implemented in them.

Yes -- and they come before traffic is broken out by zone. 
> 
> I know I could place a bunch of rules in the "rules" file, but they will 
> be useless, because: 1) the blacklist/whitelist will already have been 
> checked;

So, only place entries that are zone-neutral in the blacklist file.

> and 2) These rules will be after anything that usually gets 
> processed in a given chain - related/established connection rules, 
> dropInvalid and various other macros as well.

That depends on which SECTION you put them in and what you put in front of 
them. Remember that, by default, ESTABLISHED,RELATED packets don't go through 
the blacklist at all.

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
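As an added illustration of Tom's two points (rules in the rules file are ordered by SECTION, and ESTABLISHED,RELATED traffic bypasses the blacklist by default), here is a constructed set of Shorewall 4.4-style configuration excerpts. It is not taken from the thread or from the Shorewall distribution; the addresses are documentation ranges chosen for the example, and the column layouts follow the shorewall-rules, shorewall-blacklist and shorewall-interfaces file formats of that era.

```shorewall
# /etc/shorewall/shorewall.conf (constructed excerpt)
# With the default BLACKLISTNEWONLY=Yes, only NEW connections are checked
# against the blacklist; ESTABLISHED and RELATED packets skip it entirely.
BLACKLISTNEWONLY=Yes

# /etc/shorewall/interfaces (constructed excerpt)
# The 'blacklist' option enables blacklist checking on this interface; the
# check runs before traffic is split out by zone, which is why a blacklist
# entry must be zone-neutral.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      blacklist

# /etc/shorewall/blacklist (constructed excerpt)
# Zone-neutral entries only: a whole subnet, regardless of destination zone.
#ADDRESS/SUBNET   PROTOCOL   PORT
203.0.113.0/24    -          -

# /etc/shorewall/rules (constructed excerpt)
# Section placement decides what a rule is evaluated before. A DROP in the
# ESTABLISHED and RELATED sections is checked before the implicit accept of
# established traffic for that source, so it behaves like a per-host block
# that the blacklist file (with BLACKLISTNEWONLY=Yes) cannot express.
SECTION ESTABLISHED
DROP    net:198.51.100.7    all
SECTION RELATED
DROP    net:198.51.100.7    all
SECTION NEW
# Ordinary policy-style rules live here and are only reached for NEW
# connections that survived the blacklist check above.
ACCEPT  net                 $FW     tcp     22
```

The practical consequence for a defender is that a blacklist entry stops new connections only; cutting off a host whose session is already established requires either `BLACKLISTNEWONLY=No` (which makes every packet traverse the blacklist chain) or explicit DROP rules in the ESTABLISHED and RELATED sections as shown, placed ahead of any rule that would accept that traffic.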



_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel