Tom,

The attached minimal config generates the following rules if BLACKLISTNEWONLY=No:

-A fw2lan -p 6 --dport 1 -j DROP
-A fw2lan -p 6 --dport 2 -m conntrack --ctstate ESTABLISHED -j DROP
-A fw2lan -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A fw2lan -p 6 --dport 3 -m conntrack --ctstate RELATED -j DROP
-A fw2lan -j dynamic
-A fw2lan -j ACCEPT

If BLACKLISTNEWONLY is changed to Yes, the following rules are generated:

-A fw2lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A fw2lan -p 6 --dport 1 -j DROP
-A fw2lan -p 6 --dport 2 -m conntrack --ctstate ESTABLISHED -j DROP
-A fw2lan -p 6 --dport 3 -m conntrack --ctstate RELATED -j DROP
-A fw2lan -m conntrack --ctstate NEW,INVALID -j dynamic
-A fw2lan -j ACCEPT

It appears that the rules in the RELATED and ESTABLISHED sections would never be executed.

Steven.
shorewallT7.tar.gz
_______________________________________________ Shorewall-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-devel
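An added example, not code from this thread or from Shorewall: a small Python checker that replays the two rule listings above against a probe set of packets and reports which rules can never be the first match, which is the shadowing the message describes. It assumes ACCEPT/DROP/REJECT are terminal, that a jump to `dynamic` returns (non-terminal), and that probing protocol 6 over the ports named in the rules plus one unnamed port is enough to exercise every rule.

```python
"""Detect rules in a flat iptables chain listing that can never be reached."""
import re
from itertools import product

STATES = ("NEW", "ESTABLISHED", "RELATED", "INVALID")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}          # assumption: these end evaluation
UNNAMED_PORT = 65535                            # a port no rule mentions

# Rule listings quoted from the message (BLACKLISTNEWONLY=No, then =Yes).
NO_RULES = [
    "-A fw2lan -p 6 --dport 1 -j DROP",
    "-A fw2lan -p 6 --dport 2 -m conntrack --ctstate ESTABLISHED -j DROP",
    "-A fw2lan -m conntrack --ctstate ESTABLISHED -j ACCEPT",
    "-A fw2lan -p 6 --dport 3 -m conntrack --ctstate RELATED -j DROP",
    "-A fw2lan -j dynamic",
    "-A fw2lan -j ACCEPT",
]
YES_RULES = [
    "-A fw2lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    "-A fw2lan -p 6 --dport 1 -j DROP",
    "-A fw2lan -p 6 --dport 2 -m conntrack --ctstate ESTABLISHED -j DROP",
    "-A fw2lan -p 6 --dport 3 -m conntrack --ctstate RELATED -j DROP",
    "-A fw2lan -m conntrack --ctstate NEW,INVALID -j dynamic",
    "-A fw2lan -j ACCEPT",
]

def parse_rule(line):
    """Pull out the only matches these listings use: -p, --dport, --ctstate, -j."""
    get = lambda pat: (re.search(pat, line) or [None, None])[1]
    states = get(r"--ctstate (\S+)")
    return {"proto": get(r"-p (\S+)"),
            "dport": int(get(r"--dport (\d+)") or 0) or None,
            "ctstate": set(states.split(",")) if states else None,
            "target": get(r"-j (\S+)")}

def matches(rule, pkt):
    """pkt = (proto, dport, ctstate); a missing match clause matches anything."""
    proto, dport, state = pkt
    return ((rule["proto"] in (None, proto)) and (rule["dport"] in (None, dport))
            and (rule["ctstate"] is None or state in rule["ctstate"]))

def unreachable_rules(lines):
    """Walk the chain for every probe packet; return rules no packet ever hit."""
    rules = [parse_rule(l) for l in lines]
    ports = {r["dport"] for r in rules if r["dport"]} | {UNNAMED_PORT}
    reached = set()
    for pkt in product(("6",), sorted(ports), STATES):
        for i, r in enumerate(rules):
            if matches(r, pkt):
                reached.add(i)
                if r["target"] in TERMINAL:
                    break                       # first terminal match wins
    return [lines[i] for i in range(len(rules)) if i not in reached]

if __name__ == "__main__":
    for name, rules in (("No", NO_RULES), ("Yes", YES_RULES)):
        print(f"BLACKLISTNEWONLY={name}: shadowed rules -> {unreachable_rules(rules)}")
```

With BLACKLISTNEWONLY=Yes the two blacklist rules that depend on ESTABLISHED or RELATED are reported as shadowed by the leading ESTABLISHED,RELATED ACCEPT; with =No none are.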
