On Oct 10, 2011, at 4:26 PM, Tom Eastep wrote:
>
> On Oct 10, 2011, at 3:36 PM, Steven Jan Springl wrote:
>>
>> The attached minimal config. generates the following rules if
>> BLACKLISTNEWONLY=No
>>
>> -A fw2lan -p 6 --dport 1 -j DROP
>> -A fw2lan -p 6 --dport 2 -m conntrack --ctstate ESTABLISHED -j DROP
>> -A fw2lan -m conntrack --ctstate ESTABLISHED -j ACCEPT
>> -A fw2lan -p 6 --dport 3 -m conntrack --ctstate RELATED -j DROP
>> -A fw2lan -j dynamic
>> -A fw2lan -j ACCEPT
>>
>> If BLACKLISTNEWONLY is changed to Yes, the following rules are generated:
>>
>> -A fw2lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
>> -A fw2lan -p 6 --dport 1 -j DROP
>> -A fw2lan -p 6 --dport 2 -m conntrack --ctstate ESTABLISHED -j DROP
>> -A fw2lan -p 6 --dport 3 -m conntrack --ctstate RELATED -j DROP
>> -A fw2lan -m conntrack --ctstate NEW,INVALID -j dynamic
>> -A fw2lan -j ACCEPT
>>
>> It appears that the rules in the RELATED and ESTABLISHED sections would never
>> be executed.
>>
> It appears that in trying to work on two releases at the same time this
> weekend, I dropped my last set of changes. I'll recover them and issue Beta 2.

Steven,

The missing part was not very big so I just created a patch.

Thanks,
-Tom

Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________

BLACKLIST.patch
Description: Binary data
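
The ordering problem reported above can be checked mechanically. The following is an added example, not part of the thread and not Shorewall code: it walks both quoted fw2lan rule sets with first-match semantics and lists the rules that no packet can reach. It assumes that a jump to the "dynamic" chain returns to fw2lan, and the packet universe it tests is constructed.

```python
from itertools import product

STATES = ("NEW", "ESTABLISHED", "RELATED", "INVALID")
TERMINAL = {"ACCEPT", "DROP"}  # assumption: a jump to "dynamic" returns to fw2lan

# Rule sets copied from the thread.
NEWONLY_NO = """\
-A fw2lan -p 6 --dport 1 -j DROP
-A fw2lan -p 6 --dport 2 -m conntrack --ctstate ESTABLISHED -j DROP
-A fw2lan -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A fw2lan -p 6 --dport 3 -m conntrack --ctstate RELATED -j DROP
-A fw2lan -j dynamic
-A fw2lan -j ACCEPT""".splitlines()

NEWONLY_YES = """\
-A fw2lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A fw2lan -p 6 --dport 1 -j DROP
-A fw2lan -p 6 --dport 2 -m conntrack --ctstate ESTABLISHED -j DROP
-A fw2lan -p 6 --dport 3 -m conntrack --ctstate RELATED -j DROP
-A fw2lan -m conntrack --ctstate NEW,INVALID -j dynamic
-A fw2lan -j ACCEPT""".splitlines()

def parse_rule(line):
    """Parse only the options that appear in the thread: -p, --dport, --ctstate, -j."""
    tok = line.split()
    opt = dict(zip(tok[::2], tok[1::2]))  # every option here takes exactly one value
    return {
        "proto": opt.get("-p"),
        "dport": int(opt["--dport"]) if "--dport" in opt else None,
        "states": set(opt["--ctstate"].split(",")) if "--ctstate" in opt else set(STATES),
        "target": opt["-j"],
    }

def matches(rule, proto, dport, state):
    return (rule["proto"] in (None, proto) and rule["dport"] in (None, dport)
            and state in rule["states"])

def unreachable_rules(lines):
    """Return the rules that no packet in the constructed test universe ever matches."""
    rules = [parse_rule(l) for l in lines]
    hit = set()
    # Constructed universe: TCP (6) and UDP (17), the three listed ports plus one other.
    for pkt in product(("6", "17"), (1, 2, 3, 4), STATES):
        for i, rule in enumerate(rules):
            if matches(rule, *pkt):
                hit.add(i)
                if rule["target"] in TERMINAL:
                    break  # the first terminal match ends traversal of the chain
    return [lines[i] for i in range(len(lines)) if i not in hit]
```

Calling unreachable_rules(NEWONLY_NO) returns an empty list, while unreachable_rules(NEWONLY_YES) returns the --dport 2 and --dport 3 DROP rules, because the leading ESTABLISHED,RELATED ACCEPT rule matches those packets first.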
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
