> Patch attached. The new suffixes are:
>
> :U (UNTRACKED)
> :NU (NEW,UNTRACKED)
> :NIU (NEW,INVALID,UNTRACKED)
The patch does its job to perfection.
> Patch attached. Adds a DROP action to the format-2 conntrack file.
That, in general, does not work:
I am not sure what I am supposed to put in the SOURCE/DESTINATION columns as a
"zone" when in reality I don't care which "zone" this is in (and I don't think
"all" is appropriate). For example, if I want to emulate "-t raw -I PREROUTING
1 -m set --match-set baddies-set src -j DROP" as well as "-t raw -I OUTPUT 1 -m
set --match-set baddies-set dst -j DROP" I tried the following:
1.
DROP +baddies-set
DROP - +baddies-set
Doesn't work - it is asking me for a zone to put in...
2.
DROP $FW:+baddies-set
DROP - $FW:+baddies-set
Moans about unknown zone ("-")...
3.
DROP $FW:+baddies-set
DROP all $FW:+baddies-set
I am getting "ERROR: Unknown Interface (fw)" error...
Further on this - a few suggestions to extend this file's functionality:
1. I am not sure whether I could use custom action in this file, but it would
be very handy if I could. Why? Because if I wish to use such action for
creating packet logs to multiple (understand 3) destinations for example, then
instead of having 3 separate LOG/NFLOG statements *and* their associate
conditionals, I could just have one conditional + custom action, which should,
in theory, be translated to a single jump to the corresponding custom-action
chain where the multiple packet logs take place.
2. If possible, could you include a SWITCH column (similar to what you already
have in "rules") so that this particular rule is switched on/off if/when
desired.
Finally, a side issue I've been having, which up until now was a bit of a
mystery to me - until I had a proper look at my (default) conntrack file, that
is: every time shorewall starts, I get a group of rather annoying syslog
messages like so:
xt_CT: No such helper "sane"
xt_CT: No such helper "sane-0"
xt_CT: No such helper "tftp"
xt_CT: No such helper "tftp-0"
xt_CT: No such helper "pptp"
xt_CT: No such helper "sip"
xt_CT: No such helper "sip-0"
xt_CT: No such helper "snmp"
xt_CT: No such helper "netbios-ns"
xt_CT: No such helper "ftp"
xt_CT: No such helper "ftp-0"
xt_CT: No such helper "irc"
xt_CT: No such helper "irc-0"
xt_CT: No such helper "amanda"
I knew these may have resulted from the fact that I have intentionally disabled
(and forcibly removed!) all conntrack kernel helper modules. Until I had a look
at the conntrack file, I thought that they were caused by shorewall trying to
load the ct kernel helper modules, but after seeing all those conditionals in
"conntrack" I am not so sure. Is there any way I could get rid of these
messages? Am I doing something wrong?
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
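Added example (not part of the message above or of Shorewall): the kernel's xt_CT target logs `No such helper "<name>"` at rule-insertion time when a rule carries a `CT --helper <name>` target and no conntrack helper of that name is registered. The script below triages such syslog lines: it extracts the helper names, maps each to its `nf_conntrack_*` module and checks under sysfs whether that module is loaded, so the messages can be tied back to the rules that reference helpers the host deliberately does not have. The log lines are constructed, the `-<digits>` suffix handling is an assumption, and `sysfs_root` is a parameter only so the check can be pointed at a test directory.

```python
"""Triage xt_CT "No such helper" syslog lines: extract the helper names the
kernel could not find and check whether the matching nf_conntrack_* module is
loaded on this host."""
import re
from pathlib import Path

# Constructed sample, modelled on the lines quoted in the thread; it is not
# captured from a live system.
SAMPLE_LOG = """\
Nov 14 09:00:01 fw kernel: xt_CT: No such helper "sane"
Nov 14 09:00:01 fw kernel: xt_CT: No such helper "sane-0"
Nov 14 09:00:01 fw kernel: xt_CT: No such helper "tftp"
Nov 14 09:00:01 fw kernel: xt_CT: No such helper "netbios-ns"
Nov 14 09:00:01 fw kernel: xt_CT: No such helper "ftp-0"
"""

HELPER_RE = re.compile(r'xt_CT: No such helper "([^"]+)"')
# Assumption: a trailing "-<digits>" (as in "ftp-0") names a variant of the
# same helper and is served by the same kernel module as the base name.
VARIANT_SUFFIX_RE = re.compile(r"-\d+$")


def missing_helpers(log_text):
    """Return sorted, de-duplicated base helper names from xt_CT complaints."""
    names = set()
    for match in HELPER_RE.finditer(log_text):
        names.add(VARIANT_SUFFIX_RE.sub("", match.group(1)))
    return sorted(names)


def module_name(helper):
    """Map a helper name to its conntrack module, e.g. netbios-ns -> nf_conntrack_netbios_ns."""
    return "nf_conntrack_" + helper.replace("-", "_")


def check_modules(helpers, sysfs_root="/sys/module"):
    """Return {module: loaded?}; a loaded module has a directory under sysfs_root."""
    root = Path(sysfs_root)
    return {module_name(h): (root / module_name(h)).is_dir() for h in helpers}


def report(log_text, sysfs_root="/sys/module"):
    """One line per complained-about helper: its module and whether it is loaded.

    A helper reported here but 'not loaded' means some rule in the ruleset
    still carries a CT --helper target for it; that rule, not module loading,
    is what produces the syslog message."""
    helpers = missing_helpers(log_text)
    status = check_modules(helpers, sysfs_root)
    lines = []
    for h in helpers:
        mod = module_name(h)
        state = "loaded" if status[mod] else "not loaded"
        lines.append(f"{h:12s} -> {mod:28s} {state}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against `journalctl -k` or the relevant syslog file instead of `SAMPLE_LOG` to get the list of helpers the ruleset still references; any helper shown as not loaded points at a conntrack-file entry that can be removed or guarded with a conditional on a host that has had that helper module removed.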