There is another (quite annoying) issue I've discovered with 4.5.12 (maybe valid with 4.5.13 betas, don't know), which I think requires a little attention:
shorewall.conf
~~~~~~~~~~~~~~
RELATED_DISPOSITION=ACCEPT

blrules
~~~~~~~
WHITELIST	fw	net:+whitelist
<EOF>

rules
~~~~~
SECTION RELATED
IFLOG(accept,log,nflog1,2,mamas,DROP)	$FW	net
SECTION NEW
dropInvalid	all	all
[...]

generates these rules:

-A fw2net -m conntrack --ctstate NEW,INVALID -m set --match-set whitelist dst -j RETURN
-A fw2net -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A fw2net -m conntrack --ctstate RELATED -j +fw2net
-A fw2net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A fw2net -m conntrack --ctstate INVALID -j DROP

1st rule above: even though it is the only one which exists in "blrules" for this chain (fw2net), it should not have been optimised in this way (RETURN from fw2net will prevent further traversing!). Also, why is --ctstate INVALID included in that match (I do have BLACKLISTNEWONLY=Yes, but that doesn't explain the INVALID match being there)? The correct rule should have been a single "--ctstate INVALID -j DROP", if anything (as shown in the last rule listed there).

2nd-to-last rule: where did that come from? I have similar rules generated for all of my other chains (net2fw, local2fw, fw2local ...).

I am sorry I couldn't participate in the testing of the previous betas, but I have been quite busy and it looks as though that would be the way at least until the end of Jan.

Tom Eastep wrote:
> On 01/21/2013 09:08 AM, Tom Eastep wrote:
>
>> I've found a couple of more issues with 4.5.13 Beta 2.
>>
>> 1) An internal error can be raised while trying to complete a built-in
>> chain like INPUT.
>>
>> 2) Audited RELATED_DISPOSITION (e.g., RELATED_DISPOSITION=A_ACCEPT) is
>> effectively ignored.
>>
>> Patches attached.
>>
>
> Here's a fix on top of the second patch above; it avoids perl
> diagnostics when RELATED_DISPOSITION is 'REJECT'.
> -Tom

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
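An added audit script, not part of this thread or of Shorewall itself, that scans iptables-save style output for the two symptoms the report above describes: a whitelist (ipset) rule that RETURNs out of a zone chain, and a --ctstate match that bundles INVALID with other states under a non-drop target. The sample rule lines are the fw2net rules quoted in the report; the function and field names are my own.

```python
"""Audit iptables-save rule lines for the symptoms described in the report."""
import shlex

# Constructed sample: the fw2net rules quoted in the report above.
SAMPLE_RULES = """\
-A fw2net -m conntrack --ctstate NEW,INVALID -m set --match-set whitelist dst -j RETURN
-A fw2net -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A fw2net -m conntrack --ctstate RELATED -j +fw2net
-A fw2net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A fw2net -m conntrack --ctstate INVALID -j DROP
"""


def parse_rule(line):
    """Extract chain, target, ctstate set and ipset name from one -A rule line."""
    tokens = shlex.split(line)
    rule = {"chain": None, "target": None, "ctstate": set(), "set": None, "raw": line}
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "-A":
            rule["chain"] = nxt
        elif tok == "-j":
            rule["target"] = nxt
        elif tok == "--ctstate":
            rule["ctstate"] = set(nxt.split(","))
        elif tok == "--match-set":
            rule["set"] = nxt
    return rule


def audit(text):
    """Return a list of (line_no, finding) for rules showing either symptom."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.startswith("-A"):
            continue
        r = parse_rule(line)
        # Symptom 1: an ipset whitelist rule whose target is RETURN. RETURN ends
        # traversal of the zone chain, so whitelisted traffic skips every later
        # rule in that chain (the "prevent further traversing" problem above).
        if r["set"] and r["target"] == "RETURN":
            findings.append((n, f"whitelist set '{r['set']}' exits chain {r['chain']} via RETURN"))
        # Symptom 2: INVALID bundled with other states in a match that does not
        # drop or reject; INVALID should only ever appear alone in a DROP rule.
        if "INVALID" in r["ctstate"] and len(r["ctstate"]) > 1 and r["target"] not in ("DROP", "REJECT"):
            others = sorted(r["ctstate"] - {"INVALID"})
            findings.append((n, f"INVALID matched together with {others} -> {r['target']}"))
    return findings


if __name__ == "__main__":
    for line_no, finding in audit(SAMPLE_RULES):
        print(f"line {line_no}: {finding}")
```

Feed it real output with `iptables-save | python3 audit_rules.py` after replacing SAMPLE_RULES with `sys.stdin.read()`; both findings land on the first sample line, while the lone `--ctstate INVALID -j DROP` rule is reported as clean.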
