> Yes -- that's a bug. Patch attached.
>

I might be able to give it a quick whirl tomorrow (it would be just for that single fix). If so, will let you know.

>> Also, why is --cstate INVALID included in that match (I do have
>> BLACKLISTNEWONLY=Yes, but that doesn't explain the INVALID match being
>> there)?
>>
>
> The rationale there is that sending packets in an invalid state should
> not allow someone to bypass the blacklist rules. So I would prefer to
> change the description of the BLACKLISTNEWONLY option rather than the code.
>

More reason to implement my (previous) idea of introducing INVALID_DISPOSITION and treating it completely differently from anything else. If we had that (say INVALID_DISPOSITION=A_DROP) then there will be two distinct (and very clear) rules in that chain and I won't be scratching my head wondering what the hell is going on (and I won't have to modify the core chains/use dropInvalid either).

> Yes -- with RELATED_DISPOSITION=ACCEPT, simply accepting packets in
> ESTABLISHED state would be enough. That is a left-over from before I
> implemented RELATED_DISPOSITION. I'll clean that up in this release.
>

OK, thanks.

> I would anticipate RC 1 being available about that time so hopefully you
> can test then.
>

Yep, I am also hoping I will have more time to test this.

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
