On 1/22/13 3:12 PM, "Tom Eastep" <[email protected]> wrote:

>On 01/22/2013 11:16 AM, Tom Eastep wrote:
>> On 01/22/2013 10:36 AM, Tom Eastep wrote:
>>> On 01/22/2013 08:13 AM, Tom Eastep wrote:
>>>> On 01/22/2013 05:04 AM, Mr Dash Four wrote:
>
>>>>> -A fw2net -m conntrack --ctstate NEW,INVALID -m set --match-set whitelist dst -j RETURN
>>>>> -A fw2net -m conntrack --ctstate ESTABLISHED -j ACCEPT
>>>>> -A fw2net -m conntrack --ctstate RELATED -j +fw2net
>>>>> -A fw2net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
>>>>> -A fw2net -m conntrack --ctstate INVALID -j DROP
>
>>>>> 2nd-to-last rule: where did that come from? I have similar rules
>>>>> generated for all of my other chains (net2fw, local2fw, fw2local ...).
>>>>
>>>> Yes -- with RELATED_DISPOSITION=ACCEPT, simply accepting packets in
>>>> ESTABLISHED state would be enough. That is a left-over from before I
>>>> implemented RELATED_DISPOSITION.  I'll clean that up in this release.
>>>
>>> I just took another look at this and I'm not clear where that is coming
>>> from in your case. From my own ruleset:
>>>
>>> -A net-fw -m conntrack --ctstate NEW,INVALID -j net-fw~
>>> -A net-fw -i eth0 -j eth0_iop
>>> -A net-fw -i eth1 -j eth1_iop
>>> -A net-fw -m conntrack --ctstate ESTABLISHED -j ACCEPT
>>> -A net-fw -m conntrack --ctstate RELATED -j +net-fw
>>> -A net-fw -p tcp --syn -j @net-all
>>> -A net-fw -p udp --dport 1194 -j ACCEPT
>>> ...
>> 
>> I've reproduced the problem and will include a fix in the next Beta.
>
>Patch attached.

Bad patch -- here's the replacement.

-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.



Attachment: RELATED3.patch
Description: Binary data
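The point under discussion above is that, once ESTABLISHED packets are accepted outright and RELATED packets are diverted to the +fw2net chain (which accepts them when RELATED_DISPOSITION=ACCEPT), the later `--ctstate ESTABLISHED,RELATED -j ACCEPT` rule can never match anything. The script below is an added example, not Shorewall code or anything from the thread: it walks the quoted fw2net chain with every combination of conntrack state and ipset membership and reports rules no packet reaches, following iptables semantics for jumps to user chains (a chain that ends without a verdict, or hits RETURN, hands control back to the next rule in the caller). It models only the two matches that appear in the quoted rules, `--ctstate` and `--match-set whitelist dst`; any other match would be treated as always true. The sample chains, including a hypothetical +fw2net that issues no verdict, are constructed here for illustration.

```python
"""Report iptables rules in a chain that no packet can reach.

Only '-m conntrack --ctstate' and '-m set --match-set whitelist dst' are
modelled; every other match is treated as always true.  A rule reported
as unreachable therefore really is unreachable under these matches.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

CTSTATES = ("NEW", "ESTABLISHED", "RELATED", "INVALID")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass(frozen=True)
class Packet:
    ctstate: str
    whitelisted: bool  # True when dst is in the 'whitelist' ipset


@dataclass
class Rule:
    text: str
    ctstates: Optional[FrozenSet[str]]  # None: rule has no --ctstate match
    needs_whitelist: bool               # -m set --match-set whitelist dst
    target: str                         # ACCEPT/DROP/RETURN or a user chain

    def matches(self, pkt: Packet) -> bool:
        if self.ctstates is not None and pkt.ctstate not in self.ctstates:
            return False
        if self.needs_whitelist and not pkt.whitelisted:
            return False
        return True


def parse_rules(lines: List[str]) -> Dict[str, List[Rule]]:
    """Parse iptables-save style '-A <chain> ... -j <target>' lines."""
    chains: Dict[str, List[Rule]] = {}
    for line in lines:
        toks = line.split()
        chain = toks[toks.index("-A") + 1]
        ctstates = None
        if "--ctstate" in toks:
            ctstates = frozenset(toks[toks.index("--ctstate") + 1].split(","))
        target = toks[toks.index("-j") + 1]
        chains.setdefault(chain, []).append(
            Rule(line, ctstates, "--match-set" in toks, target))
    return chains


def walk(chains: Dict[str, List[Rule]], chain: str, pkt: Packet,
         hits: Set[Tuple[str, int]]) -> Optional[str]:
    """Run pkt through chain, recording every rule it matches.

    Returns the verdict, or None when the chain ends without one (RETURN,
    or running off the end), in which case a calling chain carries on
    with its next rule, exactly as iptables does."""
    for idx, rule in enumerate(chains.get(chain, [])):
        if not rule.matches(pkt):
            continue
        hits.add((chain, idx))
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            return None
        verdict = walk(chains, rule.target, pkt, hits)  # -j <user chain>
        if verdict is not None:
            return verdict
        # user chain gave no verdict: fall through to the next rule here
    return None


def unreachable_rules(lines: List[str], chain: str) -> List[str]:
    """Rule texts in `chain` that no (ctstate, whitelist) packet reaches."""
    chains = parse_rules(lines)
    hits: Set[Tuple[str, int]] = set()
    for ctstate, wl in product(CTSTATES, (False, True)):
        walk(chains, chain, Packet(ctstate, wl), hits)
    return [r.text for i, r in enumerate(chains[chain])
            if (chain, i) not in hits]


# Constructed sample: the fw2net chain quoted in the thread.
FW2NET = [
    "-A fw2net -m conntrack --ctstate NEW,INVALID -m set --match-set whitelist dst -j RETURN",
    "-A fw2net -m conntrack --ctstate ESTABLISHED -j ACCEPT",
    "-A fw2net -m conntrack --ctstate RELATED -j +fw2net",
    "-A fw2net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    "-A fw2net -m conntrack --ctstate INVALID -j DROP",
]
# RELATED_DISPOSITION=ACCEPT: +fw2net accepts everything sent to it.
RELATED_ACCEPT = ["-A +fw2net -j ACCEPT"]
# Hypothetical +fw2net that returns without a verdict (not from the thread).
RELATED_NOVERDICT = ["-A +fw2net -m conntrack --ctstate RELATED -j RETURN"]

if __name__ == "__main__":
    for label, related in (("RELATED_DISPOSITION=ACCEPT", RELATED_ACCEPT),
                           ("+fw2net gives no verdict", RELATED_NOVERDICT)):
        dead = unreachable_rules(FW2NET + related, "fw2net")
        print(f"{label}: {len(dead)} unreachable rule(s)")
        for text in dead:
            print("   ", text)
```

With the +fw2net chain accepting, the only rule the walk never touches is the ESTABLISHED,RELATED ACCEPT rule, which is the leftover Tom describes. The second sample shows the caveat a practitioner should keep in mind before deleting such a rule by hand: if the RELATED chain can hand control back without a verdict, the combined rule becomes the fallback for RELATED traffic and is reachable again.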

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
