On 1/23/13 3:55 PM, "Mr Dash Four" <[email protected]> wrote:
> Tom Eastep wrote:
>> On 1/22/13 3:12 PM, "Tom Eastep" <[email protected]> wrote:
>>
>>> On 01/22/2013 11:16 AM, Tom Eastep wrote:
>>>> On 01/22/2013 10:36 AM, Tom Eastep wrote:
>>>>> On 01/22/2013 08:13 AM, Tom Eastep wrote:
>>>>>> On 01/22/2013 05:04 AM, Mr Dash Four wrote:
>>>>>>> -A fw2net -m conntrack --ctstate NEW,INVALID -m set --match-set whitelist dst -j RETURN
>>>>>>> -A fw2net -m conntrack --ctstate ESTABLISHED -j ACCEPT
>>>>>>> -A fw2net -m conntrack --ctstate RELATED -j +fw2net
>>>>>>> -A fw2net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
>>>>>>> -A fw2net -m conntrack --ctstate INVALID -j DROP
>>>>>>>
>>>>>>> 2nd-to-last rule: where did that come from? I have similar rules
>>>>>>> generated for all of my other chains (net2fw, local2fw, fw2local ...).
>>>>>>
>>>>>> Yes -- with RELATED_DISPOSITION=ACCEPT, simply accepting packets in
>>>>>> ESTABLISHED state would be enough. That is a left-over from before I
>>>>>> implemented RELATED_DISPOSITION. I'll clean that up in this release.
>>>>>
>>>>> I just took another look at this and I'm not clear where that is
>>>>> coming from in your case. From my own ruleset:
>>>>>
>>>>> -A net-fw -m conntrack --ctstate NEW,INVALID -j net-fw~
>>>>> -A net-fw -i eth0 -j eth0_iop
>>>>> -A net-fw -i eth1 -j eth1_iop
>>>>> -A net-fw -m conntrack --ctstate ESTABLISHED -j ACCEPT
>>>>> -A net-fw -m conntrack --ctstate RELATED -j +net-fw
>>>>> -A net-fw -p tcp --syn -j @net-all
>>>>> -A net-fw -p udp --dport 1194 -j ACCEPT
>>>>> ...
>>>>
>>>> I've reproduced the problem and will include a fix in the next Beta.
>>>
>>> Patch attached.
>>
>> Bad patch -- here's the replacement.
>
> I assume this patch was for the 2nd-to-last rule (which is now gone,
> though I had to alter the patch a bit as the 2nd hunk was failing) and
> not for the erroneous RETURN from fw2net, is that correct?

That's correct.

-Tom

You do not need a parachute to skydive. You only need a parachute to skydive twice.
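The leftover rule discussed in this thread is easy to miss by eye in a generated ruleset: an `ESTABLISHED,RELATED -j ACCEPT` that follows separate `ESTABLISHED -j ACCEPT` and `RELATED` rules in the same chain is, at least for the ESTABLISHED part, dead. The checker below is an added example written for this page; it is not part of the thread and not Shorewall's own code. It reads iptables-save style `-A` lines and, per chain, reports any rule that matches only on `--ctstate` when some or all of its states were already decided by an earlier ctstate-only rule with a terminal target (ACCEPT, DROP, REJECT, RETURN). Rules carrying other matches (`-i`, `-p`, `-m set`) are deliberately left out of the analysis, since they only decide a subset of a state, and jumps to Shorewall's `+chain`, `chain~` and `@chain` helper chains are treated as non-terminal because the packet may return. The sample dump is constructed from the two chains quoted above.

```python
"""Flag conntrack rules that an earlier terminal rule in the same chain already decides.

Added example (not from the thread and not Shorewall's own code): it reads
iptables-save style '-A' lines and reports a ctstate-only rule when some or
all of its states were already ACCEPTed/DROPped/REJECTed/RETURNed by an
earlier ctstate-only rule in that chain, which is how a leftover
"ESTABLISHED,RELATED -j ACCEPT" rule shows up.
"""
import re
from collections import defaultdict

# Targets after which a matched packet never reaches later rules of the chain.
# Jumps to user chains (including Shorewall's +chain / chain~ / @chain helpers)
# are not terminal: the packet may return and continue down the chain.
TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN"}

RULE_RE = re.compile(r"^-A\s+(\S+)(?:\s+(.*?))?\s+-j\s+(\S+)\s*$")
CTSTATE_RE = re.compile(r"-m conntrack --ctstate (\S+)")


def parse_rule(line):
    """Return (chain, other_matches, ctstates, target), or None for non-rule lines."""
    m = RULE_RE.match(line.strip())
    if m is None:
        return None
    chain, matches, target = m.group(1), m.group(2) or "", m.group(3)
    s = CTSTATE_RE.search(matches)
    states = frozenset(s.group(1).split(",")) if s else frozenset()
    # Whatever is left once the ctstate clause is removed (interfaces, protocols, sets ...).
    other = CTSTATE_RE.sub("", matches).strip()
    return chain, other, states, target


def find_redundant_ctstate_rules(dump):
    """Return [(chain, rule_text, already_decided_states, fully_redundant)] for
    ctstate-only rules whose states an earlier terminal ctstate-only rule decided."""
    decided = defaultdict(set)  # chain -> states already terminally handled
    findings = []
    for line in dump.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        chain, other, states, target = parsed
        # Rules with extra matches decide only a subset of a state, so only
        # pure ctstate rules take part in this analysis.
        if not states or other:
            continue
        already = states & decided[chain]
        if already:
            findings.append((chain, line.strip(), sorted(already), already == states))
        if target in TERMINAL_TARGETS:
            decided[chain] |= states
    return findings


# Constructed sample: the two chains quoted in the thread, in iptables-save form.
SAMPLE_DUMP = """\
*filter
:fw2net - [0:0]
:net-fw - [0:0]
-A fw2net -m conntrack --ctstate NEW,INVALID -m set --match-set whitelist dst -j RETURN
-A fw2net -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A fw2net -m conntrack --ctstate RELATED -j +fw2net
-A fw2net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A fw2net -m conntrack --ctstate INVALID -j DROP
-A net-fw -m conntrack --ctstate NEW,INVALID -j net-fw~
-A net-fw -i eth0 -j eth0_iop
-A net-fw -i eth1 -j eth1_iop
-A net-fw -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A net-fw -m conntrack --ctstate RELATED -j +net-fw
-A net-fw -p tcp --syn -j @net-all
-A net-fw -p udp --dport 1194 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for chain, rule, covered, fully in find_redundant_ctstate_rules(SAMPLE_DUMP):
        kind = "fully" if fully else "partly"
        print(f"{chain}: {kind} redundant for {','.join(covered)}: {rule}")
```

Run against the sample it reports the fw2net `ESTABLISHED,RELATED -j ACCEPT` rule as partly redundant (its ESTABLISHED half is dead; the RELATED half is still reachable for packets that return from `+fw2net`), and nothing for net-fw. Feeding it the output of `iptables-save` on a live host is the practical use: a fully redundant finding is a candidate for removal, a partial one is worth a look at whether the remaining states were meant to be handled that way.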
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
