Tom,

The attached config generates the following iptables rules:
(1) -A lan-fw -m conntrack --ctstate NEW,INVALID,UNTRACKED -j dynamic
(2) -A lan-fw -m conntrack --ctstate ESTABLISHED -j ACCEPT
(3) -A lan-fw -m conntrack --ctstate RELATED -g A_ACCEPT
(4) -A lan-fw -m conntrack --ctstate INVALID -g _lan-fw
(5) -A lan-fw -m conntrack --ctstate UNTRACKED -g &lan-fw
(6) -A lan-fw -p 17 --dport 123 -m conntrack --ctstate INVALID -m hashlimit --hashlimit-upto 4/sec --hashlimit-burst 8 --hashlimit-name lograte --hashlimit-mode dstip -j LOG --log-level 4 --log-prefix "Shorewall:lanfw:LOG:"
(7) -A lan-fw -g all-all

Shorewall rule:

    Invalid(LOG:warn)    lan    fw    udp    123

produces iptables rule (6) above. As iptables rule (4) uses -g to branch to _lan-fw, when the _lan-fw chain finishes iptables will return to the INPUT chain and not to lan-fw, so iptables rule (6) will not be executed.

I have specified INVALID_DISPOSITION=CONTINUE

If any of the "PACKET DISPOSITION" parameters in shorewall.conf is set to CONTINUE, shouldn't '-j' be used instead of '-g' in the generated iptables rule?

Steven.
Attachment: shorewall2A21.tar.gz (application/compressed-tar)
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
