> This now works. However:
>
> rules
> ~~~~~
> SECTION RELATED
> Established(ELOG(-,fw2NeT,2)) $FW net
> Established(dropInvalid) $FW net
> dropInvalid $FW net
>
> produces:
>
> -A +fw2net -m conntrack --ctstate ESTABLISHED -j ELOG
> -A +fw2net -m conntrack --ctstate ESTABLISHED -m conntrack --ctstate INVALID
> -j DROP
> -A +fw2net -m conntrack --ctstate INVALID -j DROP
>
> "ELOG" is not inline and is the equivalent of IELOG as indicated previously.

That now also works as expected. However:

rules
~~~~~
SECTION RELATED
Related(ELOG(,fw2NeT,2)) $FW net
DROP $FW net udp
DROP $FW net tcp

produces:

-A +fw2net -p 17 -j DROP
-A +fw2net -p 6 -j DROP
-A +fw2net -j ACCEPT

In other words, the "Related" action is now "optimised" away for some reason. If I use "ELOG(,fw2NeT,2)" directly, instead of "Related(ELOG(,fw2NeT,2))", that works as expected. Please also note that I have RELATED_DISPOSITION=ACCEPT in shorewall.conf.

If I had a warning of whether the "wrong" rules (in shorewall's opinion) have been ignored/optimised, I would have known whether this is ignored deliberately or whether there is something wrong with "Related" when specifying a custom action as a parameter. As it stands, I can't tell as shorewall is silent.

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
