On 2/9/13 10:44 AM, "Mr Dash Four" <[email protected]> wrote:
>That now also works as expected. However:
>
>rules
>~~~~~
>SECTION RELATED
>Related(ELOG(,fw2NeT,2)) $FW net
>DROP $FW net udp
>DROP $FW net tcp
>
>produces:
>
>-A +fw2net -p 17 -j DROP
>-A +fw2net -p 6 -j DROP
>-A +fw2net -j ACCEPT
>
>In other words, the "Related" action is now "optimised" away for some
>reason. If I use "ELOG(,fw2NeT,2)" directly, instead of
>"Related(ELOG(,fw2NeT,2))" that works as expected. Please also note that
>I have RELATED_DISPOSITION=ACCEPT in shorewall.conf.

Simple typo -- I typed "$_" when I wanted "$1". Patch attached.

>
>
>If I had a warning of whether the "wrong" rules (in shorewall's opinion)
>have been ignored/optimised, I would have known whether this is ignored
>deliberately or whether there is something wrong with "Related" when
>specifying custom action as a parameter. As it stands, I can't tell as
>shorewall is silent.

You should be seeing messages such as these when a rule is suppressed:

Checking /home/teastep/shorewall/regressionLibrary/4.5.13/inline6/rules...
Checking /home/teastep/shorewall/regressionLibrary/4.5.13/inline6/action.ELOG for chain ELOG...
WARNING: Entry generated no iptables rules /home/teastep/shorewall/regressionLibrary/4.5.13/inline6/rules (line 22)
WARNING: Entry generated no iptables rules /home/teastep/shorewall/regressionLibrary/4.5.13/inline6/rules (line 24)
WARNING: Entry generated no iptables rules /home/teastep/shorewall/regressionLibrary/4.5.13/inline6/rules (line 32)
Checking /usr/share/shorewall/action.TCPFlags for chain TCPFlags...
Checking /usr/share/shorewall/action.Broadcast for chain Broadcast...

-Tom

You do not need a parachute to skydive. You only need a parachute to skydive twice.
TYPO.patch
Description: Binary data
_______________________________________________ Shorewall-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-devel
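One way to turn the "Entry generated no iptables rules" warnings quoted in the message above into a hard failure before a ruleset is deployed. This is an added example, not part of the thread or of Shorewall; the names `suppressed_entries`, `TOKEN` and `SAMPLE` are chosen here, and it assumes the compiler's output has been captured as text and uses the wording shown above.

```python
import re
import sys

# Matches either a "Checking <file>[ for chain <chain>]..." progress line or
# the suppressed-entry warning, in the wording quoted in the message above.
TOKEN = re.compile(
    r"Checking (?P<file>\S+?)(?: for chain (?P<chain>\S+?))?\.\.\."
    r"|WARNING: Entry generated no iptables rules\s+(?P<path>\S+)\s+\(line (?P<line>\d+)\)"
)

def suppressed_entries(output):
    """Return (rules_file, line_number, last_progress_item) per suppressed entry.

    Scans the whole text rather than line by line, so it also copes with
    output whose line breaks were lost (as in a re-flowed mail archive).
    """
    found, context = [], None
    for m in TOKEN.finditer(output):
        if m.group("line") is None:
            # Progress line: remember the chain (or file) being checked.
            context = m.group("chain") or m.group("file")
        else:
            found.append((m.group("path"), int(m.group("line")), context))
    return found

# Sample input: the output lines quoted in the message above.
BASE = "/home/teastep/shorewall/regressionLibrary/4.5.13/inline6"
SAMPLE = "\n".join([
    f"Checking {BASE}/rules...",
    f"Checking {BASE}/action.ELOG for chain ELOG...",
    f"WARNING: Entry generated no iptables rules {BASE}/rules (line 22)",
    f"WARNING: Entry generated no iptables rules {BASE}/rules (line 24)",
    f"WARNING: Entry generated no iptables rules {BASE}/rules (line 32)",
    "Checking /usr/share/shorewall/action.TCPFlags for chain TCPFlags...",
])

if __name__ == "__main__":
    # Reads captured compiler output on stdin; exits 1 if any entry was dropped.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    hits = suppressed_entries(text)
    for path, line, ctx in hits:
        print(f"{path}:{line}: entry produced no iptables rules (while checking {ctx})")
    sys.exit(1 if hits else 0)
```

A non-zero exit when any rule is dropped makes the case in the quoted report, a rule disappearing from the generated chain, visible in an automated check rather than only in scrolling console output.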
