On 9/24/2014 10:19 AM, PGNd wrote:
> /stoppedrules
> + ACCEPT EXT_IF $FW icmp 8
> + ACCEPT VPN_IF $FW icmp 8
>
> also fails to prevent failed intfc during boot.

Those rules are allowing incoming ping.

> Clearly, I'm not understanding something here ...

With ADMINISABSENTMINDED=Yes (which I recommend), all outgoing connections are allowed and their responses are allowed while in stopped state. If you have ADMINISABSENTMINDED=No, then the firewall is stateless and you must add rules for both requests and responses.

Before the VPN interface can be usable, a VPN connection must be established. If the Shorewall box is the server, that means that your stopped rules must allow the incoming connection to be established.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
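An added example (not from Tom's reply or from the Shorewall project) laying out the two stopped-state cases he describes: the rules the poster quoted, which are sufficient under ADMINISABSENTMINDED=Yes, next to the stateless set required under ADMINISABSENTMINDED=No, with the extra rules an incoming VPN connection needs while the firewall is stopped. EXT_IF and VPN_IF come from the thread; that the VPN server is OpenVPN listening on UDP 1194 is an assumption.

```conf
# /etc/shorewall/stoppedrules (added example, not from the thread)
# Columns: ACTION   SOURCE   DEST     PROTO  DPORT  SPORT

# Case 1: shorewall.conf has ADMINISABSENTMINDED=Yes.
# Stopped state tracks connections: a rule for the inbound request
# is enough, replies and all firewall-originated traffic are allowed.
# Incoming echo-request on the external and VPN interfaces:
ACCEPT    EXT_IF   $FW      icmp   8
ACCEPT    VPN_IF   $FW      icmp   8
# Let a VPN client reach the server so the tunnel can come up
# (assumed: OpenVPN on UDP 1194):
ACCEPT    EXT_IF   $FW      udp    1194

# Case 2: shorewall.conf has ADMINISABSENTMINDED=No.
# Stopped state is stateless: each request rule needs a matching
# rule for the response in the opposite direction, otherwise the
# reply is dropped and the VPN tunnel is never established.
# echo-request in, echo-reply out:
#ACCEPT   EXT_IF   $FW      icmp   8
#ACCEPT   $FW      EXT_IF   icmp   0
#ACCEPT   VPN_IF   $FW      icmp   8
#ACCEPT   $FW      VPN_IF   icmp   0
# VPN client -> server on the assumed port, then server replies
# back out from that source port to the client's ephemeral port:
#ACCEPT   EXT_IF   $FW      udp    1194
#ACCEPT   $FW      EXT_IF   udp    -      1194
```

Only one case should be uncommented at a time, matching the ADMINISABSENTMINDED setting actually in shorewall.conf.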
