On 02/19/2018 01:57 PM, Vieri Di Paola via Shorewall-users wrote:
> Hi,
>
> Here's a snippet of my rules file:
>
> DNAT net1 loc:10.215.145.120:443 tcp 30443
> DNAT net1 loc:10.215.144.95:80 tcp 30080
> # ACCEPT net1 $FW tcp 30443,30080
>
> ADD(POL_BL:src):info:polbl,add2polbl net1,net2,net3,net4:!+POL_BL,+GLOBAL_WL all
>
> I'd like ADD() to be "executed", but only if traffic has not been ACCEPT'ed
> or DNAT'ed.
>
> The above lines "run" ADD() even when there's a match for the DNAT rules. If
> I uncomment the 3rd line then ADD() is not reached, as expected. However, I'd
> rather not use the 3rd line.
>
> How can I configure the rules file so that ADD() is not reached when a DNAT
> entry like the ones above is matched?
It's already configured that way. The Shorewall DNAT target generates both a DNAT rule in the nat table and an ACCEPT rule in the filter table. So any traffic that matches the DNAT rule will not fall through to the ADD command.

-Tom
--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \    understand
                          \_______________________________________________
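As an added illustration of the ordering Tom describes (a constructed model, not Shorewall's own code or compiled output): the DNAT entries from the thread are applied first in the nat table, then the filter rules are walked with first-match semantics, so the ACCEPT that each DNAT entry emits stops a matching packet before the ADD rule runs. Zone matching is left out and the ipsets are plain Python sets; those simplifications are assumptions of the model.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

# DNAT entries from the rules file: (original dport, new dst, new dport)
DNAT_RULES = [
    (30443, "10.215.145.120", 443),
    (30080, "10.215.144.95", 80),
]

@dataclass
class State:
    pol_bl: set = field(default_factory=set)      # stands in for ipset POL_BL
    global_wl: set = field(default_factory=set)   # stands in for ipset GLOBAL_WL

def nat_prerouting(pkt: Packet) -> Packet:
    """nat table: rewrite destination for a matching DNAT entry."""
    for dport, new_dst, new_dport in DNAT_RULES:
        if pkt.proto == "tcp" and pkt.dport == dport:
            return Packet(pkt.src, new_dst, new_dport, pkt.proto)
    return pkt

def filter_chain(pkt: Packet, state: State) -> str:
    """filter table, first match wins (ordering as in the thread's rules file)."""
    # 1. ACCEPT generated by each DNAT entry, matching the rewritten dst/port.
    for _, new_dst, new_dport in DNAT_RULES:
        if pkt.proto == "tcp" and pkt.dst == new_dst and pkt.dport == new_dport:
            return "ACCEPT"
    # 2. ADD(POL_BL:src) with SOURCE ...:!+POL_BL,+GLOBAL_WL: record the source,
    #    unless it is already in POL_BL or is whitelisted in GLOBAL_WL.
    if pkt.src not in state.pol_bl and pkt.src not in state.global_wl:
        state.pol_bl.add(pkt.src)
        return "ADD"
    # 3. Nothing matched: the zone policy decides (not modelled here).
    return "POLICY"

def process(pkt: Packet, state: State) -> tuple:
    """Return (verdict, final dst, final dport) for one packet."""
    pkt = nat_prerouting(pkt)
    return filter_chain(pkt, state), pkt.dst, pkt.dport
```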