On Thu, Nov 01, 2018 at 02:07:44PM +0100, Kevin Olbrich wrote:
> Hi!
>
> I have these rules in my shorewall-rules:
>
> > # Allow ping to the callserver
> > Ping(ACCEPT) all fw
> > # Allow SSH to the callserver
> > ACCEPT all fw tcp 1337
> > # Allow SIP traffic to the callserver from the internet
> > ACCEPT net fw udp 5060
> > ACCEPT net fw tcp 5060
> > ACCEPT net fw tcp 5061
>
>
> I never used SECTIONS on any shorewall setups and started to read related
> docs.
> Should I use any SECTIONS? I tried setting the above under ALL which
> allowed the access but my "net -> fw DROP" policy had precedence over
> conntracking (for example ICMP or HTTP) on answer packets.
Follow this advice:
If you are not familiar with Netfilter to the point where you are
comfortable with the differences between the various connection tracking
states, then it is suggested that you omit the
ESTABLISHED and RELATED sections and place all of your
non-blacklisting rules in the NEW section (That's after the line that reads
'SECTION NEW').
Warning
If you specify FASTACCEPT=Yes in shorewall.conf(5) then the ALL,
ESTABLISHED and RELATED sections must be empty.
I'm not sure what responses weren't allowed by the implicit "established ->
allow" rule.
Justin
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
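The two points in the reply, that rules belong under the NEW section unless you understand the conntrack states, and that with FASTACCEPT=Yes the ALL, ESTABLISHED and RELATED sections must be empty, can be checked mechanically before running `shorewall check`. The following linter is an added example and is not code from this thread or from Shorewall itself. It parses the rules-file layout (comments, blank lines, backslash continuations, `?SECTION` and the legacy `SECTION` spelling, other `?` directives skipped) and embeds two constructed sample files: the poster's rules placed under ALL, as he described, and the same rules placed under NEW, as the reply advises. Its treatment of a rule that appears before the first `?SECTION` line in a file that does use sections (reported as a problem) is this linter's own conservative policy, not a statement of Shorewall's behaviour; a file with no section directive at all is treated as all-NEW, which is the documented no-sections case.

```python
"""Section-layout lint for a Shorewall 'rules' file (added example, not Shorewall code)."""
from dataclasses import dataclass

# Section order required by shorewall-rules(5).
SECTION_ORDER = ["ALL", "ESTABLISHED", "RELATED", "INVALID", "UNTRACKED", "NEW"]
# Sections that must be empty when shorewall.conf has FASTACCEPT=Yes.
FASTACCEPT_MUST_BE_EMPTY = ("ALL", "ESTABLISHED", "RELATED")


@dataclass
class Rule:
    lineno: int
    section: str
    action: str
    source: str
    dest: str
    proto: str = "-"
    dport: str = "-"


def parse_rules(text):
    """Return (rules, problems) for the contents of a rules file.

    Linter assumption: with no section directive at all every rule is NEW;
    if sections are used, a rule before the first one is reported.
    """
    rules, problems, pending = [], [], ""
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()        # drop comments
        if line.endswith("\\"):                      # continuation line
            pending += line[:-1] + " "
            continue
        fields = (pending + line).split()
        pending = ""
        if not fields:
            continue
        if fields[0].upper() in ("?SECTION", "SECTION"):
            name = fields[1].upper() if len(fields) > 1 else ""
            if name not in SECTION_ORDER:
                problems.append(f"line {lineno}: unknown section {name!r}")
                continue
            if section is not None and SECTION_ORDER.index(name) <= SECTION_ORDER.index(section):
                problems.append(f"line {lineno}: section {name} out of order after {section}")
            section = name
            continue
        if fields[0].startswith("?"):                # ?FORMAT, ?COMMENT, ...
            continue
        if len(fields) < 3:
            problems.append(f"line {lineno}: rule needs at least ACTION SOURCE DEST")
            continue
        rules.append(Rule(lineno, section, *fields[:5]))
    used_sections = section is not None
    for r in rules:
        if r.section is None:
            if used_sections:
                problems.append(f"line {r.lineno}: rule precedes the first ?SECTION line")
            else:
                r.section = "NEW"
    return rules, problems


def count_by_section(rules):
    counts = {name: 0 for name in SECTION_ORDER}
    for r in rules:
        if r.section in counts:
            counts[r.section] += 1
    return counts


def misplaced(rules):
    """Rules outside NEW: the reply's advice is to keep non-blacklisting rules there."""
    return [r for r in rules if r.section != "NEW"]


def lint(text, fastaccept=False):
    """Hard problems with the layout; an empty list means it is acceptable."""
    rules, problems = parse_rules(text)
    counts = count_by_section(rules)
    if fastaccept:
        for name in FASTACCEPT_MUST_BE_EMPTY:
            if counts[name]:
                problems.append(f"FASTACCEPT=Yes but section {name} holds {counts[name]} rule(s)")
    return problems


# Constructed sample: the poster's rules placed under ALL, as he described.
RULES_UNDER_ALL = """\
?SECTION ALL
# Allow ping to the callserver
Ping(ACCEPT)  all   fw
# Allow SSH to the callserver
ACCEPT        all   fw   tcp   1337
# Allow SIP traffic to the callserver from the internet
ACCEPT        net   fw   udp   5060
ACCEPT        net   fw   tcp   5060
ACCEPT        net   fw   tcp   5061
?SECTION NEW
"""

# Constructed sample: the same rules under NEW, as the reply advises.
RULES_UNDER_NEW = """\
?SECTION NEW
# Allow ping to the callserver
Ping(ACCEPT)  all   fw
# Allow SSH to the callserver
ACCEPT        all   fw   tcp   1337
# Allow SIP traffic to the callserver from the internet
ACCEPT        net   fw   udp   5060
ACCEPT        net   fw   tcp   5060
ACCEPT        net   fw   tcp \\
                         5061
"""

if __name__ == "__main__":
    for label, text in (("under ALL", RULES_UNDER_ALL), ("under NEW", RULES_UNDER_NEW)):
        rules, _ = parse_rules(text)
        print(label, count_by_section(rules), "misplaced:", len(misplaced(rules)))
        print("  FASTACCEPT=Yes ->", lint(text, fastaccept=True) or "ok")
```

Run against the first sample, the linter reports nothing until FASTACCEPT=Yes is assumed, at which point it flags the five rules sitting in ALL; the second sample is clean in both modes, which is the layout the reply recommends.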