On 22/07/2019 17:18, Tom Eastep wrote:
> DNAT always occurs before the blacklisting. Blacklisting takes place in
> the nat table while blacklisting occurs in the filter table. Since the
> nat table is traversed prior to the filter table (see
> http://www.shorewall.org/NetfilterOverview.html), NAT necessarily occurs
> first.
I always wondered why blacklisting isn't done in the "mangle" table.
As the "mangle" table is the very first table to see the incoming
packets, it seems to be the best place to kill any unwanted traffic, right?
https://erlerobotics.gitbooks.io/erle-robotics-introduction-to-linux-networking/content/security/img9/iptables.gif
Back in the day when I was handcrafting my very own firewall script, I
always used the "mangle" table to blacklist any foe and I never faced
any special issue.
Is there something I don't see that Shorewall does that makes it require
the use of the "filter" table for the blacklist functionality?
--
ObNox
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
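The ordering the two messages above argue about can be made concrete with a small model of the IPv4 netfilter traversal path. The following is an added example and not Shorewall's code or anything from the thread: it walks a packet through raw, mangle and nat PREROUTING, takes the routing decision on the (possibly DNATed) destination, then runs mangle and filter in INPUT or FORWARD. The addresses, the DNAT rule and the "attacker" packet are constructed for the demonstration; conntrack state, default chain policies (assumed ACCEPT here) and the POSTROUTING hooks are deliberately left out.

```python
"""Model of the IPv4 netfilter table traversal order for an incoming packet.

Added example, not Shorewall code.  Hook order follows the usual netfilter
flow: raw -> mangle -> nat in PREROUTING, the routing decision, then
mangle -> filter in INPUT or FORWARD.  Default policy is assumed ACCEPT.
"""
from dataclasses import dataclass, replace
from typing import Optional

LOCAL_ADDRESSES = {"203.0.113.1"}  # constructed: the firewall's own public IP

# Traversal order of (table, chain) pairs for a packet arriving from outside.
PREROUTING_ORDER = [("raw", "PREROUTING"), ("mangle", "PREROUTING"), ("nat", "PREROUTING")]
INPUT_ORDER = [("mangle", "INPUT"), ("filter", "INPUT")]
FORWARD_ORDER = [("mangle", "FORWARD"), ("filter", "FORWARD")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    table: str
    chain: str
    target: str                 # "DROP", "ACCEPT" or "DNAT"
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    to: Optional[str] = None    # DNAT destination as "ip:port"

    def matches(self, p: Packet) -> bool:
        return ((self.src is None or self.src == p.src)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))


def _walk(chain_order, rules, pkt, trace):
    """Run the rules of each (table, chain) in order; return (verdict, pkt)."""
    for table, chain in chain_order:
        for rule in rules:
            if (rule.table, rule.chain) != (table, chain) or not rule.matches(pkt):
                continue
            trace.append(f"{table}/{chain}: {rule.target}")
            if rule.target == "DROP":
                return "DROP", pkt          # packet dies here; later tables never see it
            if rule.target == "ACCEPT":
                break                       # ACCEPT ends this chain only; next table still runs
            if rule.target == "DNAT":
                ip, port = rule.to.split(":")
                pkt = replace(pkt, dst=ip, dport=int(port))
                break                       # nat chain is consulted once per connection
    return None, pkt


def traverse(rules, pkt):
    """Return (verdict, final_packet, trace) for an inbound packet."""
    trace = []
    verdict, pkt = _walk(PREROUTING_ORDER, rules, pkt, trace)
    if verdict:
        return verdict, pkt, trace
    # The routing decision comes AFTER nat/PREROUTING, so it sees the DNATed address.
    after = INPUT_ORDER if pkt.dst in LOCAL_ADDRESSES else FORWARD_ORDER
    trace.append("route: INPUT" if after is INPUT_ORDER else "route: FORWARD")
    verdict, pkt = _walk(after, rules, pkt, trace)
    return verdict or "ACCEPT", pkt, trace


# Constructed scenario: port 80 on the public IP is forwarded to an internal host.
DNAT_RULE = Rule("nat", "PREROUTING", "DNAT", dst="203.0.113.1", dport=80, to="10.0.0.5:8080")
ATTACKER = Packet(src="198.51.100.7", dst="203.0.113.1", dport=80)  # constructed blacklisted source


def blacklist_in(table, chain):
    """A source-address blacklist entry placed in the given table/chain, plus the DNAT rule."""
    return [Rule(table, chain, "DROP", src="198.51.100.7"), DNAT_RULE]


if __name__ == "__main__":
    for table, chain in [("mangle", "PREROUTING"), ("filter", "FORWARD")]:
        verdict, final, trace = traverse(blacklist_in(table, chain), ATTACKER)
        print(f"blacklist in {table}/{chain}: {verdict}, packet seen as {final}, path {trace}")
    # A destination-based rule written against the pre-NAT address in filter never fires.
    print(traverse([Rule("filter", "FORWARD", "DROP", dst="203.0.113.1"), DNAT_RULE], ATTACKER))
```

Running it shows both placements drop the blacklisted source, but they see different packets: the mangle entry drops before nat runs, so the packet is still addressed to 203.0.113.1:80 and no NAT mapping is ever applied, whereas the filter entry runs after DNAT and sees 10.0.0.5:8080. The practical consequence of Tom's point is the last line: a filter-table rule that matches on the original (pre-DNAT) destination does not match at all, because by the time filter is consulted the destination has already been rewritten.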