> I don't think it is necessary to add those in the FORWARD. There is the
> "accept any any RELATED, ESTABLISHED" line in there, we should be OK
> with it... Even for UDP. I think iptables is able to keep track of the
> UDP src/dst ip/port and recognize a response.
It's necessary on my box. I'll show you the next time you're on. I bet that you're looking at a line included by %%filter_forward_inline%%. That's only present with inline enforcement, not VLAN.

As shipped by Red Hat, the default is:

    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :RH-Firewall-1-INPUT - [0:0]
    -A INPUT -j RH-Firewall-1-INPUT
    -A FORWARD -j RH-Firewall-1-INPUT

...so FORWARD uses the same rules as INPUT. But on my RHEL6 box running PF 3.2, conf/iptables.conf does:

    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    %%filter_forward_inline%%

FORWARD doesn't incorporate INPUT. As it shouldn't, because you probably don't want the captive portal port to be forwardable off-host.

_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
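The two points argued above (whether FORWARD actually gets an ESTABLISHED/RELATED accept, and whether INPUT-only services such as the captive portal become forwardable when FORWARD shares INPUT's chain) can be checked against an `iptables-save` dump rather than by reading the config by hand. The following POSIX shell checker is an added example, not code from the thread or from PacketFence. The three dumps it inspects are constructed inline, modeled on the Red Hat default and the inline-enforcement snippets quoted above; the captive portal port (443) is an assumption for illustration, and the checker only follows one level of `-j` jumps out of FORWARD.

```shell
#!/bin/sh
# Added example (not PacketFence code). Inspect iptables-save output to see
# what the FORWARD chain really accepts, including rules reached through a
# single "-A FORWARD -j <chain>" jump such as the Red Hat RH-Firewall-1-INPUT
# pattern. Deeper jump chains are not followed (assumption for brevity).

# forward_accepts_established FILE
# exit 0 if FORWARD, or a chain FORWARD jumps to, ACCEPTs ESTABLISHED/RELATED.
forward_accepts_established() {
    awk '
        NR == FNR { if ($1 == "-A" && $2 == "FORWARD" && $3 == "-j") reach[$4] = 1; next }
        $1 == "-A" && ($2 == "FORWARD" || ($2 in reach)) &&
            /--(state|ctstate) (ESTABLISHED,RELATED|RELATED,ESTABLISHED)/ &&
            /-j ACCEPT( |$)/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1" "$1"
}

# forward_accepts_dport FILE PORT
# exit 0 if FORWARD, or a chain FORWARD jumps to, ACCEPTs new traffic to PORT.
# Used here to ask "is the captive portal port forwardable off-host?".
forward_accepts_dport() {
    awk -v port="$2" '
        NR == FNR { if ($1 == "-A" && $2 == "FORWARD" && $3 == "-j") reach[$4] = 1; next }
        $1 == "-A" && ($2 == "FORWARD" || ($2 in reach)) &&
            $0 ~ ("--dport " port "( |$)") && /-j ACCEPT( |$)/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1" "$1"
}

WORK=$(mktemp -d)
RH_DUMP="$WORK/rh-default.save"
INLINE_DUMP="$WORK/pf-inline.save"
FIXED_DUMP="$WORK/pf-inline-fixed.save"

# Constructed sample 1: Red Hat default, FORWARD shares INPUT's chain.
cat > "$RH_DUMP" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

# Constructed sample 2: DROP policies, state rule only in INPUT. Replies to
# forwarded traffic (TCP and conntrack-tracked UDP alike) hit the DROP policy.
cat > "$INLINE_DUMP" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p udp -m udp --dport 53 -j ACCEPT
COMMIT
EOF

# Constructed sample 3: same as 2 plus an explicit state rule in FORWARD.
# Return traffic now passes, but 443 is still not forwardable off-host.
cat > "$FIXED_DUMP" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p udp -m udp --dport 53 -j ACCEPT
COMMIT
EOF

# Stand-alone report; the checks return status codes so they can be scripted.
for f in "$RH_DUMP" "$INLINE_DUMP" "$FIXED_DUMP"; do
    if forward_accepts_established "$f"; then est=yes; else est=NO; fi
    if forward_accepts_dport "$f" 443; then p443=YES; else p443=no; fi
    echo "$(basename "$f"): FORWARD accepts ESTABLISHED/RELATED=$est, forwards tcp/443=$p443"
done
```

Run it against a live box with `iptables-save > dump; forward_accepts_established dump || echo "FORWARD has no state rule"`. The second sample is the situation described in the reply: conntrack does track UDP, but the tracked reply is still dropped if no rule in FORWARD (or a chain it jumps to) accepts ESTABLISHED/RELATED. The first sample shows the other side of the trade-off: borrowing INPUT's chain fixes return traffic but also lets hosts forward to the port the captive portal listens on.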
