Paul Gear wrote:
> Tom Eastep wrote:
>> ...
>> Also, 'late replies' entries are not required with TCP.
>>
>
> Maybe I should take this one on to the users list, but I've found them
> to be required in a lot of times that they shouldn't be, with both TCP
> and UDP. Connection tracking seems to just lose reference to the
> connection on occasion. I've never had the opportunity to track it down
> in more detail than that - if anyone can point me in the right
> direction, I'd be really glad to get rid of those rules.
My belief is that these have been largely due to bugs in Netfilter where
valid packets are incorrectly assigned the INVALID state rather than the
ESTABLISHED state. As Netfilter has gotten better, this problem has gotten
a lot less burdensome. I currently only have one of these rules for TCP
and it is for active mode FTP. And that one is to handle PASV commands
that are split between packets rather than netfilter problems.

-Tom
-- 
Tom Eastep              \ When I die, I want to go like my Grandfather who
Shoreline,               \ died peacefully in his sleep. Not screaming like
Washington, USA          \ all of the passengers in his car
http://shorewall.net      \________________________________________________
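Before keeping a blanket 'late replies' ACCEPT rule, it is worth seeing what conntrack is actually tagging INVALID. As an added example (not Shorewall or Netfilter code, and not from either poster), the script below parses kernel LOG lines for INVALID-state packets and sorts them into plausible late replies (reply direction, ACK/FIN/RST or a UDP answer from a service port) versus new-connection attempts that a late-reply rule must never let through. The log lines are constructed for the example, the logging rule in the docstring is an assumed `-m conntrack --ctstate INVALID -j LOG` rule, and the port-based heuristic is my own, not a Netfilter rule.

```python
"""Triage netfilter LOG lines for packets that conntrack marked INVALID.

Assumes a logging rule such as (not part of the original thread):
    iptables -A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "INVALID:"
"""
import re
from collections import Counter

# Constructed sample log lines (not real traffic) in the iptables LOG format.
SAMPLE_LOG = """\
kernel: INVALID:IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=80 DPT=51234 WINDOW=0 RES=0x00 ACK FIN URGP=0
kernel: INVALID:IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=80 DPT=51234 WINDOW=0 RES=0x00 ACK URGP=0
kernel: INVALID:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 LEN=72 TOS=0x00 PREC=0x00 TTL=57 ID=4242 PROTO=UDP SPT=53 DPT=40001 LEN=52
kernel: INVALID:IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=TCP SPT=443 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
KV_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG line as a dict, plus the bare
    TCP flag tokens under 'FLAGS'. Returns None for non-LOG lines."""
    if "PROTO=" not in line or "SRC=" not in line:
        return None
    fields = dict(KV_RE.findall(line))  # a repeated key (UDP's second LEN=) keeps the last value
    fields["FLAGS"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields


def classify(rec):
    """Heuristic (my own, not Netfilter's): does this INVALID packet look like a
    late reply to a flow conntrack has forgotten, or like something else?"""
    proto = rec.get("PROTO")
    spt, dpt = int(rec.get("SPT", 0)), int(rec.get("DPT", 0))
    flags = rec["FLAGS"]
    # Reply direction: from a well-known service port to an ephemeral client port.
    from_service = spt < 1024 and dpt >= 1024
    if proto == "TCP":
        if "SYN" in flags and "ACK" not in flags:
            return "new-connection"  # a bare SYN is never a reply; never whitelist it
        if from_service and flags & {"ACK", "FIN", "RST"}:
            return "late-reply"
        return "other"
    if proto == "UDP" and from_service:
        return "late-reply"  # e.g. a DNS answer after the UDP entry timed out
    return "other"


def triage(log_text):
    """Count INVALID packets by (classification, protocol, source port)."""
    summary = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        summary[(classify(rec), rec["PROTO"], int(rec["SPT"]))] += 1
    return summary


if __name__ == "__main__":
    for (kind, proto, spt), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{kind:15s} {proto:4s} sport={spt:<5d} packets={n}")
```

The output tells you whether a narrow rule (reply packets from one service port only, no SYN) would cover what is being dropped, instead of accepting everything conntrack calls INVALID. Also check `/proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal` first: with it set to 1, conntrack only marks out-of-window RSTs as INVALID, which removes many of the TCP cases that used to need a late-replies rule.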
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
