On 01/22/2013 11:16 AM, Tom Eastep wrote:
> On 01/22/2013 10:36 AM, Tom Eastep wrote:
>> On 01/22/2013 08:13 AM, Tom Eastep wrote:
>>> On 01/22/2013 05:04 AM, Mr Dash Four wrote:

>>>> -A fw2net -m conntrack --ctstate NEW,INVALID -m set --match-set 
>>>> whitelist dst -j RETURN
>>>> -A fw2net -m conntrack --ctstate ESTABLISHED -j ACCEPT
>>>> -A fw2net -m conntrack --ctstate RELATED -j +fw2net
>>>> -A fw2net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
>>>> -A fw2net -m conntrack --ctstate INVALID -j DROP

>>>> 2nd-to-last rule: where did that come from? I have similar rules 
>>>> generated for all of my other chains (net2fw, local2fw, fw2local ...).
>>>
>>> Yes -- with RELATED_DISPOSITION=ACCEPT, simply accepting packets in
>>> ESTABLISHED state would be enough. That is a left-over from before I
>>> implemented RELATED_DISPOSITION.  I'll clean that up in this release.
>>
>> I just took another look at this and I'm not clear where that is coming
>> from in your case. From my own ruleset:
>>
>> -A net-fw -m conntrack --ctstate NEW,INVALID -j net-fw~
>> -A net-fw -i eth0 -j eth0_iop
>> -A net-fw -i eth1 -j eth1_iop
>> -A net-fw -m conntrack --ctstate ESTABLISHED -j ACCEPT
>> -A net-fw -m conntrack --ctstate RELATED -j +net-fw
>> -A net-fw -p tcp --syn -j @net-all
>> -A net-fw -p udp --dport 1194 -j ACCEPT
>> ...
> 
> I've reproduced the problem and will include a fix in the next Beta.

Patch attached.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 41da158..12c8858 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -865,7 +865,7 @@ sub finish_chain_section ($$$) {
     my $save_comment        = push_comment;
     my $relatedchain        = $chainref->{name} =~ /^\+/;
 
-    if ( $state =~ /RELATED/ && ( $related_level || $related_target ne 'ACCEPT' ) ) {
+    if ( $state =~ /RELATED/ && ( $relatedchain || $related_level || $related_target ne 'ACCEPT' ) ) {
 
 	if ( $related_level ) {
 	    my $relatedref;
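Review bot: the added `$relatedchain ||` term needs a comment stating why a chain whose name starts with `+` must take this branch even when RELATED_DISPOSITION is ACCEPT and no log level is set; the rest of the branch is outside the hunk, so the reason is not recoverable from what is shown, and a reader of `if ( $state =~ /RELATED/ && ( $relatedchain || $related_level || $related_target ne 'ACCEPT' ) )` cannot tell which of the three conditions the `+` chain is standing in for. Deriving the flag from the chain name (`$chainref->{name} =~ /^\+/`) is also fragile; if `$chainref` carries an attribute that marks related chains, testing that instead would survive a rename of the naming convention.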
@@ -879,7 +879,7 @@ sub finish_chain_section ($$$) {
 	    log_rule( $related_level,
 		      $relatedref,
 		      $config{RELATED_DISPOSITION},
-		      '' );
+		      '' ) if $relatedlevel;
 
 	    $related_target = ensure_audit_chain( $related_target ) if ( $targets{$related_target} || 0 ) & AUDIT;
 
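Review bot: the new statement modifier `'' ) if $relatedlevel;` tests a variable spelled differently from the `$related_level` used as the first argument of the same `log_rule` call and in the enclosing `if ( $related_level ) {` of the previous hunk. Under `use strict` an undeclared `$relatedlevel` will not compile; if it is declared elsewhere it is a different variable and the modifier would silently suppress the log rule. Since the call already sits inside `if ( $related_level )`, the modifier is redundant if `$related_level` was meant, so either drop it or fix the spelling.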

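The spurious rule in the quoted fw2net chain is dead because every conntrack state it names has already been decided by the two unconditional rules before it. The following Python checker is an added example, not Shorewall code and not part of this thread: it reads iptables-save style lines and reports ctstate rules that earlier unconditional rules already decided. The fw2net and net-fw lines are the ones quoted above; the `+fw2net` and `+net-fw` chain bodies are constructed here and only assume that RELATED_DISPOSITION=ACCEPT ends the `+` chain in an unconditional ACCEPT. Whether a jump to a user chain can RETURN decides whether a later rule is fully dead or only partly shadowed, so the checker treats unknown chains and chains containing RETURN conservatively.

```python
"""Report conntrack-state rules that earlier rules in the chain already decided.

Added example, not Shorewall's own code. The '+fw2net' and '+net-fw' bodies
below are constructed and ASSUME RELATED_DISPOSITION=ACCEPT produces an
unconditional ACCEPT at the end of the '+' chain.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
ALL_STATES = {"NEW", "ESTABLISHED", "RELATED", "INVALID", "UNTRACKED"}

# Constructed input: the fw2net and net-fw chains quoted in the thread plus
# assumed bodies for the two '+' chains they jump to.
DUMP = """
-A fw2net -m conntrack --ctstate NEW,INVALID -m set --match-set whitelist dst -j RETURN
-A fw2net -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A fw2net -m conntrack --ctstate RELATED -j +fw2net
-A fw2net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A fw2net -m conntrack --ctstate INVALID -j DROP
-A +fw2net -j ACCEPT
-A net-fw -m conntrack --ctstate NEW,INVALID -j net-fw~
-A net-fw -i eth0 -j eth0_iop
-A net-fw -i eth1 -j eth1_iop
-A net-fw -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A net-fw -m conntrack --ctstate RELATED -j +net-fw
-A net-fw -p tcp --syn -j @net-all
-A net-fw -p udp --dport 1194 -j ACCEPT
-A +net-fw -j ACCEPT
"""


@dataclass
class Rule:
    chain: str
    states: Optional[Set[str]]  # None: no --ctstate match, so any state
    target: str
    conditional: bool           # has matches other than --ctstate
    raw: str


def parse_rule(line: str) -> Rule:
    """Parse one '-A chain ... -j target' line; any other match makes it conditional."""
    toks = line.split()
    chain, states, target, extra = toks[1], None, "", []
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "-m" and i + 1 < len(toks) and toks[i + 1] == "conntrack":
            i += 2
        elif t == "--ctstate":
            states = set(toks[i + 1].split(","))
            i += 2
        elif t == "-j":
            target = toks[i + 1]
            i += 2
        else:
            extra.append(t)
            i += 1
    return Rule(chain, states, target, bool(extra), line)


def parse_dump(dump: str) -> Dict[str, List[Rule]]:
    """Group '-A' lines by chain, preserving rule order."""
    chains: Dict[str, List[Rule]] = {}
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("-A "):
            r = parse_rule(line)
            chains.setdefault(r.chain, []).append(r)
    return chains


def always_terminates(chains: Dict[str, List[Rule]], target: str) -> bool:
    """True if a jump to `target` can never come back to the calling chain.

    Built-in terminal targets qualify. A user chain qualifies only when it is
    in the dump, contains no RETURN and ends with an unconditional terminal
    rule; unknown chains and nested jumps are treated as 'may return'.
    """
    if target in TERMINAL:
        return True
    body = chains.get(target)
    if not body or any(r.target == "RETURN" for r in body):
        return False
    last = body[-1]
    return last.target in TERMINAL and not last.conditional and last.states is None


def shadowed(chains: Dict[str, List[Rule]], chain: str) -> List[dict]:
    """List ctstate rules whose states were wholly ('dead') or partly decided earlier."""
    decided: Set[str] = set()
    findings = []
    for r in chains[chain]:
        if r.states is not None:
            if r.states <= decided:
                findings.append({"rule": r.raw, "dead": True, "states": sorted(r.states)})
            elif r.states & decided:
                findings.append({"rule": r.raw, "dead": False,
                                 "states": sorted(r.states & decided)})
        # Only an unconditional rule that never returns removes states from play.
        if not r.conditional and always_terminates(chains, r.target):
            decided |= r.states if r.states is not None else ALL_STATES
    return findings


if __name__ == "__main__":
    parsed = parse_dump(DUMP)
    for name in ("fw2net", "net-fw"):
        for f in shadowed(parsed, name):
            kind = "dead" if f["dead"] else "partly shadowed"
            print(f"{name}: {kind} ({', '.join(f['states'])}): {f['rule']}")
```

Run against the constructed dump, the checker flags only the `ESTABLISHED,RELATED -j ACCEPT` rule in fw2net as dead and reports nothing for net-fw, which matches the rulesets quoted in the thread. If the `+fw2net` body is changed to something that can RETURN, the same rule is reported as partly shadowed (only the ESTABLISHED half is dead), which is the distinction a reviewer of generated rulesets needs before deleting a rule.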

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel