> 2) A 'New' standard action has been added that matches packets in the
> NEW connection tracking state.

Since you don't use an explicit chain for the NEW state, when I have:

rules
~~~~~
SECTION NEW
New(...) ... ...

the above produces an extra "--ctstate NEW" match which isn't necessary and should be removed, as is the case with the rest of the statements in that section. The same is valid if I use something like "New(IELOG(...))": all "--ctstate NEW" matches, including the ones in the inline action, should be removed. Also, I can't see using New(...) anywhere else making much sense, with the exception of maybe blrules, and only in the case where BLACKLIST=NEW,...

Two more issues:

1.

rules
~~~~~
SECTION NEW
New(dropInvalid) $FW net

produces:

-A fw2net -m conntrack --ctstate NEW -m conntrack --ctstate INVALID -j DROP

2.

shorewall.conf
~~~~~~~~~~~~~~
BLACKLIST="NEW,UNTRACKED"

blrules
~~~~~~~
New(dropInvalid) $FW net
dropInvalid $FW net

produces:

-A fw2net~ -m conntrack --ctstate NEW -m conntrack --ctstate INVALID -j DROP
-A fw2net~ -m conntrack --ctstate INVALID -j DROP

Obviously, the "INVALID" rules should have been dropped.

Lastly, one general observation: currently, rules where ctstate matching doesn't make sense are silently dropped by Shorewall. I don't think that is correct; there should be at least a warning that the rule in question has been dropped, otherwise I would think that it has been accepted, or that there is nothing wrong with the said rule and there is a "bug" in Shorewall.

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
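The generated rules quoted in the post show two distinct defects that a reviewer of compiled iptables output can check for mechanically: a rule carrying two `--ctstate` matches whose state lists are disjoint (NEW and INVALID), which can never match any packet, and a rule whose additional `--ctstate` matches only repeat or narrow an earlier one. The following Python lint is an added example, not code from the post or from Shorewall itself; it reads iptables-save style rule lines and reports both conditions. It relies on the five conntrack states being mutually exclusive per packet and deliberately ignores the SNAT/DNAT status flags, which can accompany a state. The sample input is the two rules quoted above plus two constructed rules (the chain and action names in those are made up).

```python
import re
from typing import Dict, List, Set

# The five conntrack states are mutually exclusive: a packet is in exactly one
# of them, so two --ctstate matches on the same rule only pass packets whose
# state appears in both lists.  SNAT/DNAT are status flags that can accompany a
# state, so they are stripped before comparing.
EXCLUSIVE_STATES = {"NEW", "ESTABLISHED", "RELATED", "INVALID", "UNTRACKED"}

CTSTATE_RE = re.compile(r"--ctstate\s+([A-Za-z,]+)")


def ctstate_sets(rule: str) -> List[Set[str]]:
    """Return the state set of each --ctstate match in the rule, in order."""
    sets = []
    for m in CTSTATE_RE.finditer(rule):
        states = {s.upper() for s in m.group(1).split(",") if s}
        sets.append(states & EXCLUSIVE_STATES)
    return sets


def lint_rule(rule: str) -> Dict[str, object]:
    """Classify one rule as 'ok', 'redundant' or 'never-matches'.

    'effective' is the comma-joined intersection of all --ctstate lists, i.e.
    the states the rule can actually match; it is None when the rule has no
    --ctstate match at all.
    """
    sets = ctstate_sets(rule)
    verdict: Dict[str, object] = {
        "rule": rule,
        "ctstate_matches": len(sets),
        "effective": None,
        "status": "ok",
    }
    if not sets:
        return verdict
    effective = set(sets[0])
    for later in sets[1:]:
        effective &= later
    verdict["effective"] = ",".join(sorted(effective))
    if not effective:
        # Disjoint lists (e.g. NEW then INVALID): no packet can satisfy both.
        verdict["status"] = "never-matches"
    elif len(sets) > 1:
        # Several matches collapse to one list: the extras add nothing.
        verdict["status"] = "redundant"
    return verdict


def lint_rules(rules: List[str]) -> List[Dict[str, object]]:
    """Lint every non-empty, non-comment rule line."""
    return [lint_rule(r) for r in rules if r.strip() and not r.startswith("#")]


# Constructed sample: the two generated rules quoted in the post, followed by
# two made-up rules showing a duplicated match and a match that only narrows a
# wider one.
SAMPLE_RULES = [
    "-A fw2net -m conntrack --ctstate NEW -m conntrack --ctstate INVALID -j DROP",
    "-A fw2net~ -m conntrack --ctstate INVALID -j DROP",
    "-A fw2net -m conntrack --ctstate NEW -m conntrack --ctstate NEW -j ACCEPT",
    "-A fw2net -m conntrack --ctstate NEW,UNTRACKED -m conntrack --ctstate NEW -j DROP",
]

if __name__ == "__main__":
    for v in lint_rules(SAMPLE_RULES):
        print(f"{v['status']:14} effective={str(v['effective']):14} {v['rule']}")
```

Run against the sample, the first rule is reported as never matching and the last two as redundant, while the plain `--ctstate INVALID` rule passes. Feeding it the output of `iptables-save` (or Shorewall's compiled script) gives a quick way to spot rules that a compiler silently emitted in a contradictory form, which is exactly the kind of thing the post argues should at least produce a warning.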
