Andrew Suffield wrote:
> I do vaguely recall needing an ACCEPT! once, but I think even that was a quick hack to fix some poorly designed rules.
ACCEPT! has richer semantics than REJECT!. It also suppresses subsequent DNAT/REDIRECT (and I see that I need to update the man page to reflect that).
REJECT! is used to exempt a wildcard rule from being optimized away by OPTIMIZE=1. Example:

net->dmz policy of "REJECT info"

Rules:

REJECT:info   all            all   udp   1024
ACCEPT        net:1.2.3.4    fw

In that case, net->fw UDP 1024 would still be allowed from 1.2.3.4 because the REJECT rule duplicates the policy of net->fw and so would not be included in the net2fw chain. Changing the REJECT:info to REJECT!:info does what the rules intend.
This has always been a rather ugly wart. The intent of course is to avoid generating rules that duplicate the policy. But sometimes, that isn't appropriate.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ [EMAIL PROTECTED]
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
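The interaction Tom describes (a wildcard rule silently dropped from the net2fw chain because it duplicates the zone pair's policy, and the "!" suffix exempting it) is easy to misjudge by reading the rules file alone. The following is an added example, not Shorewall's own code: a small Python model of first-match rule evaluation with a last-resort policy, with the OPTIMIZE=1 elision and the "!" exemption modelled as stated in the message. The zone names, policy, rules and address 1.2.3.4 are taken from the post; the evaluation order, the elision test (verb equal to the policy verb, log level ignored) and the second host 5.6.7.8 are assumptions made for the illustration.

```python
# Added example (not Shorewall code): a toy model of policy vs. rules with
# OPTIMIZE=1, following the description in the post. Assumptions: rules are
# evaluated first-match-wins and the zone pair's policy applies when nothing
# matches; OPTIMIZE=1 drops a rule whose verb equals the policy verb unless
# the verb carries "!" (REJECT!/ACCEPT!).

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str          # "ACCEPT", "REJECT:info", "REJECT!:info", ...
    src: str             # zone, "zone:host", or "all"
    dst: str             # zone or "all"
    proto: str = "-"     # "udp", "tcp" or "-" for any
    dport: str = "-"     # port number or "-" for any

    @property
    def verb(self) -> str:
        """Action verb with the log level and any '!' suffix stripped."""
        return self.action.split(":", 1)[0].rstrip("!")

    @property
    def forced(self) -> bool:
        """True for ACCEPT!/REJECT!: the rule must not be optimized away."""
        return self.action.split(":", 1)[0].endswith("!")

    @property
    def src_zone(self) -> str:
        return self.src.split(":", 1)[0]

    @property
    def src_host(self) -> Optional[str]:
        return self.src.split(":", 1)[1] if ":" in self.src else None


def policy_verb(policy: str) -> str:
    """'REJECT info' -> 'REJECT' (the log level is not part of the verb)."""
    return policy.split()[0]


def build_chain(src_zone, dst_zone, rules, policies, optimize):
    """Rules that end up in the <src>2<dst> chain.

    A rule is included when its zones cover the pair ("all" is a wildcard).
    With optimize=True a rule whose verb equals the pair's policy verb is
    left out, unless it is forced with "!" (this is the post's wart).
    """
    pverb = policy_verb(policies[(src_zone, dst_zone)])
    chain = []
    for r in rules:
        if r.src_zone not in ("all", src_zone) or r.dst not in ("all", dst_zone):
            continue
        if optimize and not r.forced and r.verb == pverb:
            continue
        chain.append(r)
    return chain


def decide(src_zone, src_ip, dst_zone, proto, dport, rules, policies, optimize):
    """First matching rule in the pair's chain wins; otherwise the policy."""
    for r in build_chain(src_zone, dst_zone, rules, policies, optimize):
        if r.src_host is not None and r.src_host != src_ip:
            continue
        if r.proto != "-" and r.proto != proto:
            continue
        if r.dport != "-" and r.dport != str(dport):
            continue
        return r.verb
    return policy_verb(policies[(src_zone, dst_zone)])


# Policy from the post (net->fw "REJECT info"); net->dmz constructed alike.
POLICIES = {("net", "fw"): "REJECT info", ("net", "dmz"): "REJECT info"}

# The rules exactly as in the post, then the corrected version.
RULES_ORIGINAL = [
    Rule("REJECT:info", "all", "all", "udp", "1024"),
    Rule("ACCEPT", "net:1.2.3.4", "fw"),
]
RULES_FIXED = [
    Rule("REJECT!:info", "all", "all", "udp", "1024"),
    Rule("ACCEPT", "net:1.2.3.4", "fw"),
]


def udp1024_from_trusted_host(rules, optimize=True):
    """Fate of UDP/1024 from 1.2.3.4 to the firewall under the given rules."""
    return decide("net", "1.2.3.4", "fw", "udp", 1024, rules, POLICIES, optimize)


if __name__ == "__main__":
    for name, rules in (("REJECT:info", RULES_ORIGINAL), ("REJECT!:info", RULES_FIXED)):
        for opt in (False, True):
            print(f"{name:13} OPTIMIZE={int(opt)}: UDP/1024 from 1.2.3.4 -> "
                  f"{udp1024_from_trusted_host(rules, opt)}")
```

Running it shows the wart directly: with OPTIMIZE=1 and REJECT:info the chain holds only the ACCEPT rule, so UDP/1024 from 1.2.3.4 is accepted; with OPTIMIZE=0, or with REJECT!:info, it is rejected as the rules intend. Any traffic other than UDP/1024 from 1.2.3.4, and UDP/1024 from any other net host, gets the same verdict in all four cases, which is why the problem is easy to miss in testing.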
