Brian J. Murrell wrote:
> On Sat, 2008-03-29 at 22:39 -0700, Tom Eastep wrote:
>> Sure -- same solution that has always been available. Start Shorewall
>> before you start networking.
>
> Yes, but...
>
>> Of course you can't use any of Shorewall's features that rely on
>> detecting the current network configuration...
>
> Right. I was thinking/hoping for a solution that was more elegant. Such as
> I suggested perhaps... preventing packets from hitting the conntrack state
> engine before the nat rules were set up. Is it technically impossible to do
> that with iptables? I've never really played much with module loading order
> and dependencies of iptables.
As long as you bring up networking before Shorewall, there is not a thing that Shorewall can do to solve this problem. So you get to solve this one yourself.
Check out the 'raw' table and the NOTRACK target; you might be able to avoid tracking any traffic until the Shorewall-generated script runs if you configure appropriate NOTRACK rules before bringing up networking.
-Tom
--
Tom Eastep          \ Nothing is foolproof to a sufficiently talented fool
Shoreline,           \ http://shorewall.net
Washington USA        \ [EMAIL PROTECTED]
PGP Public Key         \ https://lists.shorewall.net/teastep.pgp.key
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
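The raw-table/NOTRACK approach Tom points at above, written out as an added example; this is my own script, not Shorewall's code or anything posted in the thread. It installs NOTRACK rules in the raw table before networking comes up, so no packet gets a conntrack entry (and with it a NAT decision made while the nat table was still empty) until the Shorewall-generated script has run, and then removes them again. The interface name "eth0", the chain name PRESTART_NOTRACK and the IPT override are all my own choices, and it assumes the iptable_raw module is available.

```shell
#!/bin/sh
# Added example implementing the raw-table NOTRACK suggestion from the thread.
# Not Shorewall code. "eth0" and the chain name PRESTART_NOTRACK are
# placeholders chosen for this example.

IPT=${IPT:-iptables}          # set IPT=echo to dry-run and review the commands
CHAIN=PRESTART_NOTRACK

# Emit the raw-table setup rules, one per line, so they can be reviewed
# (or dry-run) before touching the kernel. NOTRACK is only valid in the raw
# table's PREROUTING and OUTPUT hooks and in chains called from them; on
# current iptables it is an alias for "-j CT --notrack".
notrack_rules() {
    ifc=$1
    printf '%s\n' \
        "-t raw -N $CHAIN" \
        "-t raw -A $CHAIN -j NOTRACK" \
        "-t raw -I PREROUTING -i $ifc -j $CHAIN" \
        "-t raw -I OUTPUT -o $ifc -j $CHAIN"
}

# Teardown in reverse: unhook the chain first, then flush and delete it.
notrack_teardown_rules() {
    ifc=$1
    printf '%s\n' \
        "-t raw -D PREROUTING -i $ifc -j $CHAIN" \
        "-t raw -D OUTPUT -o $ifc -j $CHAIN" \
        "-t raw -F $CHAIN" \
        "-t raw -X $CHAIN"
}

# Feed each rule line to iptables; stop at the first failure so a half-built
# ruleset is noticed instead of silently left behind.
run_rules() {
    while read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intentional
        $IPT $rule || return 1
    done
}

# Intended boot order:
#   prestart_notrack_up eth0     (before ifup / the networking service)
#   ifup eth0 && shorewall start (nat rules are now loaded)
#   prestart_notrack_down eth0   (conntrack takes over from here)
prestart_notrack_up()   { notrack_rules "$1"          | run_rules; }
prestart_notrack_down() { notrack_teardown_rules "$1" | run_rules; }

case "${1:-}" in
    up)   prestart_notrack_up   "${2:?interface required}" ;;
    down) prestart_notrack_down "${2:?interface required}" ;;
esac
```

Two caveats a practitioner should keep in mind. Anything matched by NOTRACK also bypasses stateful filtering (no ESTABLISHED/RELATED matches apply to it), so the window between "up" and "down" should be as short as the boot sequence allows, and the "down" step must not be forgotten. And a flow that started while the rules were in place is only picked up by conntrack on its next packet after teardown, so whatever NAT decision applies then is the one that sticks for that flow.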
