On Sun, Mar 30, 2008 at 03:12:51AM -0500, Jerry Vonau wrote:
> Andrew Suffield wrote:
> > If ip_forward is never enabled until shorewall has started, then no
> > packets will ever pass through the system. You're then left with just
> > local stuff on the firewall itself, which shouldn't really be an issue
> > (since you shouldn't be running anything at that point).
> >
> > This should be the default behaviour, so I'd be looking into why that
> > didn't happen.
>
> Well, the ip_forward flag is set after the loading of the modules, but
> before the loading of the ruleset. I know, small window but it is made
> worse with the limited resources that Brain has available. So using your
> logic, the setting of the flag should be the last thing done to ensure
> that this doesn't happen?

I cannot imagine any reason why you might want it to happen before loading the firewall rules.
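
The ordering discussed in this thread, as an added example that is not part of the original messages and is not Shorewall's own code: forwarding is forced off, the ruleset loader runs, and ip_forward is enabled only if the loader succeeded. The names `IP_FORWARD_FILE`, `forwarding_state`, `set_forwarding` and `start_firewall` are hypothetical, and the loader command is whatever installs the rules on the system in question.

```shell
#!/bin/sh
# Added example: close the window between "forwarding on" and "rules loaded".
# IP_FORWARD_FILE is an assumption of this sketch; it defaults to the kernel's
# IPv4 forwarding switch and can be pointed at a scratch file for a dry run.
IP_FORWARD_FILE="${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"

# Print the current forwarding flag (0 or 1).
forwarding_state() {
    cat "$IP_FORWARD_FILE"
}

# Write 0 or 1 to the forwarding flag.
set_forwarding() {
    echo "$1" > "$IP_FORWARD_FILE"
}

# start_firewall LOADER [ARGS...]
#   1. Force forwarding off, whatever state boot scripts left it in.
#   2. Run the ruleset loader while nothing can transit the box.
#   3. Enable forwarding as the very last step, and only on success.
# If the loader fails, forwarding stays off, so the host fails closed.
start_firewall() {
    set_forwarding 0 || return 1
    if "$@"; then
        set_forwarding 1
    else
        echo "ruleset load failed; leaving ip_forward=0" >&2
        return 1
    fi
}
```
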
