Jerry Vonau wrote:
Andrew Suffield wrote:
On Sun, Mar 30, 2008 at 03:12:51AM -0500, Jerry Vonau wrote:
Andrew Suffield wrote:
If ip_forward is never enabled until shorewall has started, then no
packets will ever pass through the system. You're then left with just
local stuff on the firewall itself, which shouldn't really be an issue
(since you shouldn't be running anything at that point).

This should be the default behaviour, so I'd be looking into why that
didn't happen.
Well, the ip_forward flag is set after the loading of the modules, but before the loading of the ruleset. I know, small window but it is made worse with the limited resources that Brain has available. So using your logic, the setting of the flag should be the last thing done to ensure that this doesn't happen?
I cannot imagine any reason why you might want it to happen before
loading the firewall rules.

A quick snip:

Setting up rules for DHCP...
Setting up ARP filtering...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Accept Source Routing...
IP Forwarding Enabled
Setting up SYN Flood Protection...
Setting up Rules...

Should this be fixed then?

Probably.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
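
An added example, not part of the original thread or of any project's code: a shell check that reads firewall startup output like the snippet quoted above and reports whether "IP Forwarding Enabled" appears before "Setting up Rules...", listing the steps that ran in that window. The function name `check_forward_order`, its exit codes, and the embedded sample (copied from the quoted snippet) are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample input: the startup lines quoted in the thread.
SAMPLE_LOG='Setting up rules for DHCP...
Setting up ARP filtering...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Accept Source Routing...
IP Forwarding Enabled
Setting up SYN Flood Protection...
Setting up Rules...'

# check_forward_order (hypothetical helper): reads startup output on stdin.
# Prints every step that ran while forwarding was already enabled but the
# ruleset line had not yet been reached.
# Exit status: 0 = forwarding enabled after the ruleset (or never enabled),
#              1 = forwarding enabled before the ruleset was loaded,
#              2 = neither marker line found, order cannot be judged.
check_forward_order() {
    awk '
        # Match is case-sensitive, so "Setting up rules for DHCP..." is
        # not mistaken for the main ruleset step.
        /^IP Forwarding Enabled/  { if (!fwd) fwd = NR; next }
        /^Setting up Rules\.\.\./ { if (!rules) rules = NR; next }
        fwd && !rules             { print "in window: " $0 }
        END {
            if (fwd && (!rules || fwd < rules)) exit 1
            if (!rules) exit 2
            exit 0
        }'
}

# Stand-alone run against the sample; the status is reported, not fatal.
printf '%s\n' "$SAMPLE_LOG" | check_forward_order || echo "exit status: $?"
```
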

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
