Dear Tom,

Thanks for the answer.

Tom Eastep wrote:
>> I suspect changed behavior of new kernel or new Shorewall.
>
> There is no way that I know of that Shorewall could make this happen.
> Have you compared the output of 'shorewall show nat' on the two
> different versions?

Good idea. I should compare this. I made a shorewall dump tonight (new) and now (old). The NAT tables are identical except for the counters.

I have now compared all compiled tables in the dumps side by side. I don't see important differences. In the filter INPUT chain, in 4.4.4.2 eth2_in and eth3_in are called earlier, and at the end the rest is Reject'ed instead of Drop'ped and reject'ed instead of DROP'ped (as in 4.2.6). In FORWARD and OUTPUT, the ISP interface chains are called earlier. Tunnel acceptances in net2fw are shifted too. But the rest is identical. Interface configurations, especially the ISPs', are the same.

So the problem is rather not in Shorewall but in netfilter, netfilter patches or the kernel with patches (iproute2?). Maybe grsec? I will check it.

Thanks for the help.

Regards,
Andrzej Odyniec
