> That further suggests that it is due to a packet in the invalid state.
> Another way to have corrected this would probably have been to add this
> in the NEW section of the rules file.
>
> dropInvalid net fw
>

Good suggestion, but isn't that section applicable to packets with ctstate NEW? If so, I am not certain the reported packet was new, as if it was new my catch-all security marking would have caught it and SELinux would have reported it as "unauthorised_t". I have this at the very top of my secmark file:

system_u:object_r:unauthorised_packet_t:s0 O:N

So, according to this, if the packet was NEW and it was invalid the marking would have been "unauthorised". SELinux reported this as "unlabelled", which to me indicates that the ctstate was just INVALID, not NEW, or am I missing something?

Shorewall-users mailing list
