On 6/2/11 11:03 AM, Mr Dash Four wrote:
>
>> That further suggests that it is due to a packet in the invalid state.
>> Another way to have corrected this would probably have been to add this
>> in the NEW section of the rules file.
>>
>> dropInvalid net fw
>>
> Good suggestion, but isn't that section applicable to packets with
> ctstate NEW?

No -- it is valid for ctstate NEW,INVALID. This is particularly important when Shorewall is first installed; the first time it is started, all packets that are part of existing connections will be in the INVALID state since the xt_conntrack module wasn't loaded when those connections were created.

> If so, I am not certain the reported packet was new as if
> it was new my catch-all security marking would have caught it and
> SELinux would have reported it as "unauthorised_t". I have this at the
> very top of my secmark file:
>
> system_u:object_r:unauthorised_packet_t:s0 O:N
>
> So, according to this if the packet was NEW and it was invalid the
> marking would have been "unauthorised". SELinux reported this as
> "unlabelled" which to me indicates that the ctstate was just INVALID,
> not NEW, or am I missing something?

Again, there is no such thing as NEW and INVALID.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
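The state handling discussed in this exchange, modelled as an added example that is not Shorewall's own code: a packet carries exactly one conntrack state, rules placed in the NEW section of the rules file are applied to packets in ctstate NEW or INVALID, and a secmarks entry whose second column ends in ":N" is taken (as the poster's own description implies) to match ctstate NEW only. The `dropInvalid` behaviour, the section-to-state mapping, the chain letter being opaque, and the "unlabelled" reading of a packet no secmark entry matched are all assumptions of this model; the rule `dropInvalid net fw` and the secmarks line are the ones from the thread.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# A packet is in exactly one conntrack state: NEW and INVALID never coexist,
# which is the point of "there is no such thing as NEW and INVALID".
CT_STATES = ("NEW", "ESTABLISHED", "RELATED", "INVALID")

# Rules-file section -> ctstates whose packets that section's rules see.
# The NEW section covering INVALID as well is what the reply states.
SECTION_STATES: Dict[str, Set[str]] = {
    "ESTABLISHED": {"ESTABLISHED"},
    "RELATED": {"RELATED"},
    "NEW": {"NEW", "INVALID"},
}


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    ctstate: str
    secmark: Optional[str] = None  # SELinux context applied by a secmark entry

    def __post_init__(self) -> None:
        if self.ctstate not in CT_STATES:
            raise ValueError(f"unknown ctstate {self.ctstate!r}")


@dataclass
class Rule:
    action: str  # e.g. "dropInvalid" or "ACCEPT"
    source: str
    dest: str


def evaluate_rules(packet: Packet, sections: Dict[str, List[Rule]]) -> str:
    """Return the first verdict the rules file produces for this packet.

    `sections` maps section name -> rules in file order. A rule only sees
    packets whose ctstate belongs to its section. "dropInvalid" drops
    INVALID packets and is otherwise a no-op (modelled after the thread's
    description; the real action's implementation is not reproduced here).
    """
    for name, rules in sections.items():
        if packet.ctstate not in SECTION_STATES[name]:
            continue
        for rule in rules:
            if rule.source != packet.src_zone or rule.dest != packet.dst_zone:
                continue
            if rule.action == "dropInvalid":
                if packet.ctstate == "INVALID":
                    return "DROP"
                continue
            return rule.action
    return "CONTINUE"


def parse_secmark_line(line: str) -> Tuple[str, str, Set[str]]:
    """Parse a constructed secmarks line of the form '<context> <chain>[:<state>]'.

    Only the ':N' suffix is interpreted (as ctstate NEW); the chain letter is
    kept opaque. Both readings are assumptions of this model.
    """
    context, chain_spec = line.split()
    chain, _, state = chain_spec.partition(":")
    states = {"NEW"} if state == "N" else set(CT_STATES)
    return context, chain, states


def apply_secmarks(packet: Packet, lines: List[str]) -> Optional[str]:
    """Label the packet with the first matching secmark entry, or None if no
    entry matched (what the thread reports SELinux showing as 'unlabelled')."""
    for line in lines:
        context, _chain, states = parse_secmark_line(line)
        if packet.ctstate in states:
            packet.secmark = context
            return context
    return None


# The poster's catch-all entry and the suggested rule, as given in the thread.
SECMARKS = ["system_u:object_r:unauthorised_packet_t:s0 O:N"]
RULES: Dict[str, List[Rule]] = {
    "ESTABLISHED": [],
    "RELATED": [],
    "NEW": [Rule("dropInvalid", "net", "fw")],
}


def classify(ctstate: str) -> Tuple[str, Optional[str]]:
    """Verdict and secmark for a net->fw packet in the given conntrack state."""
    packet = Packet("net", "fw", ctstate)
    return evaluate_rules(packet, RULES), apply_secmarks(packet, SECMARKS)


if __name__ == "__main__":
    for state in CT_STATES:
        verdict, label = classify(state)
        print(f"{state:<12} verdict={verdict:<9} secmark={label or 'unlabelled'}")
```

Running it shows the two cases the thread contrasts: an INVALID packet is dropped by `dropInvalid` in the NEW section yet stays unlabelled because the ":N" entry only sees NEW packets, while a NEW packet passes `dropInvalid` untouched and receives the unauthorised_packet_t label.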
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
