On 06/02/2011 11:40 AM, Mr Dash Four wrote:
>
>> Again, there is no such thing as NEW and INVALID.
>>
> So, it makes more sense then to have just INVALID in the secmarking
> sub-column because I do not wish to involve the NEW state at all - all I
> am interested in is the INVALID state!
>
> Also, what happens to the SAVE statement - is a change needed there as
> well, to incorporate the marking saved for the INVALID state given prior
> to it?
The more I think about it, the more I favor inserting the dropInvalid rule in your rules file. If you do that, it is a moot point which security context INVALID packets have since they won't be accepted. The way your ruleset is right now, you are ACCEPTing such packets; that creates new conntrack entries which will take some time to time out and be deleted.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
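As an added illustration, not part of Tom's mail or of the Shorewall distribution, a Shorewall rules file fragment that places the builtin dropInvalid action ahead of an ordinary ACCEPT rule; the zone names net, loc and $FW and the ACCEPT rule on port 22 are assumed for the example:

```text
#ACTION        SOURCE    DEST    PROTO   DPORT
# Drop packets in the conntrack INVALID state before any rule can ACCEPT
# them. Shorewall evaluates the rules file top to bottom, so these lines
# must come before the broad ACCEPT rules (assumed ruleset, not from the
# thread).
dropInvalid    net       $FW
dropInvalid    net       loc
# Ordinary ACCEPT rules follow; INVALID packets never reach them now.
ACCEPT         net       $FW     tcp     22
```

Run `shorewall check` after editing to validate the file; once INVALID packets are dropped here, the secmark assigned to them in the secmarks file no longer matters, which is Tom's point above.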
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
