On 6/2/11 12:38 PM, Mr Dash Four wrote:
>
>> I'm betting that the AVC is only issued at the socket level (incoming
>> and outgoing). So DROPped packets would not trigger it.
>>
> I will have the opportunity to try this and will find out one way or
> another, but consider this: I currently have Drop in my fw2vpn chain.
> There is dropInvalid in it (albeit not audited, though if I knew what I
> would discover I might as well have triggered it - hindsight is 20-20 as they
> say, eh?). The packet to which this AVC relates would have been dropped,
> but an AVC was issued instead. Why?

If you are going to the trouble to assign a security context to these packets, then surely you are also ACCEPTing them in the rules file. So the Drop default action is not involved.

>
>> At any rate, here's a patch that implements ':I'.
>>
> Thanks. How do I treat my existing SAVE and RESTORE statements: should I
> include the invalid state as well, do you think (I think I should, but
> then again, I am not an expert)?
>

If the state is INVALID, there is usually nothing to restore. And if you use dropInvalid, then there is nothing to save.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
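As an added illustration (not part of Tom's reply and not Shorewall's own documentation), here is how the advice above lays out in a secmarks file: the context is assigned and SAVEd on NEW packets, RESTOREd on ESTABLISHED,RELATED packets, and the INVALID state that the new ':I' qualifier selects appears in neither line, because dropInvalid disposes of those packets before they could reach a socket. The column layout and the chain/state letters are written as I recall them from shorewall-secmarks(5) and are an assumption to check against the man page for your version; the SELinux context is an example value (a reference-policy port packet type), and the equivalent iptables targets are noted in comments.

```text
# /etc/shorewall/secmarks  (example layout; column order and the I/N/ER letters
# are assumed from shorewall-secmarks(5), verify against your installed version)
#
#SECMARK                                 CHAIN:STATE   SOURCE   DEST   PROTO   DEST     SOURCE
#                                                                              PORT(S)  PORT(S)

# Label NEW inbound ssh packets (iptables: -j SECMARK --selctx <context>).
# The context below is an example value; substitute the packet type your
# policy defines for the service.
system_u:object_r:ssh_server_packet_t:s0 I:N           -        -      tcp     22

# Copy the packet's label onto its connection (iptables: -j CONNSECMARK --save).
# Only NEW packets carry a freshly assigned label, so only they need saving.
SAVE                                     I:N

# Put the saved label back on the later packets of that connection
# (iptables: -j CONNSECMARK --restore). ESTABLISHED,RELATED only: an INVALID
# packet has no conntrack entry behind it, so there is nothing to restore.
RESTORE                                  I:ER

# Deliberately no SAVE or RESTORE line qualified with :I.  With dropInvalid in
# the policy (the Drop action in fw2vpn in the thread), INVALID packets are
# discarded before delivery, so they neither need a label nor can they
# produce a socket-level AVC.
```

The practical check after `shorewall restart` is `iptables -t mangle -L INPUT -nv`: the SECMARK and CONNSECMARK rules should each carry a state match, and no rule should match INVALID, since those packets are already accounted for by the Drop action.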
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
