> If it is subject to a net->fw rule, then certainly no local program
> created it.
>
You know very well that is not the case here.

>> If it turns out that what you wrote in your last paragraph is right,
>> then this is another issue which needs correcting in shorewall because I
>> cannot see any sense whatsoever in including dropInvalid in the Drop
>> chain as the packet, as you put it above, will already be accepted,
>> rendering all these pretty-looking actions listed in Drop/Reject
>> completely meaningless!
>>
>
> It is only superfluous if there is an earlier unrestricted 'dropInvalid'
> rule. The reason that dropInvalid is in the Drop default action is so it
> won't be logged and I won't have to answer silly questions about it when
> people see it in their logs.
>
Answer me this then: If there is a dropInvalid rule in the NEW rules
section, or even before any of the rules listed in the fw2vpn and vpn2fw
(and the like) chains, do you think an invalid packet will ever make it
to Drop/Reject, let alone to dropInvalid in Drop/Reject? If not, why is
dropInvalid needed there then, when another, more appropriate place for
it would be before those chains - and you still "won't have to answer
silly questions" if that were the case.


_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users