On 6/2/11 3:01 PM, Mr Dash Four wrote:
>
>> If it is subject to a net->fw rule, then certainly no local program
>> created it.
>>
> You know very well that is not the case here.

Your statement about local programs was directly under a paragraph where
I described net->fw INVALID packets, so I assumed that your comments were
addressing that scenario.

>
>>> If it turns out that what you wrote in your last paragraph is right,
>>> then this is another issue which needs correcting in shorewall because I
>>> cannot see any sense whatsoever in including dropInvalid in the Drop
>>> chain as the packet, as you put it above, will already be accepted,
>>> rendering all these pretty-looking actions listed in Drop/Reject
>>> completely meaningless!
>>>
>>
>> It is only superfluous if there is an earlier unrestricted 'dropInvalid'
>> rule. The reason that dropInvalid is in the Drop default action is so it
>> won't be logged and I won't have to answer silly questions about it when
>> people see it in their logs.
>>
> Answer me this then: If there is a dropInvalid rule in the NEW rules
> section, or even before any of the rules listed in fw2vpn and vpn2fw
> (and the like) chains, do you think an invalid packet will ever make it
> to Drop/Reject let alone to dropInvalid in Drop/Reject? If not, why is
> dropInvalid needed there then, when another, more appropriate place for
> it would be before those chains - and you still "won't have to answer
> silly questions" if that were the case.
>

I've already explained why Shorewall must pass INVALID packets through the
rules chain (initial installation). In addition, some users set
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose to provide "connection
pickup". If INVALID packets were dropped early, that wouldn't work.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
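An added check that is not part of either correspondent's message: a shell function that reads an iptables-save dump and reports whether INVALID packets are dropped in INPUT before or after the jumps into Shorewall's zone chains, which is the placement question argued above. The zone chain names follow the net2fw/vpn2fw pattern used in the thread, and both rulesets below are constructed samples, not output from any real Shorewall installation.

```shell
#!/bin/sh
# Added example, not from the thread. Given an iptables-save dump, report where
# the INPUT chain first drops INVALID packets relative to its jumps into the
# Shorewall zone chains (net2fw, vpn2fw, ...): "early" is the placement argued
# against above, the one that would break ip_conntrack_tcp_loose pickup.
# Prints one of:
#   early - an INVALID DROP in INPUT precedes the first jump to a *2fw chain
#   late  - INVALID is only dropped after the zone jumps (e.g. inside the
#           Drop/Reject default action reached from net2fw, vpn2fw, ...)
#   none  - no INVALID DROP anywhere in the dump
invalid_drop_placement() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / { n++ }                              # rule index in INPUT
        /^-A INPUT / && /INVALID/ && /-j DROP/ && !drop { drop = n }
        /^-A INPUT / && /-j [a-z0-9]+2fw( |$)/ && !jump { jump = n }
        !/^-A INPUT / && /^-A / && /INVALID/ && /-j DROP/ { other = 1 }
        END {
            if (drop && (!jump || drop < jump)) print "early"
            else if (drop || other)             print "late"
            else                                print "none"
        }'
}

# Constructed sample in the shape Shorewall compiles to: INVALID handling is
# left to the Drop default action, which the zone chains reach last.
SAMPLE_DEFAULT='*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j net2fw
-A INPUT -i tun0 -j vpn2fw
-A net2fw -m state --state ESTABLISHED,RELATED -j ACCEPT
-A net2fw -p tcp --dport 22 -j ACCEPT
-A net2fw -j Drop
-A vpn2fw -m state --state ESTABLISHED,RELATED -j ACCEPT
-A vpn2fw -j Drop
-A Drop -m state --state INVALID -j DROP
COMMIT'

# The same ruleset with an unrestricted dropInvalid rule placed ahead of the
# zone chains (constructed).
SAMPLE_EARLY=$(printf '%s\n' "$SAMPLE_DEFAULT" | sed '/-j net2fw/i\
-A INPUT -m state --state INVALID -j DROP')

printf 'default placement: %s\n' "$(invalid_drop_placement "$SAMPLE_DEFAULT")"
printf 'early placement:   %s\n' "$(invalid_drop_placement "$SAMPLE_EARLY")"
```

On a live box, `iptables-save` output can be passed to the function the same way to see which placement the compiled ruleset actually has.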
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
