> I've already explained why Shorewall must pass INVALID packets through
> the rules chain (initial installation). In addition, some users set
> /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose to provide
> "connection pickup". If INVALID packets were dropped early, that
> wouldn't work.
>

So, if I follow your advice and add dropInvalid in the NEW section of my rules file I will be royally screwed too, is that it?

As for whether SELinux is preventing sending of packets - the packets are indeed prevented from being sent, though they traverse through (at least) the NEW section of the rules file. Similarly, when packets are received they do appear in the corresponding section in rules, but they are never received by the process expecting these - SELinux prevents that too.
