>>> I've already explained why Shorewall must pass INVALID packets through
>>> the rules chain (initial installation). In addition, some users set
>>> /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose to provide
>>> "connection pickup". If INVALID packets were dropped early, that
>>> wouldn't work.
>>>
>> So, if I follow your advice and add dropInvalid in the NEW section of my
>> rules file I will be royally screwed too, is that it?
>>
> Huh?

If I follow your advice and place dropInvalid at the start of my NEW section in rules, then I will prevent shorewall from "passing INVALID packets through the rules chain (initial installation)" so I will be screwed too, in which case what you suggested earlier can't be taken as a viable solution.
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
