On 06/03/2011 04:42 AM, Mr Dash Four wrote:
>
>>>> I've already explained why Shorewall must pass INVALID packets through
>>>> the rules chain (initial installation). In addition, some users set
>>>> /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose to provide
>>>> "connection pickup". If INVALID packets were dropped early, that
>>>> wouldn't work.
>>>>
>>> So, if I follow your advice and add dropInvalid in the NEW section of my
>>> rules file I will be royally screwed too, is that it?
>>>
>>
>> Huh?
>>
> If I follow your advice and place dropInvalid at the start of my NEW
> section in rules, then I will prevent shorewall from "passing INVALID
> packets through the rules chain (initial installation)" so I will be
> screwed too, in which case what you suggested earlier can't be taken as
> a viable solution.
It's perfectly safe to add to a system on which Shorewall was started at
boot. I run with a 'dropInvalid net all' rule on my own firewall (it's the
first entry in my rules file).

On Debian, at least, the default setting of
/proc/sys/net/netfilter/nf_conntrack_tcp_loose is '1', so all->net INVALID
state packets will create a conntrack entry which will then match incoming
packets that are part of the same connection. That is the principle of
'connection pickup'.

Note that stream-oriented protocols like TCP are the only ones where
'INVALID' state can occur; it cannot occur on datagram-oriented protocols
like UDP.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
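The two settings discussed in this thread (a dropInvalid rule at the top of the Shorewall rules file, and the nf_conntrack_tcp_loose sysctl that makes connection pickup possible) are easy to audit on a running box. The script below is an added example, not code from the thread or from the Shorewall project: it reports whether the first rule in a rules file is dropInvalid and reads the tcp_loose setting. The sample rules file it writes is constructed, the function names are made up for this example, and the /proc path is the one Tom quotes; the older ip_conntrack_tcp_loose path can be passed in explicitly.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): audit a Shorewall
# rules file for an early dropInvalid rule and report whether the conntrack
# "tcp_loose" setting that allows connection pickup is enabled.
# The sample rules file below is constructed; the proc path is an assumption
# taken from the thread (Debian default location).

# first_rule FILE
#   Print the first real rule: skip comments, blank lines and SECTION headers
#   (both the 4.4-style "SECTION NEW" and the later "?SECTION NEW" form).
first_rule() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -v '^[[:space:]]*$' \
        | grep -Eiv '^[[:space:]]*\??SECTION[[:space:]]' \
        | head -n 1
}

# drop_invalid_first FILE
#   Succeed if the first rule is a dropInvalid action, i.e. the file starts
#   with something like "dropInvalid net all" as in Tom's setup.
drop_invalid_first() {
    first_rule "$1" | grep -q '^[[:space:]]*dropInvalid[[:space:]]'
}

# tcp_loose_enabled [PROCFILE]
#   Succeed if nf_conntrack_tcp_loose reads 1 (connection pickup on).
#   Pass /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose on old kernels.
tcp_loose_enabled() {
    f="${1:-/proc/sys/net/netfilter/nf_conntrack_tcp_loose}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# sample_rules_file FIRST_RULE
#   Write a constructed Shorewall 4.4-style rules file whose first rule in
#   the NEW section is FIRST_RULE, and print its path.
sample_rules_file() {
    f=$(mktemp)
    {
        echo '# constructed sample, not a real rules file'
        echo 'SECTION NEW'
        echo "$1"
        echo 'ACCEPT  net  $FW  tcp  22'
    } > "$f"
    echo "$f"
}

# audit_rules FILE
#   Human-readable report combining both checks.
audit_rules() {
    if drop_invalid_first "$1"; then
        echo "ok: first rule in $1 is dropInvalid"
    else
        echo "note: first rule in $1 is '$(first_rule "$1")', not dropInvalid"
    fi
    if tcp_loose_enabled; then
        echo "nf_conntrack_tcp_loose=1: INVALID-state TCP packets that are accepted can seed conntrack entries (connection pickup)"
    else
        echo "nf_conntrack_tcp_loose is 0 or unreadable: no connection pickup"
    fi
}

# Usage: sh audit-shorewall.sh /etc/shorewall/rules
if [ -n "${1:-}" ]; then
    audit_rules "$1"
fi
```

Run it against the real rules file to see where dropInvalid sits relative to the first ACCEPT; if tcp_loose is 1, an INVALID packet that reaches an ACCEPT rule is exactly what creates the pickup entry Tom describes, so placing dropInvalid first trades pickup for the early drop.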
