> It's perfectly safe to add to a system on which Shorewall was started at
> boot. I run with a 'dropInvalid net all' rule on my own firewall
> (it's the first entry in my rules file). On Debian, at least, the
> default setting of /proc/sys/net/netfilter/nf_conntrack_tcp_loose is
> '1', so all->net INVALID state packets will create a conntrack entry
> which will then match incoming packets that are part of the same
> connection. That is the principle of 'connection pickup'. Note that
> stream-oriented protocols like TCP are the only ones where 'INVALID'
> state can occur; it cannot occur on datagram-oriented protocols like UDP.

The way I see it, this should be the very first thing done by shorewall - both for incoming as well as outgoing packets.
OK, I understand the case for it to be optional (it may not be suitable in some rare circumstances - fair enough), but the option should be there without the need for me (i.e. the end-user) to add a pair of rules in every possible xx2fw and fw2xx combination. In other words, why not add it as an option in the interfaces file - if it is there (say as part of the tunX line in interfaces), insert the appropriate dropInvalid rules - in both directions - at the very top of their corresponding chains? Better still, make it a shorewall.conf option and insert just one rule - at the top of the OUTPUT and/or INPUT chains - and be done with it: no need for messing about with rules and permutations and asking end-users to do this and that to "fix" it.

Unfortunately I am unable to properly verify your ":(N)I" patches, as I discovered a serious flaw in my testing harness last night (thanks in no small part to your patch, btw) and will have to spend the weekend fixing that before I get to your patches. They look good and *should* be OK, as the only thing your patches change is the addition of the "INVALID" state in the chain statements, which isn't really something likely to cause any issues, but that's me thinking and I am no expert.

Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
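The whole point of the thread is whether the INVALID-state drop really sits at the top of each chain, ahead of any ACCEPT. The following script is an added example (not code from the thread or from the Shorewall project) that audits an `iptables -S` listing for exactly that; the listing it runs on is a constructed sample in the shape Shorewall generates, and the chain names `net-fw` and `fw-net` are assumed.

```shell
#!/bin/sh
# Added example: check that a "conntrack --ctstate INVALID -j DROP" rule
# precedes the first ACCEPT in a chain. The rules below are constructed
# sample `iptables -S` output, not captured from a real host.
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j net-fw
-A OUTPUT -o eth0 -j fw-net
-A net-fw -m conntrack --ctstate INVALID -j DROP
-A net-fw -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A net-fw -p tcp --dport 22 -j ACCEPT
-A fw-net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A fw-net -j ACCEPT'

# rule_index CHAIN PATTERN: 1-based position, within CHAIN, of the first rule
# matching PATTERN (grep -E). Reads the listing from stdin; prints nothing
# when no rule matches.
rule_index() {
  grep -- "^-A $1 " | grep -nE -- "$2" | head -n1 | cut -d: -f1
}

# invalid_first CHAIN: prints "ok" when the INVALID drop comes before any
# ACCEPT in CHAIN, "missing" when CHAIN has no INVALID drop at all, and
# "late" when an ACCEPT is evaluated before it. Reads the listing from stdin.
invalid_first() {
  rules=$(cat)
  drop=$(printf '%s\n' "$rules" | rule_index "$1" 'ctstate INVALID .*-j DROP')
  accept=$(printf '%s\n' "$rules" | rule_index "$1" '-j ACCEPT')
  if [ -z "$drop" ]; then
    echo missing
  elif [ -n "$accept" ] && [ "$accept" -lt "$drop" ]; then
    echo late
  else
    echo ok
  fi
}

# Audit both directions of the sample: net-fw has the drop first, fw-net
# has no INVALID drop at all (the gap the thread complains about).
for chain in net-fw fw-net; do
  printf '%s: %s\n' "$chain" "$(printf '%s\n' "$SAMPLE_RULES" | invalid_first "$chain")"
done
```

On a live host, replace the sample with real output: `iptables -S | invalid_first net-fw`.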
