> So having any additional controls doesn't seem to buy anything and it
> costs my time.

I've slightly modified b) and added "dropInvalid(audit) all all" instead - it seems to work, though I also had to remove the (now redundant) dropInvalid in action.Drop and action.Reject (no point in them being there now). It works OK so far.

>> Unfortunately I am unable to properly verify your ":(N)I" patches as I
>> discovered a serious flaw on my testing harness last night (thanks in no
>> small part to your patch btw) and will have to spend the weekend to fix
>> that before I get to your patches. They look good and *should* be OK as
>> the only thing your patches change is the addition of the "INVALID"
>> state in the chain statements, which isn't really something likely to
>> cause any issues, but that's me thinking and I am no expert.
>>
>
> It should be pretty foolproof.
>

Yep, it works - I've designed a small program to force generating "invalid" packets and send them over the wire - the firewall and the audit daemon catch them now.

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
