Hi
> Do you block forwarded DHCP traffic?
Well, that's my conundrum. I have rules saying "any any 58", but those
aren't obviously limiting things. I *was* also using the DHCPfwd(ALLOW)
action, but further down in my ruleset. I have since removed that while
I experiment, getting confused on whether I tested this config.
More broadly, I'm getting myself confused on where/how shorewall should
generate certain rules so that I can check the iptables output rather
than just measure the end result. I will come back to this later.
In the meantime I have limited PPP demand dial with this:
pass-filter 'not port 68 and not(icmp[0]==3 && icmp[1]==3)'
The icmp port unreachable is the main thing for me. Basically my
default zone rules "REJECT" the stray packet to port 68, which in turn
generates the icmp port unreachable, which then triggers the demand
dial. The above is an example of how to use tcpdump syntax to filter just
certain icmp packets (mentioning this for the benefit of google, not you...).
>> Any thoughts on why my stack tries to forward this one packet (addressed
>> to the new eth0 ip)?
> Again, sounds like the local routing table hasn't yet been updated.
I will look into this further in the future. Many thanks for confirming
the basic problem.
Ed W
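To make the pass-filter expression in the message above concrete, here is an added example (not from the original thread or from pppd/Shorewall) that emulates the logic of 'not port 68 and not(icmp[0]==3 && icmp[1]==3)' over constructed IPv4 packets, so you can check which packets would still bring up a demand-dial link. The packet builders, sample addresses and sample names are assumptions for illustration.

```python
import struct

# Emulates pppd's pass-filter 'not port 68 and not(icmp[0]==3 && icmp[1]==3)'
# on raw IPv4 packets. Packet bytes below are constructed, not captured.
IP_PROTO_ICMP, IP_PROTO_TCP, IP_PROTO_UDP = 1, 6, 17
ICMP_DEST_UNREACH, ICMP_CODE_PORT_UNREACH = 3, 3  # icmp[0]==3, icmp[1]==3

def _ipv4_payload(pkt: bytes):
    """Return (protocol, payload) of an IPv4 packet, or None if not IPv4/truncated."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    return pkt[9], pkt[ihl:]

def passes_filter(pkt: bytes) -> bool:
    """True if pkt passes the filter (and would trigger the dial), False if dropped."""
    parsed = _ipv4_payload(pkt)
    if parsed is None:
        return True  # neither 'port' nor 'icmp' matches non-IPv4, so nothing is excluded
    proto, payload = parsed
    # 'port 68': TCP or UDP with source OR destination port 68 (SCTP omitted here)
    if proto in (IP_PROTO_TCP, IP_PROTO_UDP) and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
        if 68 in (sport, dport):
            return False
    # 'icmp[0]==3 && icmp[1]==3': ICMP destination unreachable / port unreachable
    if proto == IP_PROTO_ICMP and len(payload) >= 2:
        if payload[0] == ICMP_DEST_UNREACH and payload[1] == ICMP_CODE_PORT_UNREACH:
            return False
    return True

def ipv4(proto: int, payload: bytes, src="192.0.2.1", dst="192.0.2.2") -> bytes:
    """Minimal IPv4 header (checksum left zero; fine for parsing tests)."""
    addr = lambda s: bytes(int(x) for x in s.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, addr(src), addr(dst))
    return hdr + payload

def udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def icmp(type_: int, code: int) -> bytes:
    return struct.pack("!BBHI", type_, code, 0, 0)

# Constructed samples: a DHCP client broadcast, the REJECT-generated port
# unreachable, and two packets that should still bring the link up.
SAMPLES = {
    "dhcp_discover": ipv4(IP_PROTO_UDP, udp(68, 67), "0.0.0.0", "255.255.255.255"),
    "port_unreachable": ipv4(IP_PROTO_ICMP, icmp(3, 3)),
    "ping": ipv4(IP_PROTO_ICMP, icmp(8, 0)),
    "dns_query": ipv4(IP_PROTO_UDP, udp(40000, 53)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18s} {'passes (dials)' if passes_filter(pkt) else 'filtered'}")
```

An ICMP unreachable with a different code (for example host unreachable, code 1) still passes, which is exactly what the original filter expresses.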
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users