On 8/18/12 6:48 PM, Tom Eastep wrote:
> While you were doing this, I was installing Foobar Linux 6.3; like
> Centos, Foobar is a RHEL derivative. Foobar 6.3 shows the same result. I
> think that the best patch is to substitute:
>
> $g_tool -F
>
> for the existing '$g_tool -D' commands.
>
> Patch against the current 4.5.7 branch attached (should apply with
> offset to your configuration).
>
> This iptables/Netfilter bug is fixed in Fedora 17, so the fix should
> make it into RHEL and CentOS/Foobar eventually.

This is the correct patch -- the last one cleared the running firewall :-/

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index 5412ba5..1cd8438 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -2235,10 +2235,10 @@ determine_capabilities() {
if [ -n "$have_ipset" ]; then
if qt $g_tool -A $chain -m set --match-set $chain src -j
ACCEPT; then
- qt $g_tool -D $chain -m set --match-set $chain src -j ACCEPT
+ qt $g_tool -F $chain
IPSET_MATCH=Yes
elif qt $g_tool -A $chain -m set --set $chain src -j ACCEPT;
then
- qt $g_tool -D $chain -m set --set $chain src -j ACCEPT
+ qt $g_tool -F $chain
IPSET_MATCH=Yes
OLD_IPSET_MATCH=Yes
fi
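Review bot: the two `qt $g_tool -F $chain` lines in this hunk flush every rule in `$chain`, not only the probe rule appended by the preceding `-A`, so they are safe only if `$chain` holds nothing but that probe rule. The message above says the previous version of this patch cleared the running firewall, so a short comment at the first `-F` would help: state that `-D` was dropped because of the iptables/Netfilter bug seen on the RHEL 6.3 derivatives, and that the chain argument must stay on the command. That would keep someone from reverting the change or dropping `$chain` again.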
@@ -2247,10 +2247,10 @@ determine_capabilities() {
elif qt ipset -N $chain hash:ip family inet6; then
IPSET_V5=Yes
if qt $g_tool -A $chain -m set --match-set $chain src -j ACCEPT;
then
- qt $g_tool -D $chain -m set --match-set $chain src -j ACCEPT
+ qt $g_tool -F $chain
IPSET_MATCH=Yes
elif qt $g_tool -A $chain -m set --set $chain src -j ACCEPT; then
- qt $g_tool -D $chain -m set --set $chain src -j ACCEPT
+ qt $g_tool -F $chain
IPSET_MATCH=Yes
OLD_IPSET_MATCH=Yes
fi
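Review bot: in this branch the exit status of `qt $g_tool -F $chain` is discarded and `IPSET_MATCH=Yes` is set regardless, so if the flush fails the probe rule stays in `$chain` and still references the set created by `ipset -N $chain hash:ip family inet6` at the top of the branch. Consider checking the flush result, or note in a comment where the leftover rule and set are cleaned up. Quoting `"$chain"` on the new lines would also be a small hardening, although the surrounding lines leave it unquoted as well.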
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
