On 3/25/2014 10:46 AM, Hervé Werner wrote:
> Hello.
>
> I discovered something wrong in the comments generated from the rules file:
> I had an issue with a piece of software triggering INVALID packets (gnome-shell
> weather extension), didn't manage to figure out why, so I just
> configured Shorewall to DROP them all by adding lines in the INVALID
> section of the rules file, and it worked as expected:
>
> ?COMMENT Drop invalid packets generated by weather applet
> Invalid(DROP) $FW net:98.137.200.255 tcp
> Invalid(DROP) net:98.137.200.255 $FW tcp
> ?COMMENT
>
> But the comment is bound to the rule matching all INVALID packets:
>
> $ sudo shorewall show | grep applet
> 51 2652 _fw-net all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID /* Drop invalid packets generated by weather applet */
> 0 0 _net-fw all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID /* Drop invalid packets generated by weather applet */
>
> and there isn't any comment next to the IP 98.137.200.255:
>
> $ sudo shorewall show | grep 98.137.200.255
> 51 2652 DROP tcp -- * * 0.0.0.0/0 98.137.200.255
> 0 0 DROP tcp -- * * 98.137.200.255 0.0.0.0/0
>
> When adding a second rule below in the INVALID section, wrapped in a new
> comment, I notice this second comment is not present.
> I think the comment should be bound to the effective DROP rule.
If you want me to look at this, you will need to send me an archive of /etc/shorewall with a capabilities file. Some simple local testing has not shown any problem.

> I also played a bit with accounting; unfortunately it is not possible to
> specify zones. Is it a technical limitation of iptables?

No -- it is the way that accounting in Shorewall is implemented. Zones are security objects in Shorewall and are used for security-related purposes.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
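As an added check that is not part of this thread and not Shorewall's own code: a small POSIX shell helper for the diagnosis Hervé did by hand, i.e. reading a `shorewall show` listing and reporting which rules actually carry the `/* ... */` comment emitted for a ?COMMENT block, and how many rules matching a given string carry no comment at all. The listing embedded below is constructed to mirror the shape of the output quoted in the post; the chain names, counters and interface columns are assumptions, and on a live host you would pipe the real `shorewall show` output into the functions instead.

```shell
#!/bin/sh
# Constructed sample of a `shorewall show` listing (assumption: chain
# names, packet/byte counters and interfaces are made up to resemble
# the listing quoted in the post; they are not captured from a host).
SAMPLE_SHOW='Chain fw-net (1 references)
 pkts bytes target     prot opt in     out     source               destination
   51  2652 _fw-net    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* Drop invalid packets generated by weather applet */

Chain net-fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 _net-fw    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* Drop invalid packets generated by weather applet */

Chain _fw-net (1 references)
 pkts bytes target     prot opt in     out     source               destination
   51  2652 DROP       tcp  --  *      *       0.0.0.0/0            98.137.200.255

Chain _net-fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       98.137.200.255       0.0.0.0/0'

# rule_comment PATTERN
#   Reads a listing on stdin, keeps the rule lines containing PATTERN
#   (fixed string), and prints the distinct /* ... */ comment texts found
#   on them. Prints nothing when none of the matching rules is commented.
rule_comment() {
    grep -F -- "$1" | sed -n 's/.*\/\* \(.*\) \*\/.*/\1/p' | sort -u
}

# count_uncommented PATTERN
#   Reads a listing on stdin and prints how many rule lines containing
#   PATTERN carry no /* ... */ comment at all. A non-zero count for the
#   IP you put in the ?COMMENT block is exactly the symptom described
#   in the post: the comment landed on the jump rule, not on the DROP.
count_uncommented() {
    awk -v pat="$1" 'index($0, pat) && !/\/\*/ { n++ } END { print n + 0 }'
}

# Stand-alone demonstration on the constructed listing.
echo "Comment on the INVALID jump rules:"
printf '%s\n' "$SAMPLE_SHOW" | rule_comment 'ctstate INVALID'
echo "Comment on the rules for 98.137.200.255 (empty if none):"
printf '%s\n' "$SAMPLE_SHOW" | rule_comment '98.137.200.255'
echo "Uncommented rules for 98.137.200.255:"
printf '%s\n' "$SAMPLE_SHOW" | count_uncommented '98.137.200.255'
```

On a real host, `sudo shorewall show | count_uncommented 98.137.200.255` reporting a non-zero number while `sudo shorewall show | rule_comment 'ctstate INVALID'` prints the applet comment reproduces the observation in the post; the functions use only `grep`, `sed`, `awk` and `sort`, so they run anywhere `shorewall` itself does.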
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
