Using an exclusion in conntrack appears to work,
/conntrack
NOTRACK +IPBLACKLIST_IP!+IPWHITELIST_IP -
NOTRACK +IPBLACKLIST_NET!+IPWHITELIST_NET -
DROP:P +IPBLACKLIST_IP!+IPWHITELIST_IP -
DROP:P +IPBLACKLIST_NET!+IPWHITELIST_NET -
No 'ACCEPT' rules in /rules are required.
One downside is that if +IPBLACKLIST_{IP,NET} is very large, then it appears to
take a moment to parse the entire list and hit the exclusion. Manifests in,
e.g., the browser hesitating for a few seconds before rendering the reply.
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
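Added example (not part of the post above and not Shorewall code): a small simulation of the four conntrack rules, useful for checking the `+BLACKLIST!+WHITELIST` exclusion semantics before deploying them. The set names match the post; the member addresses are constructed, and the matching behaviour (hash:ip as an exact match, hash:net as a prefix match, NOTRACK non-terminal, DROP terminal) is an assumption of the model, not a statement about the kernel's ipset implementation. It models only the rule logic, not the lookup delay the post describes for very large sets.

```python
import ipaddress

# Constructed sample data standing in for the four ipsets named in the
# conntrack snippet. The real sets live in the kernel; these are stand-ins.
IPBLACKLIST_IP = {"198.51.100.7", "203.0.113.9"}
IPWHITELIST_IP = {"203.0.113.9"}
IPBLACKLIST_NET = {"192.0.2.0/24"}
IPWHITELIST_NET = {"192.0.2.128/25"}

# The rules from the post, in file order:
# (action, blacklist set, whitelist set, set kind).
# '+BL!+WL' means "source is in BL and NOT in WL".
CONNTRACK_RULES = [
    ("NOTRACK", IPBLACKLIST_IP, IPWHITELIST_IP, "ip"),
    ("NOTRACK", IPBLACKLIST_NET, IPWHITELIST_NET, "net"),
    ("DROP", IPBLACKLIST_IP, IPWHITELIST_IP, "ip"),
    ("DROP", IPBLACKLIST_NET, IPWHITELIST_NET, "net"),
]


def in_set(src, members, kind):
    """Model an ipset match (assumed semantics): hash:ip is an exact
    address match, hash:net matches when the address lies inside any
    listed prefix."""
    addr = ipaddress.ip_address(src)
    if kind == "ip":
        return any(addr == ipaddress.ip_address(m) for m in members)
    return any(addr in ipaddress.ip_network(m, strict=False) for m in members)


def matches_exclusion(src, blacklist, whitelist, kind):
    """'+BL!+WL': listed in the blacklist and not listed in the whitelist."""
    return in_set(src, blacklist, kind) and not in_set(src, whitelist, kind)


def conntrack_actions(src):
    """Walk the rules in file order and return the actions applied to a
    packet from `src`. NOTRACK is treated as non-terminal and DROP as
    terminal. An empty list means the packet is untouched by these rules
    and continues into normal connection tracking."""
    applied = []
    for action, blacklist, whitelist, kind in CONNTRACK_RULES:
        if matches_exclusion(src, blacklist, whitelist, kind):
            applied.append(action)
            if action == "DROP":
                break
    return applied


if __name__ == "__main__":
    # Blacklisted host, whitelisted host, blacklisted net member,
    # whitelisted sub-net member, and an unlisted address.
    for src in ("198.51.100.7", "203.0.113.9", "192.0.2.10",
                "192.0.2.200", "10.0.0.1"):
        print(src, conntrack_actions(src) or ["(normal conntrack)"])
```

The check worth running against real data is the whitelisted-subnet case: a host inside a blacklisted /24 but also inside a whitelisted /25 must come back with no action at all, otherwise the exclusion is not doing what the conntrack file intends.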