I found an unexpected issue today when configuring a Raspberry Pi as a 
WAN emulator (AP with packet loss, high, variable ping, etc). In the 
kernel of Raspbian (a Debian variant), version 3.18.5 at the time of 
writing, ICMP ping requests are tracked.

Thus, with a default policy of DROP for wlan2net, the following rule did 
not do what I expected:
-----------------------------------
SECTION NEW
Ping(ACCEPT) wlan net - - - - 1/sec:10
-----------------------------------

This would allow a flood of pings from wlan to net, as long as it was 
from and to the same machines.

However, putting the accept rule in the ALL section, followed by a DROP 
rule to counteract the default ALLOW rule for ESTABLISHED did what I 
wanted: one ping every second, with a pool of 10.
-----------------------------------
SECTION ALL
Ping(ACCEPT) wlan net - - - - 1/sec:10
Ping(DROP) wlan net
-----------------------------------
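To make the mechanism concrete, here is a small model of the two rule placements, written for this thread and not taken from Shorewall or netfilter code. It assumes that conntrack keys ICMP echo flows on (src, dst, icmp id), that an entry stays alive for 30 seconds (the countdown in the conntrack dump is consistent with that, but the value is an assumption), and that the 1/sec:10 limit behaves as a token bucket. The packet stream is constructed: one host pinging one host every 200 ms with a fixed id.

```python
"""Model of why a rate-limited Ping rule in SECTION NEW does not limit a
ping flood once conntrack has an entry for the echo request/reply pair.
Hypothetical simulation written for this thread; it is not Shorewall or
netfilter code. Limiter values mirror the rule in the post (1/sec, burst
10); the 30 s ICMP timeout is an assumption."""

from dataclasses import dataclass

ICMP_TIMEOUT_MS = 30_000  # assumed conntrack timeout for ICMP entries


@dataclass
class Packet:
    t_ms: int
    src: str
    dst: str
    icmp_id: int


class TokenBucket:
    """Integer token bucket: `rate` tokens per second with the given burst.
    Tokens are kept in milli-tokens so the arithmetic stays exact."""

    def __init__(self, rate_per_sec: int, burst: int):
        self.rate = rate_per_sec
        self.cap = burst * 1000
        self.tokens = self.cap
        self.last_ms = 0

    def allow(self, t_ms: int) -> bool:
        self.tokens = min(self.cap, self.tokens + (t_ms - self.last_ms) * self.rate)
        self.last_ms = t_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


class Conntrack:
    """Minimal flow table keyed the way echo requests are tracked:
    (src, dst, id). Every matching packet refreshes the entry."""

    def __init__(self):
        self.table = {}

    def established(self, p: Packet) -> bool:
        key = (p.src, p.dst, p.icmp_id)
        seen = self.table.get(key)
        if seen is not None and p.t_ms - seen <= ICMP_TIMEOUT_MS:
            self.table[key] = p.t_ms
            return True
        return False

    def add(self, p: Packet):
        self.table[(p.src, p.dst, p.icmp_id)] = p.t_ms


def run_new_section(packets, rate=1, burst=10) -> int:
    """Ping(ACCEPT) ... 1/sec:10 in SECTION NEW: the limiter only sees
    packets conntrack classifies as NEW; ESTABLISHED ones are accepted
    by the default ESTABLISHED handling before the rule is consulted."""
    ct, bucket, accepted = Conntrack(), TokenBucket(rate, burst), 0
    for p in packets:
        if ct.established(p):
            accepted += 1
        elif bucket.allow(p.t_ms):
            ct.add(p)
            accepted += 1
    return accepted


def run_all_section(packets, rate=1, burst=10) -> int:
    """Ping(ACCEPT) ... 1/sec:10 followed by Ping(DROP) in SECTION ALL:
    every echo request, established or not, has to pass the limiter."""
    bucket, accepted = TokenBucket(rate, burst), 0
    for p in packets:
        if bucket.allow(p.t_ms):
            accepted += 1
    return accepted


def ping_flood(count=50, interval_ms=200, icmp_id=256):
    """Constructed stream: one host pinging one host every 200 ms with a
    fixed ICMP id, roughly what `ping -i 0.2` produces."""
    return [Packet(i * interval_ms, "10.101.0.53", "173.194.112.130", icmp_id)
            for i in range(count)]


if __name__ == "__main__":
    flood = ping_flood()
    print("SECTION NEW accepted:", run_new_section(flood))  # 50: only the first ping is NEW
    print("SECTION ALL accepted:", run_all_section(flood))  # 19: burst of 10, then ~1/sec
```

With the rule in SECTION NEW only the first echo request is NEW; the remaining 49 match the tracked flow and are accepted as ESTABLISHED, so all 50 get through. In SECTION ALL the same stream yields 19 accepted packets over the 10 second window: the burst of 10 plus roughly one per second of refill. If every request carried a different id (a different sender process for each ping), each would be NEW and the SECTION NEW rule would limit it the same way.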

Connection tracking in progress:
-----------------------------------
$ shorewall show connections | grep icmp
icmp 1 29 src=10.101.0.53 dst=173.194.112.130 type=8 code=0 id=256 
src=173.194.112.130 dst=10.0.10.34 type=0 code=0 id=256 mark=0 use=2
-----------------------------------

While discussing this in #shorewall on freenode, it was suggested that I 
send a mail about this, so this is me doing just that.

If this situation isn't mentioned in the documentation or examples (I 
couldn't find it), it probably should be.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users