Hi

> You don't want the above -- it accepts *ALL* tcp connection requests.

Agreed, sorry that was cut and paste; I actually used "CONTINUE" in an action.

> In the NEW section, simply place this rule:
>
>   NotSyn(REJECT) all all tcp

Aha, splendid. Didn't see that! Just what I need.

So for the benefit of Google, the above allows effectively rejecting "in-progress" connections that conntrack is trying to recreate. Effectively, it rejects any (tcp) connection in state NEW that isn't a SYN packet.

Note: beware that shorewall can also send untracked and invalid packets into the NEW section (depending on xx_DISPOSITION variables). I created an action so I could ignore (CONTINUE) untracked connections.

I only use this for PPP links (where the IP will change); this means I can reboot the firewall without terminating in-progress connections through the LAN, but it will terminate PPP connections (and avoid them hanging). I also have some PPP ip-down.d scripts which clear those conntrack entries to achieve the same on dropped links.

Many thanks!

Ed W

------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
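The message above mentions PPP ip-down.d scripts that clear conntrack entries for a dropped link but does not show one. The script below is an added example written for this page, not Ed W's script and not part of Shorewall. It assumes the standard pppd ip-down calling convention (arguments: interface, tty, speed, local IP, remote IP, ipparam), the conntrack-tools command line (`conntrack -D --orig-src`, `--orig-dst`, `--reply-dst`), and a hypothetical install path of /etc/ppp/ip-down.d/50-flush-conntrack. The `CONNTRACK` variable is an assumption added so the script can be dry-run without root.

```shell
#!/bin/sh
# Hypothetical path: /etc/ppp/ip-down.d/50-flush-conntrack
# Added example (not from the mailing-list thread or from Shorewall).
#
# pppd invokes ip-down scripts as:
#   ip-down IFNAME TTY SPEED LOCAL-IP REMOTE-IP IPPARAM
# so $4 is the address the link had before it dropped.
#
# Why flush: once the PPP address is gone, conntrack entries that used it are
# dead weight. With NotSyn(REJECT) in the NEW section, mid-stream packets for
# those flows are rejected anyway, but flushing the entries makes the old
# flows disappear immediately instead of hanging until conntrack times them out.

# Override for dry runs, e.g. CONNTRACK=echo ./50-flush-conntrack ppp0 x 0 203.0.113.7
CONNTRACK="${CONNTRACK:-conntrack}"

# flush_conntrack_for_ip IPV4
# Deletes every conntrack entry in which IPV4 appears as:
#   --orig-src  locally originated traffic, or NAT'd LAN traffic after SNAT
#   --orig-dst  inbound connections addressed to the link
#   --reply-dst masqueraded LAN connections (reply packets come back to the
#               PPP address before de-NAT)
# Returns 0 after issuing the deletions, 2 if IPV4 does not look like an
# IPv4 address. Individual conntrack -D failures (for example, nothing
# matched) are deliberately ignored so a partially empty table is not an error.
flush_conntrack_for_ip() {
    ip="$1"
    case "$ip" in
        ''|*[!0-9.]*)
            echo "flush_conntrack_for_ip: not an IPv4 address: '$ip'" >&2
            return 2
            ;;
    esac
    "$CONNTRACK" -D --orig-src "$ip"  2>/dev/null || :
    "$CONNTRACK" -D --orig-dst "$ip"  2>/dev/null || :
    "$CONNTRACK" -D --reply-dst "$ip" 2>/dev/null || :
    return 0
}

# When called by pppd the local IP is the fourth argument; when sourced or run
# with fewer arguments (e.g. for testing) do nothing.
if [ "$#" -ge 4 ]; then
    flush_conntrack_for_ip "$4"
fi
```

The address check rejects anything that is not digits and dots before it reaches the shell command line; pppd supplies the address itself, but the script is also runnable by hand, so do not trust `$4` blindly. Run with `CONNTRACK=echo` first to see the exact deletions that will be issued for a given address.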
