On 01/30/2018 12:48 AM, Vieri Di Paola via Shorewall-users wrote:
> Hi,
>
> By default, Shorewall sets tcpflags to 1 for each interface, i.e. it checks
> for invalid combinations of TCP flags.
>
> Recently, I saw the following DROP lines in my log:
>
> Shorewall:logflags:DROP:IN=enp10s0 OUT=enp7s0f2 MAC=30:85:a9:8e:b9:a0:00:50:60:80:6a:ba:08:00 SRC=10.215.144.98 DST=10.215.219.228 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=9197 PROTO=TCP SPT=5555 DPT=3230 WINDOW=0 RES=0x00 RST FIN URGP=0
>
> TCP/3230 is used for video conferencing, and it should be allowed according
> to my rules.
>
> I could set tcpflags=0 for interface enp7s0f2, but I'd rather not.
>
> Is there a way to "force-ACCEPT", or to disable tcpflag checking on a
> per-rule basis?
You need to:

- set tcpflags=0 on enp7s0f2
- Place your ACCEPT rule for tcp/3230 at the top of the NEW section of your rules file.
- Follow that ACCEPT rule with:

  TCPFlags:$TCP_FLAGS_LOG_LEVEL <zone>:enp7s0f2 all tcp

You may omit 'tcp' if you are running 5.1.10 or later. <zone> is the zone associated with enp7s0f2.

-Tom
--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \    understand
                          \_______________________________________________
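The three steps in Tom's reply, written out as the two Shorewall files they touch. This is an added illustration, not configuration from the original thread or from the Shorewall project. The zone names (net for enp10s0, loc for enp7s0f2), the ?FORMAT 2 interfaces layout, and the rule direction (taken from the logged packet, which entered on enp10s0 and left on enp7s0f2) are assumptions; substitute your own zones and adjust the direction if the conferencing traffic is initiated from the other side.

```text
# /etc/shorewall/interfaces  (added example; zone names are assumed)
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     enp10s0     tcpflags          # default per-interface flag check stays on
loc     enp7s0f2    tcpflags=0        # step 1: switch the interface-level check off here

# /etc/shorewall/rules  (added example; zone names are assumed)
#ACTION                         SOURCE          DEST            PROTO   DPORT
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

# step 2: the port-3230 ACCEPT must be the first rule in the NEW section,
#         so it is matched before the flag check below is reached.
ACCEPT                          net             loc             tcp     3230

# step 3: re-apply the flag check, at the log level set in shorewall.conf,
#         to everything else arriving on enp7s0f2. "tcp" may be omitted
#         on Shorewall 5.1.10 or later.
TCPFlags:$TCP_FLAGS_LOG_LEVEL   loc:enp7s0f2    all             tcp
```

After editing both files, run `shorewall check` to have the compiler validate the rule set before a `shorewall reload`; the point of the ordering is simply that an earlier ACCEPT in the NEW section terminates processing for matching packets, so the TCPFlags action that follows never sees port-3230 traffic while still covering every other TCP connection from that interface.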
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users