Thank you very much! I somehow over-read this sentence:

> You may omit any section that you don't need. If no Section Headers appear in the file then all rules are assumed to be in the NEW section.

I have moved all rules to SECTION NEW and it works.

Kevin

On Thu, 1 Nov 2018 at 15:26, Justin Pryzby <pry...@telsasoft.com> wrote:

> On Thu, Nov 01, 2018 at 02:07:44PM +0100, Kevin Olbrich wrote:
> > Hi!
> >
> > I have these rules in my shorewall-rules:
> >
> > > # Allow ping to the callserver
> > > Ping(ACCEPT) all fw
> > > # Allow SSH to the callserver
> > > ACCEPT all fw tcp 1337
> > > # Allow SIP traffic to the callserver from the internet
> > > ACCEPT net fw udp 5060
> > > ACCEPT net fw tcp 5060
> > > ACCEPT net fw tcp 5061
> >
> > I never used SECTIONS on any shorewall setups and started to read related docs.
> > Should I use any SECTIONS? I tried setting the above under ALL which allowed the access, but my "net -> fw DROP" policy had precedence over conntracking (for example ICMP or HTTP) on answer packets.
>
> Follow this advice:
>
> If you are not familiar with Netfilter to the point where you are comfortable with the differences between the various connection tracking states, then it is suggested that you omit the ESTABLISHED and RELATED sections and place all of your non-blacklisting rules in the NEW section (That's after the line that reads 'SECTION NEW').
>
> Warning
> If you specify FASTACCEPT=Yes in shorewall.conf(5) then the ALL, ESTABLISHED and RELATED sections must be empty.
>
> I'm not sure what responses weren't allowed by the implicit "established -> allow" rule.
>
> Justin
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
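For readers arriving at this thread with the same question, here is what the fix Kevin describes looks like as a rules file. This is an added illustration, not Kevin's actual file and not Shorewall project documentation. It assumes the zone names from his rules (`net` for the internet and `fw` for the firewall itself) and writes the section header as `?SECTION NEW`, the `?`-prefixed form used by current Shorewall releases (older releases accepted a bare `SECTION NEW` line, which is how the docs quote in the thread reads). The commented-out block at the top is the layout Kevin tried first, kept only to show the difference.

```text
# /etc/shorewall/rules -- illustrative example, not the thread author's file
#
# Columns used below:
#ACTION          SOURCE  DEST    PROTO   DPORT

# --- Layout that caused the problem in the thread: rules placed under ALL ---
# ?SECTION ALL
# Ping(ACCEPT)   all     fw
# ACCEPT         all     fw      tcp     1337
# ACCEPT         net     fw      udp     5060
# ACCEPT         net     fw      tcp     5060
# ACCEPT         net     fw      tcp     5061
#
# With the rules here, the net -> fw DROP policy still applied to reply
# packets of tracked connections (ICMP and HTTP in Kevin's report).

# --- Layout adopted in the thread: no ESTABLISHED/RELATED sections at all,
# --- every rule in NEW. Shorewall's own handling of the ESTABLISHED and
# --- RELATED conntrack states (the "implicit established -> allow") then
# --- covers the reply traffic.
?SECTION NEW

# Allow ping to the callserver
Ping(ACCEPT)     all     fw
# Allow SSH to the callserver (non-standard port, as in the thread)
ACCEPT           all     fw      tcp     1337
# Allow SIP traffic to the callserver from the internet
ACCEPT           net     fw      udp     5060
ACCEPT           net     fw      tcp     5060
ACCEPT           net     fw      tcp     5061
```

Two points worth keeping in mind when adopting this layout: first, the warning Justin quotes still holds, so with `FASTACCEPT=Yes` in `shorewall.conf` nothing may be placed in the ALL, ESTABLISHED or RELATED sections (an empty or absent section is fine); second, running `shorewall check` before `shorewall restart` catches section and column mistakes in the rules file without touching the live ruleset.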