Hello,

I want to exclude a complete flow of an incoming Destination NAT from conntrack. (It's a UDP connection, and the flow back to the client is opened for testing, since the destination machine can access the source interface unrestricted.)

Current situation: Shorewall 5.0.15.6 on latest Debian Stretch

Zones:

    fw    firewall
    vpn   ipv4
    net   ipv4
    host  ipv4
    dmz   ipv4
    ins   ipv4

Policy:

    net   all   DROP
    fw    all   ACCEPT
    all   all   REJECT

Interfaces:

    net   eth0
    host  eth1
    dmz   eth2
    ins   eth3
    vpn   tun0

The DNAT and net access rule:

    DNAT    net   dmz:10.10.1.11   udp   dport   -   dip
    ACCEPT  dmz   net

The conntrack entries:

    NOTRACK   eth0   eth2   udp
    NOTRACK   eth2   eth0   udp

The problem is that the conntrack entry appears regardless of the NOTRACK entries when I look with conntrack -L.

What is my mistake? And: is it possible to create a more elegant conntrack entry which is restricted to the destination port and destination and/or Origdest IP?

Thank you in advance!
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
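Added example for the second question (restricting NOTRACK to a port and the original destination); this is an illustration written for this page, not the poster's file or a Shorewall project file. The public address 192.0.2.1 and UDP port 5000 are assumed stand-ins for the "dip" and "dport" placeholders in the DNAT rule above; substitute the real values.

```text
# /etc/shorewall/conntrack  (added example, not the poster's configuration)
# Assumptions: 192.0.2.1 is the address in the DNAT "dip" column,
#              5000 is the UDP port in the DNAT "dport" column.
?FORMAT 1
#ACTION   SOURCE   DEST         PROTO   DPORT   SPORT
# Inbound direction. The raw table PREROUTING chain is traversed before
# nat PREROUTING, so the packet still carries its original (pre-DNAT)
# destination here: match 192.0.2.1, not 10.10.1.11.
NOTRACK   eth0     192.0.2.1    udp     5000
# Reply direction: the DMZ host answers from the service port, so the
# port is matched in the SPORT column, destination left unrestricted.
NOTRACK   eth2     -            udp     -       5000
```

One caveat a practitioner should weigh before using this: netfilter applies NAT only to tracked connections (the nat chains are consulted for the first packet of a tracked connection), so a packet that matches an inbound NOTRACK rule is never DNATed. Excluding the inbound half of a DNAT flow from conntrack therefore defeats the DNAT itself; the port- and address-restricted form above only narrows which traffic is affected, it does not make NOTRACK and DNAT combine on the same flow. The reply-direction rule is the safe half, since it never depends on NAT.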