On 3/14/24 12:46, Uwe B wrote:
> So I'm still puzzled how to get rid of the DROP in the rplog chain and
> if it would even be a good idea to do so.
Well, the mystery is solved. Triggered by the "anti-spoofing"
description for the rpfilter option in /etc/shorewall6/interfaces:
rpfilter
Added in Shorewall 4.5.7. This is an anti-spoofing measure that requires
the 'RPFilter Match' capability in your iptables and kernel. It provides
a more efficient alternative to the sfilter option below. It performs a
function similar to routefilter (see above) but works with Multi-ISP
configurations that do not use balanced routes.
I had this in the interfaces file:
...
net AMS2 detect nosmurfs,tcpflags,rpfilter,forward=1
...
Without the rpfilter, everything works as designed.
Now I only have the issue with the strange logfile location.
Kind regards,
Uwe
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
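
An added illustration (not part of the message above and not Shorewall's own code) of the strict reverse-path test that the iptables rpfilter match performs: a packet passes only if a reply to its source address would leave through the interface the packet arrived on. The routing table, the AMS1 and lan0 interface names and all addresses are constructed for the example; only the AMS2 name comes from the message.

```python
import ipaddress

# Constructed routing table (documentation prefixes): (destination, outgoing interface).
# AMS1 and lan0 are hypothetical names; AMS2 is the interface named in the message.
ROUTES = [
    ("::/0", "AMS1"),              # default route via the first uplink
    ("2001:db8:a::/48", "AMS2"),   # only this prefix is routed back via AMS2
    ("2001:db8:1::/64", "lan0"),   # local network
]

def reply_interface(src, routes=ROUTES):
    """Longest-prefix match: the interface a reply to `src` would leave on."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best[1] if best else None

def rpfilter_verdict(src, in_iface, routes=ROUTES):
    """Strict reverse-path test: accept only if the reply route uses in_iface."""
    return "ACCEPT" if reply_interface(src, routes) == in_iface else "DROP"

if __name__ == "__main__":
    packets = [
        ("2001:db8:a::10", "AMS2"),    # symmetric: reply goes back out AMS2
        ("2001:db8:ffff::5", "AMS2"),  # genuine peer, but the reply would use AMS1
        ("2001:db8:1::99", "AMS2"),    # LAN source address arriving from outside
    ]
    for src, iface in packets:
        print(f"{src:>18} in={iface}: {rpfilter_verdict(src, iface)}")
```

The second packet shows why the test can discard legitimate traffic when the return route for a source does not point at the interface it arrived on, while the third shows the spoofed-source case the option is meant to catch.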