Hi!

How can I mark ACK packets with Shorewall 2.x? (In 1.x I have done it with my own rule in the common file.)

TiA
CU
Christoph Kaminski wrote:
> Hi!
>
> how can I mark ack packets with shorewall 2.x?
> (In 1.x I have done it with own rule in common file)

What command did you have in your common file?

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
> > how can I mark ack packets with shorewall 2.x?
> > (In 1.x I have done it with own rule in common file)
>
> What command did you have in your common file?
>
> -Tom

run_iptables -t mangle -A PREROUTING -i eth0 -p tcp --tcp-flags ACK ACK -m length --length :64 -j MARK --set-mark 11
run_iptables -t mangle -A OUTPUT -o ppp0 -p tcp --tcp-flags ACK ACK -m length --length :64 -j MARK --set-mark 11

Can you tell me how I can build these rules in Shorewall 2?

TiA
Christoph Kaminski wrote:
>>> how can I mark ack packets with shorewall 2.x?
>>> (In 1.x I have done it with own rule in common file)
>>
>> What command did you have in your common file?
>>
>> -Tom
>
> run_iptables -t mangle -A PREROUTING -i eth0 -p tcp --tcp-flags ACK ACK -m
> length --length :64 -j MARK --set-mark 11
>
> run_iptables -t mangle -A OUTPUT -o ppp0 -p tcp --tcp-flags ACK ACK -m length
> --length :64 -j MARK --set-mark 11
>
> can you say me how can I build this rule in shorewall2?

You can put them in /etc/shorewall/start (where they should have been in the first place).

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep wrote:
> Christoph Kaminski wrote:
>
>>>> how can I mark ack packets with shorewall 2.x?
>>>> (In 1.x I have done it with own rule in common file)
>>>
>>> What command did you have in your common file?
>>>
>>> -Tom
>>
>> run_iptables -t mangle -A PREROUTING -i eth0 -p tcp --tcp-flags ACK
>> ACK -m length --length :64 -j MARK --set-mark 11
>>
>> run_iptables -t mangle -A OUTPUT -o ppp0 -p tcp --tcp-flags ACK ACK -m
>> length --length :64 -j MARK --set-mark 11
>>
>> can you say me how can I build this rule in shorewall2?
>
> You can put them in /etc/shorewall/start (where they should have been in
> the first place).

And you probably want to use the -I command rather than the -A command.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep wrote:
>>> run_iptables -t mangle -A PREROUTING -i eth0 -p tcp --tcp-flags ACK
>>> ACK -m length --length :64 -j MARK --set-mark 11
>>>
>>> run_iptables -t mangle -A OUTPUT -o ppp0 -p tcp --tcp-flags ACK ACK
>>> -m length --length :64 -j MARK --set-mark 11
>>>
>>> can you say me how can I build this rule in shorewall2?
>>
>> You can put them in /etc/shorewall/start (where they should have been
>> in the first place).
>
> And you probably want to use the -I command rather than the -A command.

This is the second case where a 1.4 user has rules in /etc/shorewall/common that do not pertain to the 'common' chain. To ease the migration to 2.0.x, I have added an 'initialized' extension script. That script is invoked at the same point where the old 'common' script was.

To use the new script, install 2.0.2 Beta 2 then replace /usr/share/shorewall/firewall with the firewall script from CVS (Shorewall2/ file).

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
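As an added illustration (not from the thread or the Shorewall project) of Tom's advice, here is what an /etc/shorewall/start extension script carrying these two rules could look like, using -I as suggested and assuming the interfaces (eth0, ppp0) and mark value (11) from Christoph's rules; it falls back to printing the commands when run outside Shorewall so the rules can be checked before they are loaded.

```shell
#!/bin/sh
# Hypothetical /etc/shorewall/start extension script (added example).
# Shorewall sources this file after loading its own rules, with the
# run_iptables shell function already defined.
# Assumed values, taken from the thread: LAN eth0, external ppp0, mark 11.

LAN_IF=eth0
EXT_IF=ppp0
ACK_MARK=11

# Emit the iptables arguments for one rule that marks small (<= 64 byte)
# TCP packets with ACK set, i.e. pure acknowledgements.
# $1 = mangle chain (PREROUTING or OUTPUT), $2 = -i or -o, $3 = interface.
# -I inserts at the head of the chain so the mark is set before any rule
# Shorewall itself placed in that chain (Tom's -I over -A remark).
ack_mark_args() {
    echo "-t mangle -I $1 $2 $3 -p tcp --tcp-flags ACK ACK -m length --length :64 -j MARK --set-mark $ACK_MARK"
}

# Apply one rule through run_iptables when sourced by the firewall script;
# when run by hand (run_iptables undefined) just print the command instead,
# which gives a dry run of exactly what would be loaded.
apply_rule() {
    if command -v run_iptables >/dev/null 2>&1; then
        run_iptables $(ack_mark_args "$@")
    else
        echo "iptables $(ack_mark_args "$@")"
    fi
}

# Inbound ACKs arriving on the LAN side, outbound ACKs leaving on the link.
mark_small_acks() {
    apply_rule PREROUTING -i "$LAN_IF"
    apply_rule OUTPUT -o "$EXT_IF"
}

mark_small_acks
```

Running the file directly (sh /etc/shorewall/start) prints the two iptables commands for review; under Shorewall the same lines are passed to run_iptables.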