Hervé Werner
2014-Mar-25 17:46 UTC
Comment not bound to the right rule & accounting zones
Hello.
I discovered something wrong in the comments generated from the rules file:
I had an issue with a piece of software triggering INVALID packets (the gnome-shell
weather extension); I didn't manage to figure out why, so I just
configured Shorewall to DROP them all by adding lines in the INVALID
section of the rules file, and it worked as expected:
?COMMENT Drop invalid packets generated by weather applet
Invalid(DROP) $FW net:98.137.200.255 tcp
Invalid(DROP) net:98.137.200.255 $FW tcp
?COMMENT
But the comment is bound to the rule matching all INVALID packets:
$ sudo shorewall show | grep applet
51 2652 _fw-net all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID /* Drop invalid packets generated by weather applet */
0 0 _net-fw all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID /* Drop invalid packets generated by weather applet */
and there isn't any comment next to the IP 98.137.200.255:
$ sudo shorewall show | grep 98.137.200.255
51 2652 DROP tcp -- * * 0.0.0.0/0 98.137.200.255
0 0 DROP tcp -- * * 98.137.200.255 0.0.0.0/0
When I add a second rule below it in the INVALID section, wrapped in a new
comment, I notice that this second comment is not present.
I think the comment should be bound to the effective DROP rule.
I also played a bit with accounting; unfortunately it is not possible to
specify zones. Is it a technical limitation of iptables?
Hervé
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
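The diagnosis in the post above depends on reading `shorewall show` (iptables `-L -v -n` style) output and checking which rule actually carries the `/* ... */` comment. Below is an added example, written for this page and not code from the poster or from the Shorewall project, that parses that output format and reports (a) every rule tagged with a given comment and (b) every terminating DROP/REJECT/ACCEPT rule that has no comment at all. The sample output is constructed from the lines quoted in the post; the enclosing chain names (`fw-net`, `net-fw`) are an assumption, since the poster's `grep` output does not show chain headers.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches an iptables comment-match annotation such as /* text */
COMMENT_RE = re.compile(r"/\*\s*(.*?)\s*\*/")
# Matches chain headers such as "Chain _fw-net (1 references)"
CHAIN_RE = re.compile(r"^Chain\s+(\S+)")

# Targets that terminate rule evaluation for a packet (the "effective" rule)
TERMINAL_TARGETS = {"DROP", "REJECT", "ACCEPT"}


@dataclass
class Rule:
    chain: str
    pkts: str            # kept as text: iptables prints "51" but also "12K"/"3M"
    bytes: str
    target: str
    proto: str
    src: str
    dst: str
    match: str           # extra match text with the comment removed, e.g. "ctstate INVALID"
    comment: Optional[str]


def parse_iptables_list(text: str) -> List[Rule]:
    """Parse `iptables -L -v -n` / `shorewall show` output into Rule records."""
    rules: List[Rule] = []
    chain = "?"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        if line.startswith("pkts"):      # column header line
            continue
        # Nine fixed columns: pkts bytes target prot opt in out source destination;
        # everything after that is free-form match text (ctstate, comment, ...).
        fields = line.split(None, 9)
        if len(fields) < 9:
            continue
        pkts, byts, target, proto, _opt, _inif, _outif, src, dst = fields[:9]
        extra = fields[9] if len(fields) > 9 else ""
        cm = COMMENT_RE.search(extra)
        comment = cm.group(1) if cm else None
        match = COMMENT_RE.sub("", extra).strip()
        rules.append(Rule(chain, pkts, byts, target, proto, src, dst, match, comment))
    return rules


def rules_with_comment(rules: List[Rule], needle: str) -> List[Rule]:
    """Rules whose comment contains `needle` (case-insensitive)."""
    n = needle.lower()
    return [r for r in rules if r.comment and n in r.comment.lower()]


def uncommented_terminal_rules(rules: List[Rule]) -> List[Rule]:
    """Terminating rules that carry no comment; these are the ones the post expected to be tagged."""
    return [r for r in rules if r.target in TERMINAL_TARGETS and r.comment is None]


# Constructed sample, modelled on the output quoted in the post (chain names assumed).
SAMPLE = """\
Chain fw-net (1 references)
 pkts bytes target     prot opt in     out     source               destination
   51  2652 _fw-net    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* Drop invalid packets generated by weather applet */

Chain _fw-net (1 references)
 pkts bytes target     prot opt in     out     source               destination
   51  2652 DROP       tcp  --  *      *       0.0.0.0/0            98.137.200.255

Chain net-fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 _net-fw    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* Drop invalid packets generated by weather applet */

Chain _net-fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       98.137.200.255       0.0.0.0/0
"""

if __name__ == "__main__":
    parsed = parse_iptables_list(SAMPLE)
    for r in rules_with_comment(parsed, "weather applet"):
        print(f"comment on {r.chain}: -> {r.target} ({r.match})")
    for r in uncommented_terminal_rules(parsed):
        print(f"no comment on {r.chain}: {r.target} {r.proto} {r.src} -> {r.dst}")
```

Run it against live output with `sudo shorewall show | python3 -c 'import sys; ...'` or by replacing `SAMPLE` with `sys.stdin.read()`; the two report lists show at a glance that the comment sits on the `ctstate INVALID` jump rules while the per-address DROP rules carry none.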