Re: [Fwbuilder-discussion] Shadowing problem
From: Vadim K. <va...@vk...> - 2004-11-23 18:14:02
On Nov 23, 2004, at 8:00 AM, Brian M. Diehl wrote:
> Hey all,
>
> I just installed build 464 on XPSP1, I had to upgrade my rules from a
> previous version [build 409]. When I try to compile, it now complains
> that iptables): Rule '1(global)' shades rule '31(global)' below it.
> However Rule1 is:
>
> Src: Any
> Dest: Any
> Svc: ip_frag
> Act: Deny
>
> Rule 31 is:
> Src: Net-192.168.0.0/16
> Dst: Any
> Svc: Global outbound services group [user]
> (Which contains: Citrix-ICA, Rsync, winterm, http/s, ftp/data,
> pptp, port 8100 & 9200)
> Act: Accept
>
> Why do they shade?

I made the compiler recognize an IP service object with protocol "0", since such a service should shade any other service. Apparently there is insufficient checking for IP options, so the compiler erroneously detects shading between ip_frag and pptp.

--vk
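The shading check described in the reply above, as an added example that is not part of the original message and is not fwbuilder's code: a simplified model in which a protocol-0 IP service is treated as a wildcard, once without and once with a comparison of IP options. The class and function names, the `any_ip` object, and the representation of pptp as an IP service with protocol 47 (GRE) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class IPService:
    name: str
    proto: int                        # IP protocol number, 0 = any protocol
    options: frozenset = frozenset()  # extra header conditions, e.g. {"fragment"}

@dataclass(frozen=True)
class Rule:
    num: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    services: tuple
    action: str

def covers_naive(upper, lower):
    """Protocol 0 is a pure wildcard; IP options are not compared."""
    return upper.proto == 0 or upper.proto == lower.proto

def covers_checked(upper, lower):
    """Upper covers lower only if lower also requires every option upper requires."""
    return upper.options <= lower.options and covers_naive(upper, lower)

def shaded_services(upper, lower, covers):
    """Names of services in `lower` that `upper` would always match first."""
    if not (lower.src.subnet_of(upper.src) and lower.dst.subnet_of(upper.dst)):
        return []
    return [l.name for l in lower.services
            if any(covers(u, l) for u in upper.services)]

# Constructed objects modelled on the two rules quoted in the thread.
ip_frag = IPService("ip_frag", 0, frozenset({"fragment"}))
any_ip = IPService("any_ip", 0)   # hypothetical: protocol 0 with no options
pptp = IPService("pptp", 47)      # assumption: pptp modelled as GRE (protocol 47)
lan = ipaddress.ip_network("192.168.0.0/16")

rule1 = Rule(1, ANY, ANY, (ip_frag,), "Deny")
rule31 = Rule(31, lan, ANY, (pptp,), "Accept")
rule1_any = Rule(1, ANY, ANY, (any_ip,), "Deny")

if __name__ == "__main__":
    print("options ignored: ", shaded_services(rule1, rule31, covers_naive))
    print("options compared:", shaded_services(rule1, rule31, covers_checked))
    print("true any-IP rule:", shaded_services(rule1_any, rule31, covers_checked))
```

With options compared, a fragment-only deny no longer shades the pptp accept, while a protocol-0 service with no options still shades it.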