From: Andrew S. <asu...@su...> - 2008-03-26 19:13:27

On Wed, Mar 26, 2008 at 11:22:53AM -0700, Tom Eastep wrote:
> Example:
>
> net->dmz policy of "REJECT info"
>
> Rules:
>
> REJECT:info all all udp 1024
> ACCEPT net:1.2.3.4 fw
>
> In that case, net->fw UDP 1024 would still be allowed from 1.2.3.4
> because the REJECT rule duplicates the policy of net->fw so would not be
> included in the net2fw chain. Changing the REJECT:info to REJECT!:info
> does what the rules intend.

Isn't that a bug? Shorewall should never discard a rule like that if it has parameters other than just "all all".