Re: [Shorewall-users] SECMARK and CONNSECMARK support in Shorewall

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

> The 'to' option does not work from the firewall itself. As stated in the
> release notes where the feature was introduced, the blacklist is still
> applied on packets arriving on 'blacklist' interfaces.
>   
In other words this new blacklist format does not stop packets FROM my 
interface (even if the 'blacklist' option is used) to "blacklisted" 
addresses, is that right? If so, then I need to restore my old DROP 
statements I've had in the rules file and remove half of the statements 
currently in my blacklist file.