From 65a4fe1d1bc72290033c7752417f541a7b3ec429 Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 5 May 2004 23:31:11 +0000
Subject: [PATCH] Tweak NONAT/ACCEPT+ action implementation
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1310 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall2/firewall | 33 +++++++++++++++------------------
 Shorewall2/interfaces | 12 +++++++++++-
 2 files changed, 26 insertions(+), 19 deletions(-)
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index bb6675251..80ee26444 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -3224,15 +3224,14 @@ add_a_rule()
         fi
         case $logtarget in
-            NONAT)
+            NONAT|ACCEPT+)
                 addnatrule $(dnat_chain $source) $proto $multiport \
                     $cli $sports -d $srv $dports $ratelimit $userandgroup -j RETURN
                 ;;
-            ACCEPT+)
-                addnatrule $(dnat_chain $source) $proto $multiport \
-                    $cli $sports -d $srv $dports $ratelimit $userandgroup -j RETURN
-                run_iptables2 -A $chain $proto $multiport $cli $sports \
-                    -d $srv $dports $ratelimit $userandgroup -j $target
+        esac
+
+        case $logtarget in
+            NONAT)
                 ;;
             *)
                 run_iptables2 -A $chain $proto $multiport $cli $sports \
@@ -3249,15 +3249,14 @@ add_a_rule()
         fi
         case $logtarget in
-            NONAT)
+            NONAT|ACCEPT+)
                 addnatrule $(dnat_chain $source) $proto $multiport \
                     $cli $sports $dports $ratelimit $userandgroup -j RETURN
                 ;;
-            ACCEPT+)
-                addnatrule $(dnat_chain $source) $proto $multiport \
-                    $cli $sports $dports $ratelimit $userandgroup -j RETURN
-                run_iptables2 -A $chain $proto $multiport $cli $sports \
-                    $dports $ratelimit $userandgroup -j $target
+        esac
+
+        case $logtarget in
+            NONAT)
                 ;;
             *)
                 run_iptables2 -A $chain $proto $multiport $cli $sports \
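Review bot: The merged `NONAT|ACCEPT+)` arm silently depends on the nat-table RETURN being evaluated before any DNAT rule for the same traffic, and nothing in the hunk records that contract. addnatrule is defined outside the hunk, but if it appends the way `run_iptables2 -A` does on the filter side, a NONAT or ACCEPT+ rule listed after a DNAT rule that matches the same client/server/port set will not exempt that traffic from NAT, which is exactly the case a reader of this code will assume it covers. If first-match-wins in the rules file is the intended precedence, say so above the first case: `# NONAT/ACCEPT+: exempt from DNAT via a RETURN in the nat chain; rule order in the rules file decides which wins`. The two case statements sit inside add_a_rule(), which starts and ends outside the hunk.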
@@ -3284,15 +3282,14 @@ add_a_rule()
         case $logtarget in
             LOG)
                 ;;
-            NONAT)
+            NONAT|ACCEPT+)
                 addnatrule $(dnat_chain $source) $proto $multiport \
                     $cli $sports $dports $ratelimit $userandgroup -j RETURN
                 ;;
-            ACCEPT+)
-                addnatrule $(dnat_chain $source) $proto $multiport \
-                    $cli $sports $dports $ratelimit $userandgroup -j RETURN
-                run_iptables2 -A $chain $proto $multiport $dest_interface \
-                    $cli $sports $dports $ratelimit $userandgroup -j $target
+        esac
+
+        case $logtarget in
+            LOG|NONAT)
                 ;;
             *)
                 run_iptables2 -A $chain $proto $multiport $dest_interface \
diff --git a/Shorewall2/interfaces b/Shorewall2/interfaces
index 9a9642362..64c02ee22 100644
--- a/Shorewall2/interfaces
+++ b/Shorewall2/interfaces
@@ -115,11 +115,21 @@
 #                   established connection will be accepted
 #                   from this interface, even if
 #                   NEWNOTSYN=No has been specified in
-#                   /etc/shorewall/shorewall.conf.
+#                   /etc/shorewall/shorewall.conf. In other
+#                   words, packets coming in on this interface
+#                   are processed as if NEWNOTSYN=Yes had been
+#                   specified in /etc/shorewall/shorewall.conf.
 #
 #                   This option has no effect if
 #                   NEWNOTSYN=Yes.
 #
+#                   It is the opinion of the author that
+#                   NEWNOTSYN=No creates more problems than
+#                   it solves and I recommend against using
+#                   that setting in shorewall.conf (hence
+#                   making the use of the 'newnotsyn'
+#                   interface option unnecessary).
+#
 #                   routeback - If specified, indicates that Shorewall
 #                   should include rules that allow filtering
 #                   traffic arriving on this interface back
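Review bot: This is the third hand-maintained copy of the same two-case split in add_a_rule(), and the copies already differ in more than their match arguments: the second case excludes `LOG|NONAT)` here but only `NONAT)` in the two earlier copies, with no comment saying why. That asymmetry is presumably because LOG is dispatched before this point on the other two paths, but the hunk does not show it, and three near-identical blocks are how the nat-table RETURN and the filter rule drift apart the next time an action is added. At minimum document the exclusion, e.g. `# LOG must not emit a filter rule on this path; the other paths return for LOG earlier`, and consider folding the three copies into one helper that takes the extra match arguments (`-d $srv`, `$dest_interface`) as parameters. add_a_rule() starts and ends outside the hunk.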
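Review bot: The added recommendation against NEWNOTSYN=No states an opinion without naming what is traded away, which matters for a setting that controls stateful inspection. From the surrounding context, NEWNOTSYN=No is presumably the mode under which TCP packets that are not part of an established connection are dropped unless they carry SYN, so recommending NEWNOTSYN=Yes means mid-stream non-SYN packets can open a NEW conntrack entry and are then judged by the rules file alone. One caveat sentence next to the opinion would let an administrator weigh that, e.g. `#   (NEWNOTSYN=Yes accepts non-SYN packets as new connections; rely on your rules rather than SYN checking to reject them.)`.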