[Shorewall-users] Getting Confused - to "reject" or "REJECT"?

Tuomo Soini tis at foobar.fi
Thu Jun 12 00:22:06 PDT 2003


Tom Eastep wrote:

> The offending code is in ipt_REJECT.c and appears to be intentional. The
> net result of the change is that "REJECT --reject-with tcp-reset" will
> only work from the INPUT chain and not from the FORWARD or OUTPUT chains
> (although it does work in OUTPUT for the loopback case).

Funny. This style of system won't work any more:

http://www.lowth.com/cutter/

> I'm currently running some Shorewall code here that creates two
> rejection chains: reject and rejecti. The former is used in rules that
> might get invoked from the FORWARD or OUTPUT chains while the latter is
> used in cases that are known to be associated with the INPUT chain.

Does that work? Or was it that REJECT --with tcp-reset didn't work on the 
reject chain because there were references to it (reject) from chains other 
than INPUT?

> This code should work ok regardless of the final resolution of the
> bug/feature and is available from the Shorewall/ project in CVS.

I could check that out.

-- 
Tuomo Soini <tis at foobar.fi>
Linux and network services
Foobar Oy <http://foobar.fi/>
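As an added example (not Shorewall's own code and not from either poster), here is a small POSIX sh script illustrating the two-chain workaround Tom describes above: a "reject" chain, safe to reference from FORWARD or OUTPUT, that never uses tcp-reset, and a "rejecti" chain, referenced only from INPUT, that does. The script prints the iptables commands rather than running them, so it can be read or checked on any machine; the specific ICMP reject types chosen for the non-TCP-reset cases are assumed, as is the idea of piping the output to sh on the firewall.

```shell
#!/bin/sh
# Added example, not Shorewall code. Emits iptables commands for two rejection
# chains, following the constraint discussed in the thread: on the kernel in
# question, REJECT --reject-with tcp-reset only takes effect from INPUT, so
# the chain that FORWARD/OUTPUT rules jump to must not rely on it.
#   reject  - used from FORWARD/OUTPUT (and INPUT); no tcp-reset
#   rejecti - used only from INPUT; TCP gets a real RST
# Reject types other than tcp-reset are assumed choices, not Shorewall's.

gen_reject_chains() {
    cat <<'EOF'
iptables -N reject
iptables -A reject -p tcp -j REJECT --reject-with icmp-port-unreachable
iptables -A reject -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A reject -j REJECT --reject-with icmp-host-prohibited
iptables -N rejecti
iptables -A rejecti -p tcp -j REJECT --reject-with tcp-reset
iptables -A rejecti -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A rejecti -j REJECT --reject-with icmp-host-prohibited
EOF
}

# Given the built-in chain a rule lives in, name the rejection chain it may
# jump to. Only INPUT gets the tcp-reset variant; anything else is an error.
reject_target_for() {
    case "$1" in
        INPUT) echo rejecti ;;
        FORWARD|OUTPUT) echo reject ;;
        *) echo "reject_target_for: unsupported chain '$1'" >&2; return 1 ;;
    esac
}

# Sanity check on the generated rule set: the chain shared with FORWARD and
# OUTPUT must contain no tcp-reset rule. Returns 0 when the constraint holds.
check_no_tcp_reset_in_shared_chain() {
    ! gen_reject_chains | grep '^iptables -A reject ' | grep -q 'tcp-reset'
}

# Stand-alone usage (assumed): review the output, then pipe it to sh on the
# firewall host to load the chains.
gen_reject_chains
check_no_tcp_reset_in_shared_chain || echo "constraint violated" >&2
```

The check function is the part worth keeping around: whichever tool generates the rule set, a grep over the emitted rules for tcp-reset in a chain reachable from FORWARD or OUTPUT catches the exact mistake the thread is about before the rules are loaded.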