routing problem - fork on gateways

Jeremy Fowler JFowler at westrope.com
Wed Sep 7 11:58:25 CDT 2005


> Ummm... no. Wrong on both accounts.
> See Jeremy's post about source-routing for one method.
> The firewall rules are never bypassed, that's why you need
> rules to specifically allow "established"
> connections. It is also why when writing your rules you want
> to put those rules near the top so that established
> connections don't have to run the entire gamut of the ruleset
> to get an up/down vote on whether to accept. Now maybe some
> firewalls resort the rules to get this behavior, but I
> haven't seen this with any Linux software firewalls.

Actually, I think what David is thinking about is the PREROUTING chain
in the Linux Netfilter nat table. It only checks the first packet of
each stream.

<rant>
Let's leave the "Ummm... No" out from now on. We're all learning here. I
know it may sound stupid, but I find it rude. I went off on some guy
last week about it - which I do feel bad about. I got a little out of
line on one of my replies. Anyway, let's try and keep the respect for one
another going here. Feel free to correct people, myself included, but
let's try to keep it polite.
</rant>
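The two behaviours discussed above, side by side: a nat PREROUTING rule that conntrack evaluates only for the first packet of a stream, and a filter chain with the established/related rule placed at the top. This is an added example written for this page, not code from the thread; the interface name and server address are placeholders.

```shell
# Added example (not from the thread). Assumes a gateway whose external
# interface is eth0 and an internal web server at 192.168.1.10 (placeholders).
# Rules are emitted by a function so they can be reviewed before being piped
# to sh on a real gateway.
EXT_IF=eth0
WEB_SERVER=192.168.1.10

gateway_rules() {
    # nat table: the PREROUTING chain is consulted only for the first packet
    # of each stream. The DNAT decision is stored in the conntrack entry and
    # applied to later packets of that stream without re-walking this chain.
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER:80"

    # filter table: every packet of every stream passes through here, so the
    # established/related rule goes first; the bulk of traffic then gets its
    # verdict from one rule instead of the whole chain.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Only the first packet of a new stream gets this far. It is matched on
    # the post-DNAT address, because nat PREROUTING runs before filter FORWARD.
    echo "iptables -A FORWARD -i $EXT_IF -p tcp -d $WEB_SERVER --dport 80 -m state --state NEW -j ACCEPT"
    echo "iptables -A FORWARD -i $EXT_IF -m state --state NEW -j DROP"
}

# Sanity check: 1-based position of the ESTABLISHED,RELATED rule among the
# filter-table rules (policy and nat lines excluded). "1" means the fast
# path sits at the top of the chain as the reply recommends.
established_rule_position() {
    gateway_rules | grep -v -- '-t nat' | grep -v -- '-P ' \
        | grep -n 'ESTABLISHED' | head -n 1 | cut -d: -f1
}

# On a real gateway, as root:  gateway_rules | sh
```

Run `gateway_rules` alone to print the ruleset for review; `established_rule_position` should print 1 before you apply it.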