Re: [PATCH 0/3][RFC] Relationship between conntrack and firewall rules

On 21/01/11 12:13, Richard Weinberger wrote:
> Am Freitag 21 Januar 2011, 11:00:48 schrieb Pablo Neira Ayuso:
>> On 21/01/11 00:02, Richard Weinberger wrote:
>>> Am Donnerstag 20 Januar 2011, 23:52:25 schrieb Jan Engelhardt:
>>>> On Thursday 2011-01-20 23:47, Richard Weinberger wrote:
>>>>> Hi,
>>>>>
>>>>> as a firewall admin I would like to see which rules allow
>>>>> the connections through my firewall.
>>>>> A relationship between conntrack and firewall rules would be nice.
>>>>> The next five patches bring this feature to the Linux Netfilter.
>>>>>
>>>>> First a small example.
>>>>> Consider this iptables rules:
>>>>> -A INPUT -m state --state ESTABLISHED,RELATED -j APPROVE --rule-id 1
>>>>> -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j APPROVE --rule-id 2
>>>>> -A INPUT -p tcp --dport 22 -m state --state NEW -j APPROVE --rule-id 3
>>>>> -A INPUT -p icmp -m state --state NEW -j APPROVE --rule-id 4
>>>>>
>>>>> The APPROVE target is the same as ACCEPT but it stores also a rule id
>>>>> into the connection tracking entry.
>>>>
>>>> What about connmark? You could have used that. Perhaps combined with the
>>>> use of -j TRACE that can show which rules were processed before a
>>>> verdict was issued.
>>>
>>> Yeah, I know connmark and TRACE but they are quite clumsy to use for such
>>> a purpose.
>>
>> Why are they clumsy for this purpose?
> 
> Because I would need more than one iptables command to model a firewall rule.
> Or can you show me a simple iptables configuration using connmark which 
> achieves the same as my APPROVE example above?

Just a couple of extra rules to restore and save the connmark. Right?
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
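The connmark variant that the reply above alludes to, written out as an added example (this is not code from the thread, from the APPROVE patches, or from the netfilter tree). Each allow rule jumps to a small user chain that stores the rule id in the conntrack mark with the CONNMARK target and then ACCEPTs, which is the "couple of extra rules" per firewall rule. The chain names APPROVE1..APPROVE4, the helper names approve_ruleset and conntrack_rule_ids, and the conntrack -L sample lines are all assumptions made for this example; it also assumes nf_conntrack with mark support, that CONNMARK is accepted in the filter table (true on current kernels; otherwise the APPROVE chains belong in mangle), and that no other connmark user such as policy routing already owns the values 1..4.

```shell
#!/bin/sh
# Added example: emulating "-j APPROVE --rule-id N" with stock iptables.
# Every allow rule jumps to a tiny user chain that records the rule id in
# the conntrack mark (CONNMARK) and then ACCEPTs. Because the mark lives in
# the conntrack entry, `conntrack -L` reports it as mark=N for the lifetime
# of the connection.
#
# Assumptions (not from the thread): nf_conntrack built with mark support,
# CONNMARK allowed in the filter table, default-drop policies, and mark
# values 1..4 not used by anything else (policy routing, tc, ...).

# Emit the ruleset in iptables-restore format.
# Usage:  approve_ruleset | iptables-restore
approve_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:APPROVE1 - [0:0]
:APPROVE2 - [0:0]
:APPROVE3 - [0:0]
:APPROVE4 - [0:0]
# One APPROVE chain per rule id. The "-m connmark --mark 0" guard sets the
# mark only when none is stored yet, so the ESTABLISHED rule never overwrites
# the id of the rule that let the NEW packet through.
-A APPROVE1 -m connmark --mark 0 -j CONNMARK --set-mark 1
-A APPROVE1 -j ACCEPT
-A APPROVE2 -m connmark --mark 0 -j CONNMARK --set-mark 2
-A APPROVE2 -j ACCEPT
-A APPROVE3 -m connmark --mark 0 -j CONNMARK --set-mark 3
-A APPROVE3 -j ACCEPT
-A APPROVE4 -m connmark --mark 0 -j CONNMARK --set-mark 4
-A APPROVE4 -j ACCEPT
# The four rules from the example, "-j APPROVE --rule-id N" becoming "-j APPROVEN".
-A INPUT -m state --state ESTABLISHED,RELATED -j APPROVE1
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j APPROVE2
-A INPUT -p tcp --dport 22 -m state --state NEW -j APPROVE3
-A INPUT -p icmp -m state --state NEW -j APPROVE4
COMMIT
EOF
}

# Reverse lookup: read `conntrack -L` output on stdin and print, per entry,
# the original direction's proto/src/dst/dport plus the rule id stored in the
# mark ("none" when the entry carries no mark, e.g. it predates the ruleset).
# Usage:  conntrack -L | conntrack_rule_ids
conntrack_rule_ids() {
    awk '{
        proto = $1; src = ""; dst = ""; dport = "-"; mark = "0"
        for (i = 2; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n != 2) continue
            # src/dst/dport occur twice (original and reply tuple);
            # the first occurrence is the original direction, keep that one
            if (kv[1] == "src" && src == "") src = kv[2]
            else if (kv[1] == "dst" && dst == "") dst = kv[2]
            else if (kv[1] == "dport" && dport == "-") dport = kv[2]
            else if (kv[1] == "mark") mark = kv[2]
        }
        printf "%s %s -> %s:%s rule=%s\n", proto, src, dst, dport, (mark == "0" ? "none" : mark)
    }'
}

# Constructed sample of conntrack -L output (not captured from a real host):
# an inbound ssh session, an inbound ping, an outbound https session, and a
# DNS flow that was confirmed before the ruleset was loaded (no mark).
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=192.0.2.1 sport=51234 dport=22 src=192.0.2.1 dst=192.0.2.10 sport=22 dport=51234 [ASSURED] mark=3 use=1
icmp     1 29 src=192.0.2.10 dst=192.0.2.1 type=8 code=0 id=7 src=192.0.2.1 dst=192.0.2.10 type=0 code=0 id=7 mark=4 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.1 dst=198.51.100.5 sport=40000 dport=443 src=198.51.100.5 dst=192.0.2.1 sport=443 dport=40000 [ASSURED] mark=2 use=1
udp      17 29 src=192.0.2.1 dst=192.0.2.53 sport=4242 dport=53 src=192.0.2.53 dst=192.0.2.1 sport=53 dport=4242 mark=0 use=1'

# Demo on the constructed sample; on a live host replace the printf with `conntrack -L`.
printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_rule_ids
```

Two practical notes. The `--mark 0` guard is what makes the mark answer "which rule allowed this connection" rather than "which rule matched the most recent packet"; without it the ESTABLISHED,RELATED rule in INPUT would overwrite the id on every reply. And the conntrack mark is a single 32-bit field shared with every other connmark user on the box, so on a host that already marks connections for routing or shaping, reserve a byte for the rule id and set and match it with a mask (`--set-xmark value/mask`, `-m connmark --mark value/mask`) instead of the whole mark as done here.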