[Shorewall-users] Excluding clients from rules

Tom Eastep teastep@shorewall.net
Wed, 16 Jan 2002 15:03:25 -0800

On Wednesday 16 January 2002 02:40 pm, Markus Bossert wrote:
> Why can't he just put a REJECT or a DROP rule (or for surrounding squid
> another ACCEPT rule) above his ACCEPT rule for http ports since rules a=
> processed until the first fitting is found, afaik?

In each Netfilter table, rules are processed in the order found. Port=20
redirection and port forwarding rules and a rule to both Netfilter's nat=20
table in in its filter table. The rule added to the nat table is being=20
executed before ANY rule in the filter table.

I'm working on a fix for this general problem so have faith....

Tom Eastep    \ A Firewall for Linux 2.4.*
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net