[Shorewall-users] Excluding clients from rules

Tom Eastep teastep@shorewall.net
Wed, 16 Jan 2002 15:04:48 -0800


On Wednesday 16 January 2002 03:03 pm, Tom Eastep wrote:
> On Wednesday 16 January 2002 02:40 pm, Markus Bossert wrote:
> > Why can't he just put a REJECT or a DROP rule (or for surrounding squid
> > another ACCEPT rule) above his ACCEPT rule for http ports since rules are
> > processed until the first fitting is found, afaik?
>
> In each Netfilter table, rules are processed in the order found. Port
> redirection and port forwarding rules and a rule to both Netfilter's nat

make that "...add a rule to both..."

> table and in its filter table. The rule added to the nat table is being
> executed before ANY rule in the filter table.
>
> I'm working on a fix for this general problem so have faith....
>
> -Tom

-- 
Tom Eastep    \ A Firewall for Linux 2.4.*
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
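The ordering point Tom makes above, shown in raw iptables terms as an added example (this is not Shorewall configuration and not code from the thread; the interface, client address and Squid port are assumed): the nat-table PREROUTING chain is traversed before any filter-table chain, so a client can only be exempted from a REDIRECT by an earlier rule in the nat table, never by a DROP/REJECT placed above the ACCEPT in the filter table. The script emits the rules rather than applying them unless run as root with APPLY=1.

```shell
#!/bin/sh
# Added example, not part of the original thread. Values below are assumptions.
LAN_IF=eth1              # assumed internal interface
SQUID_PORT=3128          # assumed Squid listening port
EXCLUDED=192.168.1.10    # assumed client that must bypass the transparent proxy

# Correct placement: the exception is a nat PREROUTING rule that sits ahead of
# the REDIRECT. Traversal order for a forwarded packet is nat PREROUTING first,
# then routing, then filter FORWARD (or filter INPUT once REDIRECT has turned
# the packet into a locally delivered one), so only a rule in nat PREROUTING
# can stop the redirect from happening at all.
transparent_proxy_rules() {
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -i $LAN_IF -s $EXCLUDED -p tcp --dport 80 -j RETURN" \
      "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT" \
      "iptables -A FORWARD -i $LAN_IF -p tcp --dport 80 -j ACCEPT"
}

# The placement Markus suggested, listed only to show why it does not work:
# by the time the filter table sees a packet from EXCLUDED, the nat REDIRECT
# has already rewritten its destination to SQUID_PORT and it is going to
# INPUT, not FORWARD, so a FORWARD rule matching --dport 80 never fires.
filter_only_exclusion() {
    printf '%s\n' \
      "iptables -I FORWARD -i $LAN_IF -s $EXCLUDED -p tcp --dport 80 -j REJECT"
}

# 1-based position of the first emitted rule matching a pattern; used to
# check that the exception precedes the REDIRECT.
rule_index() {
    transparent_proxy_rules | grep -n -- "$1" | head -n1 | cut -d: -f1
}

if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    transparent_proxy_rules | while read -r cmd; do eval "$cmd"; done
else
    transparent_proxy_rules
fi
```

Run it as a normal user to review the rule order; the RETURN for the excluded client must appear before the REDIRECT, since within a chain rules are matched in order and RETURN ends traversal of PREROUTING for that packet.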