On Tue, 18 Apr 2006 13:09:05 -0500, cdillon at wolves dot k12 dot mo dot us wrote:

> Looking through status.php at the generated ipfilter ruleset, I see that the anti-spoof rules come before the user rules. Is there any particular reason for that? It would be nice if they came after the user rules, since the user would be allowed to create his own rules to allow other subnets to be routed through that interface. In absence of those rules the default would still be to deny spoofs. If that isn't possible, maybe an option to disable the anti-spoof rules entirely.
>
> I'm not even sure the anti-spoof rules are necessary under normal circumstances. As long as the user creates rules with "INTERFACE subnet" as the source (maybe make this the default source for new rules?) instead of "any", then spoofed packets would be dropped by the default deny rule.

Can I add a 'Me too'?

I am getting hit by this, causing my logs to be filled with entries from my Samba server, giving lots of entries like this (slightly edited):

LAN 169.254.185.120, port 138 169.254.255.255, port 138 UDP

The only machine on my LAN has address 192.168.1.1, but the Samba server that runs on it appears to be using a different IP address as well. The first rule in my LAN chain is to drop all traffic from this address and not log it. But of course the fixed rule runs first and logs it!

Could we at least have *all* the rules displayed on the firewall pages, even those we cannot edit? Similar to the way the block private networks option works, so we don't have to dive into the status.php page to work out why things are not working as expected.

best regards
Dave

-- 
http://www.morgad.no-ip.info/index.html gpg:0x64B5E037
Distributed Proofreaders: http://www.pgdp.net
The NTP server pool http://www.pool.ntp.org
http://stellar-attraction.com/
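The ordering problem both posters describe, shown with a small first-match rule evaluator (added example, not code from the thread or from m0n0wall; the interface name `sis0`, the rule format and the addresses are assumptions, and it assumes first-match evaluation, which is what `quick` rules give in ipfilter):

```python
import ipaddress

# Constructed ruleset modelled on the thread: a fixed anti-spoof rule plus the
# user's own LAN rules. Rule layout and addresses are illustrative assumptions.
LAN_IF = "sis0"
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")

def rule(action, iface, src, log, label):
    # src is a network, or the sentinel "not-lan" meaning "any source outside LAN_SUBNET"
    return {"action": action, "iface": iface, "src": src, "log": log, "label": label}

ANTISPOOF = rule("block", LAN_IF, "not-lan", True, "antispoof")          # fixed, logged
USER_DROP = rule("block", LAN_IF, ipaddress.ip_network("169.254.0.0/16"),
                 False, "user: drop link-local, no log")                  # Dave's first rule
USER_PASS = rule("pass", LAN_IF, LAN_SUBNET, False, "user: allow LAN")    # "INTERFACE subnet" source

def matches(r, iface, src_ip):
    if r["iface"] != iface:
        return False
    if r["src"] == "not-lan":
        return src_ip not in LAN_SUBNET
    return src_ip in r["src"]

def evaluate(ruleset, iface, src):
    """First-match (quick) evaluation: returns (action, logged, label).
    Anything that matches nothing falls to the logged default deny."""
    src_ip = ipaddress.ip_address(src)
    for r in ruleset:
        if matches(r, iface, src_ip):
            return r["action"], r["log"], r["label"]
    return "block", True, "default deny"

# Order as observed in status.php: the fixed anti-spoof rule runs first.
CURRENT_ORDER = [ANTISPOOF, USER_DROP, USER_PASS]
# Order the thread asks for: user rules first, anti-spoof only as a fallback.
REQUESTED_ORDER = [USER_DROP, USER_PASS, ANTISPOOF]
# Anti-spoof removed entirely: spoofs still die on the default deny.
NO_ANTISPOOF = [USER_DROP, USER_PASS]

if __name__ == "__main__":
    for name, rs in (("current", CURRENT_ORDER), ("requested", REQUESTED_ORDER), ("none", NO_ANTISPOOF)):
        for src in ("169.254.185.120", "192.168.1.1", "10.0.0.5"):
            print(name, src, evaluate(rs, LAN_IF, src))
```

With the current order the Samba broadcast from 169.254.185.120 is logged by the anti-spoof rule before the user's silent drop is ever consulted; with the requested order it is dropped silently, and a genuinely spoofed source such as 10.0.0.5 is still blocked either by the anti-spoof fallback or by the default deny.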