On Tue, 18 Apr 2006 13:09:05 -0500, cdillon at wolves dot k12 dot mo dot us wrote:
>Looking through status.php at the generated ipfilter ruleset, I see
>that the anti-spoof rules come before the user rules, is there any
>particular reason for that? It would be nice if they came after the
>user rules since the user would be
>allowed to create his own rules to allow other subnets to be routed
>through that interface. In absence of those rules the default would
>still be to deny spoofs. If that isn't possible, maybe an option to
>disable the anti-spoof rules entirely.
>I'm not even sure the anti-spoof rules are necessary under normal
>circumstances, as long as the user creates rules with "INTERFACE
>subnet" as the source (maybe make this the default source for new
>of "any" then spoofed packets would be dropped by the default deny
Can I add a 'Me too'?
I am getting hit by this causing my logs to be filled with entries from
my Samba server giving lots of entries like this (slightly edited) -
LAN 169.254.185.120, port 138 169.254.255.255, port 138 UDP
The only machine on my LAN has address 192.168.1.1, but the Samba server
that runs on it appears to be using a different IP address as well.
The first rule in my LAN chain is to drop all traffic from this address
and not log it. But of course the fixed rule runs first and logs it!
Could we at least have *all* the rules displayed on the firewall pages,
even those we cannot edit? Similar to the way the block private networks
option works, so we don't have to dive into the status.php page to work out
why things are not working as expected.
Distributed Proofreaders: http://www.pgdp.net
The NTP server pool http://www.pool.ntp.org
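The ordering problem both posters describe can be shown with a small first-match simulation. This is an added example, not m0n0wall's or ipfilter's code: it models a LAN subnet of 192.168.1.0/24 (matching the poster's address), one generated anti-spoof rule that blocks and logs any LAN-side source outside that subnet, and a hypothetical set of user rules, including a quiet drop for 169.254.0.0/16 and a pass for a routed 10.20.0.0/16 subnet. The sample source addresses are constructed. It compares the generated order (anti-spoof first) with the requested order (user rules first, anti-spoof last as a backstop) to show which packets still get logged and which routed subnet gets cut off.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "pass" or "block"
    src: IPv4Network       # source network the rule tests against
    negate: bool = False   # True: match when the source is NOT in src (anti-spoof style)
    log: bool = True

    def matches(self, ip: IPv4Address) -> bool:
        inside = ip in self.src
        return (not inside) if self.negate else inside


def evaluate(ruleset: List[Rule], src_ip: str) -> Tuple[str, bool, str]:
    """First-match evaluation: return (action, logged, rule_name).

    Packets matching no rule fall through to a logged default deny, which is
    the behaviour the thread relies on when it says spoofs would still be
    dropped without a dedicated anti-spoof rule.
    """
    ip = IPv4Address(src_ip)
    for rule in ruleset:
        if rule.matches(ip):
            return rule.action, rule.log, rule.name
    return "block", True, "default-deny"


# Constructed to match the poster's LAN (192.168.1.1 is the only host).
LAN_SUBNET = IPv4Network("192.168.1.0/24")

# Fixed rule the firewall generates: block and log LAN traffic whose source
# address is outside the LAN subnet. The user cannot edit or reorder it.
ANTISPOOF = Rule("antispoof-lan", "block", LAN_SUBNET, negate=True, log=True)

# Hypothetical user rules, in the order the user wrote them.
USER_RULES = [
    # The poster's first LAN rule: drop the APIPA chatter from Samba without logging it.
    Rule("user-drop-apipa-quiet", "block", IPv4Network("169.254.0.0/16"), log=False),
    # A subnet the user routes through the LAN interface and wants to allow.
    Rule("user-pass-routed-subnet", "pass", IPv4Network("10.20.0.0/16"), log=False),
    Rule("user-pass-lan", "pass", LAN_SUBNET, log=False),
]


def generated_order() -> List[Rule]:
    """Order the thread describes: anti-spoof rule first, then user rules."""
    return [ANTISPOOF] + USER_RULES


def proposed_order() -> List[Rule]:
    """Order the poster asks for: user rules first, anti-spoof last as a backstop."""
    return USER_RULES + [ANTISPOOF]


# Constructed sample sources seen on the LAN interface:
# APIPA broadcast from Samba, a host on the routed subnet, a genuinely
# spoofed address, and the real LAN host.
SAMPLE_SOURCES = ["169.254.185.120", "10.20.3.4", "198.51.100.7", "192.168.1.1"]


def count_logged_blocks(ruleset: List[Rule], sources=SAMPLE_SOURCES) -> int:
    """How many of the sample packets end up as logged drops under this ruleset."""
    return sum(1 for s in sources if evaluate(ruleset, s)[:2] == ("block", True))


if __name__ == "__main__":
    for label, ruleset in (("generated", generated_order()), ("proposed", proposed_order())):
        print(f"--- {label} order ---")
        for src in SAMPLE_SOURCES:
            action, logged, rule = evaluate(ruleset, src)
            print(f"{src:16} {action:5} logged={logged!s:5} by {rule}")
        print(f"logged drops: {count_logged_blocks(ruleset)}")
```

With the generated order the APIPA packet is logged by the anti-spoof rule before the user's quiet drop ever sees it, and the routed 10.20.0.0/16 subnet is blocked outright; with the user rules first, the quiet drop silences the Samba noise, the routed subnet passes, and the truly spoofed 198.51.100.7 is still caught and logged by the trailing anti-spoof rule.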