On 11/5/18 12:12 PM, Mark Jonsen wrote:
> Hello,
>
> I want to exclude a complete flow of an incoming Destination NAT from
> conntrack. (It's a UDP connection and the flow back to the client is
> opened for testing since the destination machine can access the source
> interface unrestricted.)
>
Given that NAT *requires* connection tracking, what you are asking isn't going to work.

The NOTRACK entries are ineffective, because you are specifying an interface in the DEST column. Since NOTRACK is applied before routing, Shorewall uses the main routing table to replace the interface with one or more subnetworks. Because the initial incoming UDP packet has not had its destination IP address rewritten yet, it isn't matching the NOTRACK rules.

-Tom

--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \    understand
                          \_______________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users