Thanks. Nicely concealed features, Firewall Guys :P

So, to attempt the last step, I would use a rich-language rule with the info from "man iptables-extensions" to get what I want. How's that sound?

Dan White | d_e_white@icloud.com
------------------------------------------------
“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.” (Bill Watterson: Calvin & Hobbes)


Dan,

firewalld uses netfilter (iptables/ip6tables) as its working part and is more of a front end. iptables and firewalld are actually running the same loaded file at runtime. So the descriptions for the formats can be found in man files for iptables/ip6tables. I had to install the iptables package to see my rules.

From the man iptables-extensions page I found this:

    conntrack
        This module, when combined with connection tracking, allows access to the
        connection tracking state for this packet/connection.

        [!] --ctstate statelist
            statelist is a comma separated list of the connection states to match.
            Possible states are listed below.
        [!] --ctproto l4proto
            Layer-4 protocol to match (by number or name)
        [!] --ctorigsrc address[/mask]
        [!] --ctorigdst address[/mask]
        [!] --ctreplsrc address[/mask]
        [!] --ctrepldst address[/mask]
            Match against original/reply source/destination address
        [!] --ctorigsrcport port[:port]
        [!] --ctorigdstport port[:port]
        [!] --ctreplsrcport port[:port]
        [!] --ctrepldstport port[:port]
            Match against original/reply source/destination port (TCP/UDP/etc.) or
            GRE key. Matching against port ranges is only supported in kernel
            versions above 2.6.38.
        [!] --ctstatus statuslist
            statuslist is a comma separated list of the connection statuses to
            match. Possible statuses are listed below.
        [!] --ctexpire time[:time]
            Match remaining lifetime in seconds against given value or range of
            values (inclusive)
        --ctdir {ORIGINAL|REPLY}
            Match packets that are flowing in the specified direction. If this flag
            is not specified at all, matches packets in both directions.

        States for --ctstate:
            INVALID      The packet is associated with no known connection.
            NEW          The packet has started a new connection or otherwise
                         associated with a connection which has not seen packets
                         in both directions.
            ESTABLISHED  The packet is associated with a connection which has seen
                         packets in both directions.
            RELATED      The packet is starting a new connection, but is associated
                         with an existing connection, such as an FTP data transfer
                         or an ICMP error.
            UNTRACKED    The packet is not tracked at all, which happens if you
                         explicitly untrack it by using -j CT --notrack in the raw
                         table.
            SNAT         A virtual state, matching if the original source address
                         differs from the reply destination.
            DNAT         A virtual state, matching if the original destination
                         differs from the reply source.

        Statuses for --ctstatus:

If IP addresses weighed one gram each:
IPv4 = half the Empire State Building vs. IPv6 = 56 billion earths
I use Linux and I wouldn't touch Outlook even if I were using a Hazmat suit and an isolation lab kit.

On Tue, Sep 27, 2016 at 7:41 AM, Dan White <d_e_white@icloud.com> wrote:
> I see rules in my "iptables -S" dump like
>
>     -A IN_work_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
>
> But how do I create one? I cannot find any documentation on "state" or "ctstate" setting.
>
> Thanks.
>
> Dan White | d_e_white@icloud.com
> ------------------------------------------------
> “Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.” (Bill Watterson: Calvin & Hobbes)
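An added example, not from any message in this thread: the reply above says firewalld and iptables are driving the same netfilter ruleset, so an `iptables -S` dump is a good place to audit what the conntrack matches actually let in. The script below reads such a dump (a constructed sample is embedded; it is not the poster's ruleset) and lists the ACCEPT rules that admit `--ctstate NEW` connections, plus the ACCEPT rules that carry no conntrack match at all, which pass packets regardless of tracking state. The last helper turns one `-A` line into a `firewall-cmd --direct --add-rule` command; that firewalld interface is real, but choosing it over the rich-rule approach the thread mentions, and the IPv4 / filter-table / priority-0 defaults, are this example's assumptions.

```shell
#!/bin/sh
# Constructed sample of `iptables -S` output in the format the thread discusses.
# It is NOT a dump from the poster's machine.
SAMPLE_RULES='-P INPUT DROP
-N IN_work_allow
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j IN_work_allow
-A IN_work_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A IN_work_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_work_allow -p tcp -m tcp --dport 23 -j ACCEPT'

# Read an `iptables -S` dump on stdin and print "<chain> <dport>" for every
# ACCEPT rule that admits NEW connections, i.e. the entry points into the host.
list_new_accepts() {
    awk '$1 == "-A" && / -m conntrack / && / --ctstate [A-Z,]*NEW/ && / -j ACCEPT/ {
        port = "any"
        for (i = 1; i <= NF; i++) if ($i == "--dport") port = $(i + 1)
        print $2, port
    }'
}

# Print "<chain> <dport>" for ACCEPT rules that have no conntrack match at all.
# These pass packets whatever their tracking state (INVALID included), so they
# deserve a second look; the loopback accept is usually intentional.
list_stateless_accepts() {
    awk '$1 == "-A" && / -j ACCEPT/ && !/ -m conntrack / {
        port = "any"
        for (i = 1; i <= NF; i++) if ($i == "--dport") port = $(i + 1)
        print $2, port
    }'
}

# Turn one "-A CHAIN <match args> -j TARGET" line into the firewall-cmd
# direct-rule command that installs the same netfilter rule through firewalld.
# Assumptions (this example's, not the thread's): IPv4, filter table, priority 0.
to_direct_rule() {
    set -- $1
    [ "$1" = "-A" ] || return 1
    chain=$2
    shift 2
    printf 'firewall-cmd --permanent --direct --add-rule ipv4 filter %s 0 %s\n' "$chain" "$*"
}

# Demo on the constructed sample. A real audit would run, as root:
#   iptables -S | list_new_accepts
printf '%s\n' "$SAMPLE_RULES" | list_new_accepts
printf '%s\n' "$SAMPLE_RULES" | list_stateless_accepts
to_direct_rule '-A IN_work_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT'
```

On the sample, the first function reports ports 80 and 22 in IN_work_allow as NEW-connection entry points, and the second flags the loopback accept and the port 23 rule, which accepts without any state check. Rules written through the direct interface are visible to `iptables -S` exactly like the ones the thread shows.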
_______________________________________________
firewalld-users mailing list -- firewalld-users@lists.fedorahosted.org
To unsubscribe send an email to firewalld-users-leave@lists.fedorahosted.org