move INVALID handler after ICMP handler due to ip6tables bug

author Stephen Gran <steve@lobefin.net>

Sat, 20 Feb 2010 20:38:36 +0000 (20:38 +0000)

committer Stephen Gran <steve@lobefin.net>

Sat, 20 Feb 2010 20:38:58 +0000 (20:38 +0000)
author Stephen Gran <steve@lobefin.net>
Sat, 20 Feb 2010 20:38:36 +0000 (20:38 +0000)
committer Stephen Gran <steve@lobefin.net>
Sat, 20 Feb 2010 20:38:58 +0000 (20:38 +0000)
diff --git a/modules/ferm/files/ferm.conf b/modules/ferm/files/ferm.conf

index 5596020..166d517 100644 (file)
--- a/modules/ferm/files/ferm.conf
+++ b/modules/ferm/files/ferm.conf
@@ -10,8 +10,8 @@ domain (ip ip6) {
                 policy DROP;
                 mod state state (ESTABLISHED RELATED) ACCEPT;
                 interface lo ACCEPT;
-               mod state state (INVALID) DROP;
                 proto icmp ACCEPT;
+               proto (tcp udp) mod state state (INVALID) DROP;
         }
  }
author	Stephen Gran <steve@lobefin.net>
	Sat, 20 Feb 2010 20:38:36 +0000 (20:38 +0000)
committer	Stephen Gran <steve@lobefin.net>
	Sat, 20 Feb 2010 20:38:58 +0000 (20:38 +0000)