One of the limitations in ipset is that it does not allow me to specify IP,port pairs in the same construct (map, hashmap, etc.) where the IP address is not a B-class address (/16). To overcome this issue I have resorted to some creative Shorewall statements in my rules file like:

ACCEPT $FW:+dest-port-map[dst] net:+dest-ip-map

This produces the right result, in a round-about way (it produces code containing two match-set constructs, both of them 'dst'). Is there another, preferably more straightforward, possibility? I was thinking of maybe separating the second part (net:...) with commas and using something like:

ACCEPT $FW net:+dest-ip-map,+dest-port-map

but I do not know whether it is possible to implement this in Shorewall. The above alternative would also allow me to include ipset pairs containing protocols (udp, tcp, even icmp).

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
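Added example, not part of the original post and not Shorewall's or ipset's own code: later ipset releases (5.x onward) provide the hash:ip,port set type, which stores an address, a protocol and a port together for arbitrary addresses, and Shorewall lets a multi-dimensional set be referenced as +setname[flag,...] with one src/dst flag per dimension. The script below generates an "ipset restore" file for such a set and the single Shorewall rules line that matches address and port as a pair. The set name dest-ip-port, the sample endpoints and the helper function names are all constructed for this example; the ipset version and the flag syntax are assumptions stated here, so check them against the ipset(8) and shorewall-rules(5) man pages of the installed versions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes ipset 5 or later
# (hash:ip,port set type) and Shorewall's "+setname[flag,...]" syntax.
# The set name and the endpoints below are constructed sample data.
SET_NAME=dest-ip-port
SAMPLE_ENDPOINTS='203.0.113.10,tcp:443
203.0.113.10,tcp:22
198.51.100.7,udp:53
192.0.2.25,tcp:25'

# Accept only "a.b.c.d,tcp:port" or "a.b.c.d,udp:port". Anything else is
# rejected so that a typo cannot silently widen what the set matches.
validate_entry() {
    entry=$1
    case $entry in *[!0-9a-z.,:]*) return 1 ;; esac   # whitelist characters first
    ip=${entry%%,*}
    rest=${entry#*,}
    [ "$rest" != "$entry" ] || return 1                # no comma at all
    proto=${rest%%:*}
    port=${rest#*:}
    [ "$port" != "$rest" ] || return 1                 # no colon at all
    case $proto in tcp|udp) ;; *) return 1 ;; esac
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs        # split dotted quad
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit an "ipset restore" script that rebuilds the set from "ip,proto:port"
# lines read on stdin. Invalid lines are reported on stderr and skipped.
emit_ipset_restore() {
    setname=$1
    echo "create $setname hash:ip,port"
    echo "flush $setname"
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if validate_entry "$line"; then
            echo "add $setname $line"
        else
            echo "skipping invalid entry: $line" >&2
        fi
    done
}

# Emit the Shorewall rules line. The set has two dimensions (ip,port) and
# both flags are "dst": the packet's destination address is matched against
# the first dimension and its destination port against the second, as a
# pair, in one match-set instead of two.
emit_shorewall_rule() {
    printf 'ACCEPT\t$FW\tnet:+%s[dst,dst]\n' "$1"
}

# Stand-alone run (sh thisfile --run): write both artifacts to the cwd.
main() {
    printf '%s\n' "$SAMPLE_ENDPOINTS" | emit_ipset_restore "$SET_NAME" > "$SET_NAME.ipset"
    emit_shorewall_rule "$SET_NAME" > "$SET_NAME.rules"
}
case "${1:-}" in --run) main ;; esac
```

Load the generated file with `ipset -exist restore < dest-ip-port.ipset` (the global -exist option keeps the create from failing when the set already exists; the flush line then replaces the old members), and paste the rules line into the Shorewall rules file. Because the entry format carries the protocol, a tcp and a udp service on the same address and port are distinct members of the same set.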
