Re: [leaf-user] Dropping external cruft by destination IP/port in Shorewall

Tue, 15 Nov 2005 04:31:03 -0800 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tom Eastep wrote:

| ------------------------------------------------------------------------------
| http://www1.shorewall.net/Documentation.htm#Blacklist
| http://www1.shorewall.net/2.0/Documentation.htm#Blacklist
|
| PORTS
|
|     Optional; may only be given if PROTOCOL is tcp, udp or icmp. Expressed as
| a comma-separated list of port numbers or service names (from /etc/services).
| If present, only packets destined for the specified protocol and one of the
| listed ports are blocked. When the PROTOCOL is icmp, the PORTS column
| contains a comma-separated list of ICMP type numbers or names (see ?iptables
| -h icmp?).
|
- ------------------------------------------------------------------------------- 
|
| Is "only packets destined for the specified protocol and one of the listed
| ports are blocked." not clear?

It's unclear to me.  "Destined" is linked to "specified protocol", and a
protocol doesn't have source/destination entries.  The way I parse the
above, "listed ports" is *NOT* modified by "destined".  Plus, I think the
place to state src/dst for ports is in the second sentence.  I think
something like the following would be more clear:

PORTS
~  Optional; may only be given if PROTOCOL is tcp, udp or icmp. Expressed as
a comma-separated list of destination port numbers or service names (from
/etc/services).  If present, only packets matching the specified protocol
and one of the listed destination ports are blocked. When the PROTOCOL is
icmp, the PORTS column contains a comma-separated list of ICMP type numbers
or names (see ?iptables -h icmp?).

| I agree that the documentation in the /etc/shorewall/blacklist file isn't as
| clear and I will fix it when I get the chance.

Thanks again for the great FW software!

- --
Charles Steinkuehler
[EMAIL PROTECTED]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFDedTmLywbqEHdNFwRAmCRAKCZ4gxGblNkyKYj2qXb4SAuptbaRgCeOiLI
QSVk5PYRjJb0YMmK23r88PI=
=Dxbk
-----END PGP SIGNATURE-----


-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
------------------------------------------------------------------------
leaf-user mailing list: [email protected]
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/

Reply via email to