On 9/12/10 3:37 PM, Mr Dash Four wrote:
>
>>> Is it possible to use ipsets in the secmarks file?
>>>
>>
>> Yes.
>>
> Tested it, albeit very briefly, yesterday and it did seem to work - I
> will have a more thorough run-through later this week as I will be ready
> with the SELinux policies controlling all the traffic.
>
> What I like about ipsets is that they are dynamic and can be changed
> 'on-the-fly' without the need to restart/reload Shorewall - an ipset
> could have one set of values/members now and completely different the
> next time - very handy for testing!

Shorewall has one source-match generator and one destination-match
generator that are used anytime an address match is needed; both accept
ipsets.

Don't know if you noticed, but destination blacklisting should now work
the way you prefer. Just don't look for a jump in fw2net; blacklisting
occurs before that chain is entered.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
