>> Ideally, what I'd like to have is this in the blacklist file:
>>
>> +whitelist - - - src,dst,whitelist # whitelist applicable to all
>> interfaces, including tun0
>> +vpn-out-whitelist[dst,dst] - - root dst,vpn,whitelist # this to
>> indicate that this ipset will punch a hole in the fw2vpn's blackout
>> chain, allowing the defined ip:proto pair to pass through for user id=0
>> (root) - the value of the 3rd column
>> +blacklist - - - src,dst
>> ...
>>
>
> Adding a USER/GROUP column to the blacklist file is fairly easy,
> although it requires that there now be three blacklist chains: blacklst,
> blackfwd and blackout.

Yeah, I figured that out yesterday. Even though I am not using bridges/have forwarded traffic, it still makes sense to create such a chain.

Can I specify the zone(s) to which that whitelist applies (vpn in my example above) or is it just user id/owner?
If so, is this feature only applicable to whitelists or does it include the blacklists now as well (in other words, can I specify "+blacklist - - - src,dst,vpn")?

> That feature will be included in the next Beta.
>

OK, I'll give it a whirl as soon as you release it. Thanks!

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
