Hello,
I'm running shorewall 3.0.2 on a Debian sarge box.
I have a w2k3 box on eth1 with both a public and a local IP address, running
an FTP server.
I have set proxy ARP for this host.
Now I try to drop FTP packets from one IP address on the internet, but my
setup does not work.
My setup:
proxyarp
#ADDRESS        INTERFACE       EXTERNAL        HAVEROUTE       PERSISTENT
195.113.101.221   eth1          eth0            yes             yes

rules
.
DROP    net:193.171.155.10      loc:195.113.101.221 tcp 21
.
zones
#ZONE   TYPE    OPTIONS                 IN                      OUT
#                                       OPTIONS                 OPTIONS

fw      firewall
net     ipv4
loc     ipv4
wifio   ipv4
road    ipv4

interfaces:
#ZONE    INTERFACE      BROADCAST       OPTIONS
net      eth0           detect          tcpflags,routefilter,norfc1918,nosmurfs,blacklist
loc      eth1           detect          dhcp,blacklist,routeback,detectnets
wifio    eth2           detect          blacklist
road     tap0

policy:
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
loc             net             ACCEPT
loc             wifio           ACCEPT
loc             loc             ACCEPT
loc             fw              ACCEPT
fw              net             ACCEPT
fw              wifio           ACCEPT
fw              loc             ACCEPT
net             all             DROP
all             all             REJECT
wifio           net             ACCEPT
wifio           loc             ACCEPT
wifio           fw              ACCEPT
road            loc             ACCEPT
#LAST - ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

routing table:
195.113.101.208/30 dev eth0  proto kernel  scope link  src 195.113.101.210
195.113.101.216/29 dev eth1  proto kernel  scope link  src 195.113.101.217
172.16.0.0/27 dev eth1  proto kernel  scope link  src 172.16.0.1
192.168.2.0/24 dev tap0  proto kernel  scope link  src 192.168.2.1
192.168.1.0/24 dev eth2  proto kernel  scope link  src 192.168.1.1
192.168.10.0/24 via 195.113.101.209 dev eth0
172.16.0.0/16 via 172.16.0.30 dev eth1
default via 195.113.101.209 dev eth0

What could be wrong? Why does shorewall pass FTP connections to my FTP server?

Thanks for any help.

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users