Hi,
Jiří Červenka wrote:
>> What about changing this to loc:[local address] instead of loc:[public
>> address]? Does that help?
>>
>> Otherwise you could also consider the blacklisting feature.
>>
> No, this does not help. The connections from net go directly to my FTP
> server's public IP address on port 21.
What exactly doesn't help, replacing the IP address or using the blacklist?
>>> policy:
>>> #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
>>> loc net ACCEPT
>>> loc wifio ACCEPT
>>> loc loc ACCEPT
>>> loc fw ACCEPT
>>> fw net ACCEPT
>>> fw wifio ACCEPT
>>> fw loc ACCEPT
>>> net all DROP
>>> all all REJECT
>>> wifio net ACCEPT
>>> wifio loc ACCEPT
>>> wifio fw ACCEPT
>>> road loc ACCEPT
>>> #LAST - ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>>>
>> Off the top of my head, I thought that policies are matched in _order_.
>> If that's the case, this also might not do what you expect, no?
>>
> I'm not sure what you mean, so I tried to move the net all DROP policy to
> the top of the list, but this won't help either.
Well, in the comment in that file it says:
"For each source/destination pair, the file is processed in order until
a match is found ("all" will match any client or server)."
So I don't think your bottom policies will ever be reached because you
have put them behind an 'all all REJECT'.
--
- Pieter
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
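Added example (not part of the thread, and not Shorewall's own code): a small Python simulation of the first-match rule Pieter quotes from the policy file comment, run against a constructed copy of the policy table posted above. It shows that with `all all REJECT` in the middle of the file, wifio and road traffic is rejected and the four entries after it are unreachable, and that moving the catch-all lines to the end gives the intended result. The helper names (`parse_policy`, `lookup`, `unreachable_entries`, `move_catch_alls_last`) are this example's own; whether the real Shorewall compiler warns about such shadowed entries is not something this thread establishes, so the script only models the lookup order.

```python
"""Simulate Shorewall's first-match policy lookup.

Implements the rule quoted from the policy file's own comment: for each
source/destination zone pair the file is processed in order until a match
is found, and "all" matches any zone. This is an added illustration, not
Shorewall code.
"""

# Constructed copy of the policy table posted in the thread (comments dropped).
POSTED_POLICY = """\
loc    net    ACCEPT
loc    wifio  ACCEPT
loc    loc    ACCEPT
loc    fw     ACCEPT
fw     net    ACCEPT
fw     wifio  ACCEPT
fw     loc    ACCEPT
net    all    DROP
all    all    REJECT
wifio  net    ACCEPT
wifio  loc    ACCEPT
wifio  fw     ACCEPT
road   loc    ACCEPT
"""


def parse_policy(text):
    """Return a list of (source, dest, policy) tuples in file order."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("bad policy line: %r" % line)
        entries.append((fields[0], fields[1], fields[2].upper()))
    return entries


def _zone_matches(pattern, zone):
    """A pattern matches a zone if it names it or is the wildcard 'all'."""
    return pattern == "all" or pattern == zone


def lookup(entries, source, dest):
    """First-match lookup. Returns (policy, index) or (None, None)."""
    for i, (src, dst, pol) in enumerate(entries):
        if _zone_matches(src, source) and _zone_matches(dst, dest):
            return pol, i
    return None, None


def unreachable_entries(entries):
    """Indices of entries that can never match because an earlier entry
    already covers every zone pair they cover (e.g. anything after 'all all')."""
    dead = []
    for i, (src, dst, _) in enumerate(entries):
        for earlier_src, earlier_dst, _ in entries[:i]:
            if _zone_matches(earlier_src, src) and _zone_matches(earlier_dst, dst):
                dead.append(i)
                break
    return dead


def move_catch_alls_last(entries):
    """Reorder so specific zone pairs come first and any entry using 'all'
    comes last, keeping relative order inside each group."""
    specific = [e for e in entries if "all" not in (e[0], e[1])]
    catch_all = [e for e in entries if "all" in (e[0], e[1])]
    return specific + catch_all


if __name__ == "__main__":
    posted = parse_policy(POSTED_POLICY)
    for pair in (("wifio", "net"), ("road", "loc"), ("net", "loc")):
        print("posted  %-5s -> %-4s : %s (entry %s)" % (pair + lookup(posted, *pair)))
    print("posted  unreachable entries:", unreachable_entries(posted))

    fixed = move_catch_alls_last(posted)
    for pair in (("wifio", "net"), ("road", "loc"), ("net", "loc")):
        print("fixed   %-5s -> %-4s : %s (entry %s)" % (pair + lookup(fixed, *pair)))
    print("fixed   unreachable entries:", unreachable_entries(fixed))
```

Running it shows `wifio -> net` and `road -> loc` both resolving to the `all all REJECT` entry in the posted order, with entries 9 through 12 flagged as unreachable; after the reorder both pairs hit their ACCEPT lines and nothing is shadowed. The same check is worth running by eye on any Shorewall policy file: every line below the first `all all` entry is dead.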