On Thu, 2007-11-22 at 11:12 +0100, Götz Reinicke wrote:

> >> I've been looking for a solution to deny some special clients from accessing
> >> the internet by adding their ip to the blacklist. That works fine.
> >>
> >> Now I'd like to allow access to my webserver in the dmz. How to do this?
> > 
> > Don't use the blacklist for denying net access. Use "REJECT loc:<ip address
> > list> net" rules instead.

> where should the REJECT rules be placed best? At the top or bottom of
> the rules file? Or doesn't this matter?

Before any other, more general rule that matches.

You can think of the rules being evaluated in order [1]. The first rule
that matches will be applied. Thus, if you have some fine-grained rules
for particular IPs or MAC addresses, just be sure to have them before
more general rules, if any.

Other than that, the order doesn't make much [2] of a difference. Feel
free to keep them organized by zones, ports/services, clustered in
logical units.

  karsten


[1] Which of course is true only with the constraint of matching SOURCE
    and DEST zones.
[2] However, within z1:z2 rules, all these rules need to be checked
    until there is a match or ultimately a policy will be enforced.
    Thus, if you expect http traffic almost exclusively and ssh
    occasionally, it may make sense to place the http rule first. That
    way, the majority of connections need to be checked against a single
    rule only.

-- 
[ESR] Eric S. Raymond: "How To Ask Questions The Smart Way"
      http://www.catb.org/~esr/faqs/smart-questions.html
[SGT] Simon G. Tatham: "How to Report Bugs Effectively"
      http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
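A rules-file fragment illustrating the ordering advice in the reply above; this is an added example, not from the thread or the Shorewall project. It assumes the usual loc/dmz/net zones and uses 192.0.2.10 and 192.0.2.11 as placeholder client addresses.

```text
#ACTION   SOURCE                       DEST   PROTO   DEST PORT(S)
# Constructed example. Within one zone pair (here loc -> net) the first
# matching rule wins, so the host-specific REJECT must come before any
# general loc -> net ACCEPT rule.
REJECT    loc:192.0.2.10,192.0.2.11    net
ACCEPT    loc                          net

# loc -> dmz is a different zone pair, so its position relative to the
# loc -> net rules does not matter. The two blocked hosts still match
# here and can reach the web server, because the REJECT above only
# covers traffic to the net zone.
# Per footnote [2]: the frequently hit http rule is listed before the
# occasional ssh rule so most connections are checked against one rule.
ACCEPT    loc                          dmz    tcp     80,443
ACCEPT    loc                          dmz    tcp     22
```

Check the result with `shorewall check` before `shorewall restart`; a rule placed after a more general match in the same zone pair is silently shadowed rather than reported as an error.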
