alex wrote:
The 'norfc1918' option is an artifact -- if I were to re-design Shorewall, I would definitely leave it out. You may have noticed that the 'rfc1918' file no longer appears in the 4.0 documentation. Take that as a hint that the option is gradually being phased out.

An rfc1918 macro as follows will do everything that the 'norfc1918' option did and more:

PARAM   SOURCE  DEST:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
PARAM   SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16  DEST

Note -- the above macro only works with Shorewall-perl 4.0.9 or later.

-Tom
     I found the file 'rfc1918' in the directory with the other macro files, but its
name doesn't have the prefix 'macro.' and it has a different syntax from the other macros.
It is _not_ a macro. It is a data file that drives the behavior of the 'norfc1918' option.

-Tom

   Ok Tom.
   Now, instead of my rule in the 'rules' file:

REJECT!    all            net:$RFC1918_NETS

   I created the macro 'macro.rfc1918' with the content (literally):

PARAM    SOURCE                  DEST:$RFC1918_NETS
# PARAM  SOURCE:$RFC1918_NETS    DEST

   (I commented out the second line because otherwise I don't have
access from the internal networks to the Internet)
   And added the following rule in 'rules':

rfc1918(REJECT!)        all             net

   This works the same as the old rule.
   Am I right?

I guess (although the '!' is silly).

The macro that I described is intended to replace 'norfc1918' (with RFC1918_STRICT) which doesn't prevent local hosts from connecting to RFC 1918 addresses in the 'net' zone. Given that more and more ISPs are using RFC 1918 addressing within their own infrastructure, any general recommendation to do that sort of filtering is probably unwise.

My macro (call it Rfc1918) would be used like:

Rfc1918(DROP)           net     all

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
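
An added example, not part of the original messages and not Shorewall code: a simplified Python model of how the PARAM/SOURCE/DEST columns of the macro in this thread expand for the two invocations discussed, and which packets the resulting rules match. Assumptions: `$RFC1918_NETS` holds the three RFC 1918 ranges, `loc` is a hypothetical internal zone, all addresses are constructed samples, and `all` is treated as a plain wildcard.

```python
import ipaddress

# Assumption: $RFC1918_NETS in alex's config holds these three ranges.
RFC1918 = "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"

# Macro body from the thread, one tuple per line: (ACTION, SOURCE, DEST).
MACRO_FULL = [("PARAM", "SOURCE", "DEST:" + RFC1918),
              ("PARAM", "SOURCE:" + RFC1918, "DEST")]
MACRO_FIRST_LINE_ONLY = MACRO_FULL[:1]  # alex's variant, second line commented out


def expand(macro, action, source, dest):
    """Substitute PARAM, SOURCE and DEST from an invocation such as
    'Rfc1918(DROP) net all' and return the resulting plain rules."""
    return [(act.replace("PARAM", action),
             src.replace("SOURCE", source, 1),
             dst.replace("DEST", dest, 1))
            for act, src, dst in macro]


def side_matches(spec, zone, addr):
    """spec is 'zone' or 'zone:net1,net2,...'; 'all' is a wildcard here
    (simplified: real Shorewall gives 'all' extra semantics)."""
    rule_zone, _, nets = spec.partition(":")
    if rule_zone not in ("all", zone):
        return False
    if not nets:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets.split(","))


def verdict(rules, src_zone, src_ip, dst_zone, dst_ip, default="CONTINUE"):
    """First matching rule wins; 'CONTINUE' means no macro rule matched."""
    for action, src, dst in rules:
        if side_matches(src, src_zone, src_ip) and side_matches(dst, dst_zone, dst_ip):
            return action
    return default


if __name__ == "__main__":
    tom = expand(MACRO_FULL, "DROP", "net", "all")
    alex = expand(MACRO_FIRST_LINE_ONLY, "REJECT!", "all", "net")
    both = expand(MACRO_FULL, "REJECT!", "all", "net")
    for name, rules in (("tom", tom), ("alex", alex), ("alex+line2", both)):
        print(name, rules)
        # Constructed packet: internal host to a public address in 'net'.
        print("  loc->net public:", verdict(rules, "loc", "192.168.1.10", "net", "198.51.100.7"))
```

With both macro lines active and the `all net` invocation, the second expanded rule matches any RFC 1918 source heading to `net`, which is the loss of Internet access alex describes; the `net all` invocation never matches traffic that originates in `loc`.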
