>>>>> The 'norfc1918' option is an artifact -- if I were to re-design
>>>>> Shorewall, I would definitely leave it out. You may have noticed that
>>>>> the 'rfc1918' file no longer appears in the 4.0 documentation. Take
>>>>> that as a hint that the option is gradually being phased out.
>>>>>
>>>>> An rfc1918 macro as follows will do everything that the 'norfc1918'
>>>>> option did and more:
>>>>>
>>>>> PARAM     SOURCE  DEST:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
>>>>> PARAM     SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16  DEST
>>>>>
>>>>> Note -- the above macro only works with Shorewall-perl 4.0.9 or later.
>>>>>
>>>>> -Tom
>>>> I found the file 'rfc1918' in the directory with the other macro files,
>>>> but its name doesn't have the 'macro.' prefix and it has a different
>>>> syntax from the other macros.
>>> It is _not_ a macro. It is a data file that drives the behavior of the
>>> 'norfc1918' option.
>>>
>>> -Tom
>> 
>>    Ok Tom.
>>    Now, instead of my rule in the 'rules' file:
>> 
>> REJECT!    all            net:$RFC1918_NETS
>> 
>>    I create a macro 'macro.rfc1918' with the following content (literally):
>> 
>> PARAM    SOURCE                  DEST:$RFC1918_NETS
>> # PARAM  SOURCE:$RFC1918_NETS    DEST
>> 
>>    (I comment out the second line, because otherwise I wouldn't have
>> access from the internal networks to the Internet.)
>>    And I add the following rule in 'rules':
>> 
>> rfc1918(REJECT!)        all             net
>> 
>>    This works the same as the old rule.
>>    Am I right?
> 
> I guess (although the '!' is silly).
> 
> The macro that I described is intended to replace 'norfc1918' (with
> RFC1918_STRICT) which doesn't prevent local hosts from connecting to RFC
> 1918 addresses in the 'net' zone. Given that more and more ISPs are using
> RFC 1918 addressing within their own infrastructure, any general
> recommendation to do that sort of filtering is probably unwise.
> 
> My macro (call it Rfc1918), would be used like:
> 
> Rfc1918(DROP)         net     all
> 
> -Tom

    Dear Tom, thank you for your detailed answer, but in my configuration
(with Shorewall-4.1.6) ONLY one configuration works the way I want:
shorewall doesn't send packets for RFC1918 networks to the Internet. This
is the config you see above (no matter whether DROP or REJECT, but with '!'),
and I see the following:

[EMAIL PROTECTED]:~> ping 192.168.45.123
PING 192.168.45.123 (192.168.45.123) 56(84) bytes of data.
 From 192.168.5.1: icmp_seq=1 Destination Host Unreachable
 From 192.168.5.1 icmp_seq=1 Destination Host Unreachable
 From 192.168.5.1 icmp_seq=2 Destination Host Unreachable

   Where 192.168.5.1 is my Shorewall default gateway.
   In ALL the other variants that you recommend I see the following:

[EMAIL PROTECTED]:~> ping 192.168.45.123
PING 192.168.45.123 (192.168.45.123) 56(84) bytes of data.
 From 212.98.160.153: icmp_seq=1 Destination Host Unreachable
 From 212.98.160.153 icmp_seq=1 Destination Host Unreachable

   Where 212.98.160.153 is my ISP address.
   
   Thank you very much,
   Alex
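As an added illustration (not Shorewall code, and not from either poster), the following simulator expands the two macro variants from this thread the way the text describes them (PARAM replaced by the invoking action, SOURCE/DEST replaced by the zones on the rules line, $RFC1918_NETS expanded, '#' lines ignored) and walks a flow through the resulting rules. It assumes a simplified first-match model with a constructed $RFC1918_NETS value and a constructed local host 192.168.5.10 behind Alex's 192.168.5.1 gateway; interfaces, ports and the '!' ordering modifier are not modelled.

```python
import ipaddress

# Constructed stand-in for Shorewall's $RFC1918_NETS variable (the three RFC 1918 blocks).
PARAMS = {"RFC1918_NETS": "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"}

def parse_column(col, zone_arg):
    """Split a macro column such as 'DEST:$RFC1918_NETS' into (zone, [networks]).
    SOURCE/DEST take the zone named on the invoking rules line; $VAR is expanded."""
    name, _, nets = col.partition(":")
    zone = zone_arg if name in ("SOURCE", "DEST") else name
    for var, value in PARAMS.items():
        nets = nets.replace("$" + var, value)
    return zone, [ipaddress.ip_network(n) for n in nets.split(",") if n]

def expand_macro(body, action, src_zone, dst_zone):
    """Expand macro lines into (action, src_spec, dst_spec) rules.
    PARAM becomes the invoking action; '#' comments and blank lines are skipped."""
    rules = []
    for line in body.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        act, src, dst = line.split()[:3]
        rules.append((action if act == "PARAM" else act,
                      parse_column(src, src_zone), parse_column(dst, dst_zone)))
    return rules

def _matches(spec, zone, ip):
    rule_zone, nets = spec
    return rule_zone in ("all", zone) and (not nets or any(ip in n for n in nets))

def decide(rules, src_zone, src_ip, dst_zone, dst_ip, default="ACCEPT"):
    """First matching rule wins; 'default' stands in for the policy (assumption:
    interfaces, ports and the '!' ordering modifier are not modelled)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for act, src, dst in rules:
        if _matches(src, src_zone, s) and _matches(dst, dst_zone, d):
            return act.rstrip("!")
    return default

# Alex's macro.rfc1918 (second line commented out), used as: rfc1918(REJECT!) all net
ALEX_MACRO = "PARAM SOURCE DEST:$RFC1918_NETS\n# PARAM SOURCE:$RFC1918_NETS DEST\n"
# Tom's Rfc1918 macro with both lines, used as: Rfc1918(DROP) net all
TOM_MACRO = "PARAM SOURCE DEST:$RFC1918_NETS\nPARAM SOURCE:$RFC1918_NETS DEST\n"

def verdicts():
    # Alex's ping from constructed host loc 192.168.5.10 to 192.168.45.123 in net
    alex = expand_macro(ALEX_MACRO, "REJECT!", "all", "net")
    tom = expand_macro(TOM_MACRO, "DROP", "net", "all")
    return {"alex": decide(alex, "loc", "192.168.5.10", "net", "192.168.45.123"),
            "tom": decide(tom, "loc", "192.168.5.10", "net", "192.168.45.123")}
```

Under this model Alex's invocation rejects the loc-to-net ping while Tom's `net all` invocation never matches it, which is consistent with Tom's remark that his macro does not stop local hosts reaching RFC 1918 addresses in 'net'; uncommenting Alex's second line would also block loc hosts with RFC 1918 sources from reaching public addresses, which is why he commented it out.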
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users