Joseph L. Casale wrote:
>> What exactly are you trying to accomplish? If you are trying to use the lack of masquerading as a filtering mechanism, I strongly recommend just using REJECT rules instead.
>> -Tom
>
> I just want to make sure clients that use shorewall as their gateway to masq outbound traffic can't get to a list of ip's.

Then forget your masq approach.

Shorewall has always been and will continue to be about keeping the bad guys out, not keeping the prisoners in. A much better approach to that is to use Shorewall to disallow loc->net http traffic, implement a transparent proxy and then use squid and/or dansguardian to police your users' web access. That way, you can express your repressive policies using domain names, URLs and content categories rather than chasing your tail with IP addresses.

And if you really want to prevent a group of users from accessing a set of IP addresses, REJECT rules are the way to go.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ [EMAIL PROTECTED]
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
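
The two approaches recommended in the message above, sketched as a rules file. This is an added example, not part of the original post or of the Shorewall project's own configuration; the addresses are constructed placeholders, and the client subnet and a Squid instance on the firewall listening on port 3128 are assumptions.

```conf
# /etc/shorewall/rules (added example; addresses are constructed
# placeholders from the RFC 5737 documentation ranges)
#
# Rules are matched in order, so the REJECT lines must sit above any
# broader loc->net ACCEPT rule.
#ACTION       SOURCE              DEST                              PROTO  DEST PORT(S)

# Block every local client from the listed destinations and log attempts.
REJECT:info   loc                 net:192.0.2.10,198.51.100.0/24    all

# Block only one group of clients (hypothetical 10.0.0.64/27) from one host.
REJECT:info   loc:10.0.0.64/27    net:203.0.113.25                  all

# Transparent proxy: hand loc web traffic to Squid on the firewall
# (assumed to listen on 3128) and let only the proxy fetch from the net.
REDIRECT      loc                 3128                              tcp    www
ACCEPT        $FW                 net                               tcp    www
```

Run `shorewall check` before `shorewall restart` so a syntax error in the new rules does not take the gateway down.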
