Phillipus Gunawan wrote:
> Thanks for your reply,
>
> indeed, the rule:
>
> DNAT net loc:10.1.1.5 tcp 64198
>
> works perfectly, but none of these does:
>
> REJECT net loc:10.1.1.1 tcp http
> REJECT net loc:10.1.1.1 tcp 80
> DROP net loc:10.1.1.1 tcp http
> DROP net loc:10.1.1.1 tcp 80
>
> or a combination with 'loc' only.
>
> I tried each of the rules above, one by one,
> but if I open my external IP address given by my ISP,
> the connection is still there; it is not blocked or rejected.
Two things:
a) If you are trying to block 10.1.1.1 from accessing the WWW, then your
rules are backward. You want:
REJECT loc:10.1.1.1 net tcp http
b) Shorewall generates a *stateful* firewall, so rules are only
consulted for *new connections*. If there is an existing connection
from 10.1.1.1 to a web server on the net, inserting the above rule will
not break that connection; it only prevents new connections from being
established.
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
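The two points in the reply (rule direction and statefulness), written out as a Shorewall `rules` file fragment. This is an added example, not code from the thread or from the Shorewall project; it assumes the classic column layout (ACTION SOURCE DEST PROTO DEST PORT) and, for clearing an already-established connection, that the `conntrack` utility from conntrack-tools is installed, which the thread does not mention.

```conf
#ACTION    SOURCE          DEST            PROTO   DEST
#                                                  PORT(S)

# Wrong direction (the rule the poster tried): SOURCE is the Internet
# zone and DEST is the LAN host, so it only matches new connections
# *from* the Internet *to* 10.1.1.1:80, not the host's outbound browsing.
#REJECT    net             loc:10.1.1.1    tcp     http

# Correct: SOURCE is the LAN host, DEST is the Internet zone.
# "http" and "80" are equivalent here; Shorewall resolves service names
# from /etc/services.
REJECT     loc:10.1.1.1    net             tcp     http

# The DNAT from the thread is unaffected; it handles inbound traffic
# and is a separate rule.
DNAT       net             loc:10.1.1.5    tcp     64198

# After editing: validate, then load.
#   shorewall check
#   shorewall restart
#
# Because the firewall is stateful, a browser session opened before the
# restart keeps working; only *new* TCP connections are rejected. To see
# the surviving entries:
#   shorewall show connections
# To drop them without waiting for the conntrack entry to expire
# (assumes conntrack-tools; not part of Shorewall itself):
#   conntrack -D -s 10.1.1.1 -p tcp --dport 80
```

When testing, open a fresh connection rather than refreshing an existing page: browsers keep HTTP/1.1 connections alive, so a reload may reuse a connection that predates the rule and make it look as though the rule is ignored.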