Quick questions to you all: I wish to define a couple of ipsets (3 IP sets containing about 17,000+ subnets, plus about 10 portmap sets containing just port numbers). The IP sets (the large ones) are mainly to include in my blacklist, but I would also like to use the portmap sets in my rules file for port matching.
I figured out how to define/use the IP sets, i.e.:

---blacklist-----------
#ADDRESS/SUBNET PROTOCOL PORT
+blacklisted
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
----------------------

(the 'blacklisted' set is loaded automatically when shorewall starts - in the init file). So, that part works as expected, though I have a query - does the above block incoming AS WELL AS outgoing connections to those subnets included in the IP set?

Also, I see that there are two additional options defined in the manual - 'src' and 'dst', i.e. +blacklisted[src,dst] may also be used. What is the purpose and functionality of these 2 options? The manual contains about a single line mentioning this and no other explanation is given - at least I could not find any!

Second query - I could not manage to make my portmap sets work in my shorewall rules file. When I try the following:

--------rules-------
#############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP
ACCEPT $FW net tcp +ip-portmap-set
-------------------

and try to compile the above, I get an error that the service '+ip-portmap-set' is not recognised (the set is of type portmap and is already loaded with ipsets -R - no problem). So, my question is - what have I done wrong? Is there a way I can define portmap ip sets and use them in my rules file, and if so how do I go about doing that?

Thanks a lot!

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
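The 'src'/'dst' flags asked about above are, at the netfilter level, the flags of the iptables set match (`-m set --match-set NAME FLAGS`): each flag selects which side of the packet is compared with one dimension of the set, so a one-dimension set of subnets takes a single flag, 'src' meaning the packet's source address and 'dst' its destination address, and a one-dimension port set takes 'src' for the source port or 'dst' for the destination port. The script below is an added illustration, not part of the post or of Shorewall; it parses the `+name[flags]` token syntax shown in the post and emulates the match against two constructed sets (a subnet set standing in for the large 'blacklisted' set and a port set standing in for 'ip-portmap-set'). The rule that a bare `+name` defaults to 'src' when placed in the SOURCE column and 'dst' in the DEST column is an assumption of this example, passed in as the `column` argument.

```python
import ipaddress
import re

# Constructed example sets (not from the post). "net" stands in for a
# nethash/hash:net set of subnets, "port" for a portmap/bitmap:port set.
SETS = {
    "blacklisted": {
        "dim": "net",
        "members": [ipaddress.ip_network(n)
                    for n in ("203.0.113.0/24", "198.51.100.0/25")],
    },
    "ip-portmap-set": {"dim": "port", "members": {23, 135, 445}},
}

# '+name' or '+name[flag,flag]' as written in the blacklist/rules files.
SET_REF = re.compile(r"^\+(?P<name>[\w.-]+)(?:\[(?P<flags>[^\]]*)\])?$")


def parse_set_ref(token):
    """Split '+name[src,dst]' into (name, [flags]); flags is [] if omitted."""
    m = SET_REF.match(token)
    if not m:
        raise ValueError(f"not an ipset reference: {token!r}")
    flags = [f.strip() for f in m.group("flags").split(",")] if m.group("flags") else []
    for f in flags:
        if f not in ("src", "dst"):
            raise ValueError(f"bad flag {f!r} in {token!r}")
    return m.group("name"), flags


def _contains(set_def, value):
    """Membership test for the two emulated set kinds."""
    if set_def["dim"] == "net":
        return any(ipaddress.ip_address(value) in net for net in set_def["members"])
    return int(value) in set_def["members"]


def match_set(token, packet, column):
    """Emulate `-m set --match-set NAME FLAG` for a one-dimension set.

    packet: dict with saddr, daddr, sport, dport.
    column: "SOURCE" or "DEST"; assumed (not verified against Shorewall) to
            supply the default flag when the token carries none.
    """
    name, flags = parse_set_ref(token)
    set_def = SETS[name]
    if not flags:
        flags = ["src" if column == "SOURCE" else "dst"]
    if len(flags) != 1:
        raise ValueError("one flag per set dimension; these sets have one dimension")
    field = {"net": {"src": "saddr", "dst": "daddr"},
             "port": {"src": "sport", "dst": "dport"}}[set_def["dim"]][flags[0]]
    return _contains(set_def, packet[field])


def demo():
    """A constructed packet from a blacklisted subnet to a listed port."""
    pkt = {"saddr": "203.0.113.7", "daddr": "192.0.2.1", "sport": 40000, "dport": 23}
    return {
        "blacklisted[src]": match_set("+blacklisted[src]", pkt, "SOURCE"),
        "blacklisted[dst]": match_set("+blacklisted[dst]", pkt, "DEST"),
        "ip-portmap-set[dst]": match_set("+ip-portmap-set[dst]", pkt, "DEST"),
        "ip-portmap-set[src]": match_set("+ip-portmap-set[src]", pkt, "SOURCE"),
    }


if __name__ == "__main__":
    for ref, hit in demo().items():
        print(f"{ref:22} -> {'match' if hit else 'no match'}")
```

The practical point for a blacklist: a subnet set referenced with 'src' only matches packets whose source address is in the set, and a 'dst' reference only matches packets addressed to it, so covering both directions takes one reference per direction.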
