On 6/14/10 3:37 PM, Mr Dash Four wrote:
> Quick questions to you all:
>
> I wish to define a couple of ipsets (3 ip sets containing about 17,000+
> subnets plus about 10 portmap sets containing just port numbers). The IP
> sets (the large ones) are mainly to include them in my blacklist, but I
> would also like to use the portmap sets in my rules file for port matching.
>
> I figured how to define/use the IP port sets, i.e.:
>
> ---blacklist-----------
> #ADDRESS/SUBNET PROTOCOL PORT
> +blacklisted
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
> ----------------------
> (the 'blacklisted' set is loaded automatically when shorewall starts -
> in the init file).
>
> So, that part works as expected, though I have a query - Does the above
> block incoming AS WELL AS outgoing connections to those subnets
> included in the ip set?
No -- read 'man shorewall-blacklist'

> Also, I see that there are two additional
> options defined in the manual - 'src' and 'dst', i.e.
> +blacklisted[src,dst] may also be used. What is the purpose and
> functionality of these 2 options? The manual contains about a single
> line mentioning this and no other explanation is given - at least I
> could not find any!

They are used in "ipset binding" which is no longer supported by the current version of ipsets. You can read about them in the documentation accompanying older versions of ipsets.

> Second query - I could not manage to make my portmap sets work in my
> shorewall rules file. When I try the following:
>
> --------rules-------
> #############################################################################################################
> #ACTION  SOURCE  DEST  PROTO  DEST     SOURCE   ORIGINAL  RATE   USER/  MARK
> #                             PORT     PORT(S)  DEST      LIMIT  GROUP
>
> ACCEPT   $FW     net   tcp    +ip-portmap-set
> -------------------
>
> and try to compile the above I get an error that the service
> '+ip-portmap-set' is not recognised (the set is of type portmap and is
> already loaded with the ipsets -R - no problem).

Nowhere in the Shorewall documentation will you find any claim that such a construct will work. It won't.

-Tom

-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
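A small lint for the mistake discussed in this thread, added here as an example (it is not Shorewall's code, not Tom's, and not part of the original exchange): it takes the column layout from the rules header quoted above (ACTION, SOURCE, DEST, PROTO, DEST PORT(S), SOURCE PORT(S), ...) and reports every `+setname` reference that lands in a port column, which is the construct the reply says Shorewall will not compile. References in the address columns are left alone. The sample rules file and the names `check_portset_refs` and `count_portset_refs` are constructed for this example.

```shell
#!/bin/sh
# Added example, not Shorewall code. Assumes the rules column order shown in
# the thread: 1 ACTION, 2 SOURCE, 3 DEST, 4 PROTO, 5 DEST PORT(S), 6 SOURCE PORT(S).
# A "+setname" in column 5 or 6 is the unsupported port-set usage from the thread;
# this check does not judge what appears in the address columns.

# Constructed sample rules file: lines 2 and 5 put an ipset in a port column.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
#ACTION   SOURCE        DEST   PROTO   DEST PORT(S)       SOURCE PORT(S)
ACCEPT    $FW           net    tcp     +ip-portmap-set
DROP      +blacklisted  $FW
ACCEPT    net           $FW    tcp     22
ACCEPT    net           $FW    tcp     80                 +ip-portmap-set
EOF

# Print "line-number: line" for each offending rule in the file given as $1.
# Exit status is the number of offending lines (0 means the file is clean).
check_portset_refs() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # skip comments and blank lines
        ($5 ~ /^\+/) || ($6 ~ /^\+/) { print NR ": " $0; bad++ }
        END { exit bad + 0 }
    ' "$1"
}

# Same check, but return the count on stdout so callers can compare it.
count_portset_refs() {
    n=0
    check_portset_refs "$1" > /dev/null || n=$?
    echo "$n"
}

# Usage: run the lint on the constructed file and report.
if check_portset_refs "$SAMPLE_RULES"; then
    echo "no ipset references in port columns"
else
    echo "found $? rule(s) using an ipset as a port; Shorewall will not compile these"
fi
```

The awk program relies only on default whitespace field splitting, so it works with the space- or tab-aligned layout Shorewall's rules files use; running it on a rules file before `shorewall compile` surfaces exactly the line the compiler would reject.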
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
