Tom Eastep wrote:
>> ---blacklist-----------
>> #ADDRESS/SUBNET PROTOCOL PORT
>> +blacklisted
>> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>> ----------------------
>> (the 'blacklisted' set is loaded automatically when shorewall starts -
>> in the init file).
>>
>> So, that part works as expected, though I have a query - Does the above
>> block incoming AS WELL AS outgoing connections to those subnets
>> included in the ip set?
>>
>
> No -- read 'man shorewall-blacklist'
>

I see! So 'blacklist' in shorewall terms means 'blocking-source-IP-addresses-or-subnets-only'. That's a bit daft! It would have been better if I could ..erm... blacklist connections to AND from IP addresses specified in the blacklist file, otherwise what is the point of calling it, rather misleadingly, 'blacklist' when connections TO the 'blacklisted' IP addresses are still allowed?!

To mitigate this, I now need to create extra rules in my 'rules' file like:

DROP $FW net:+blacklisted

Not very clever, is it? I may as well not bother with this 'blacklist' business and keep everything in one place - in the rules file - and create a pair of such rules to block everything.

>> Second query - I could not manage to make my portmap sets work in my
>> shorewall rules file. When I try the following:
>>
>> --------rules-------
>> #############################################################################
>> #ACTION  SOURCE  DEST  PROTO  DEST     SOURCE   ORIGINAL  RATE   USER/  MARK
>> #                            PORT     PORT(S)  DEST      LIMIT  GROUP
>>
>> ACCEPT   $FW     net   tcp   +ip-portmap-set
>> -------------------
>>
>>
>> and try to compile the above I get an error that the service
>> '+ip-portmap-set' is not recognised (the set is of type portmap and is
>> already loaded with the ipsets -R - no problem).
>>
>
> Nowhere in the Shorewall documentation will you find any claim that such
> a construct will work. It won't.
>

Read the above again - where did I state that I expected it to 'work'? I am getting an error, so it is obvious that it is not working, hence my initial query. The idea was to use the portmap sets with shorewall in the same way I use ipmap/iptreemap ones. That was the whole reason for my second query - I thought that was pretty clear (well, not for you, obviously).

Oh, and you can dispense with the arsey comments - I asked for a bit of help; if you can't (or are unwilling to) provide such help, then don't bother - move along, nothing to see here. Simple as really!

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
