On 8/9/10 5:53 AM, Vieri Di Paola wrote:
> Hi,
> 
> I'm trying to figure out how to interrupt a connection temporarily.
> 
> Suppose I want to stop traffic going to 123.123.123.123 then re-allow it 
> later on.
> 
> I have BLACKLISTNEWONLY=Yes in shorewall.conf.
> 
> On my shorewall bridge I run:
> # tcpkill -i br0 "dst host 123.123.123.123"
> 
> This interrupts my TCP connection as expected.
> 
> # shorewall show connections | grep  123.123.123.123
> tcp      6 5 CLOSE src=10.215.144.48 dst=123.123.123.123 sport=2187 dport=80 
> packets=284 bytes=11908 src=123.123.123.123 dst=10.215.144.48 sport=80 
> dport=2187 packets=618 bytes=773183 [ASSURED] mark=0 use=1
> 
> After a short while the above command yields no output.
> 
> Then I run:
> # shorewall reject 123.123.123.123
> 123.123.123.123 Rejected
> 
> However, if I try to connect I succeed when I shouldn't be able to.
> 
> Do I need to set "blacklist" in the interfaces file?

Shorewall blacklisting blacklists the SOURCE address, not the
DESTINATION address. From the 'show connections' output, the original
connection was TO 123.123.123.123, not FROM that host.

So after blacklisting that IP, you can still connect to it.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
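The point Tom makes can be checked mechanically against the 'show connections' output: conntrack prints the original direction of a flow first (the host that opened it is the first src=), then the reply direction. The script below is an added example, not part of this thread or of Shorewall itself; it parses the line Vieri pasted (re-typed here as a constructed sample) and reports whether a source-address blacklist of a given IP would apply to the host that opened the connection.

```python
import re

# Constructed sample: the conntrack line quoted in the original post, re-typed.
SAMPLE = (
    "tcp      6 5 CLOSE src=10.215.144.48 dst=123.123.123.123 sport=2187 dport=80 "
    "packets=284 bytes=11908 src=123.123.123.123 dst=10.215.144.48 sport=80 "
    "dport=2187 packets=618 bytes=773183 [ASSURED] mark=0 use=1"
)

# Each direction of a conntrack entry is printed as "src=A dst=B ...".
PAIR = re.compile(r"src=(\S+)\s+dst=(\S+)")


def parse_tuples(line):
    """Return ((orig_src, orig_dst), (reply_src, reply_dst)) for one conntrack line.

    conntrack prints the original direction first and the reply direction second,
    so the first src= is the host that initiated the connection.
    """
    pairs = PAIR.findall(line)
    if len(pairs) < 2:
        raise ValueError("not a conntrack entry with both directions: %r" % line)
    return pairs[0], pairs[1]


def blacklist_matches(line, ip):
    """True if a SOURCE-address blacklist of `ip` would apply to the initiator of this flow.

    Shorewall's blacklist matches the source address, so it only affects
    connections that the blacklisted host opened, never connections made to it.
    """
    (orig_src, _orig_dst), _reply = parse_tuples(line)
    return orig_src == ip


def explain(line, ip):
    """Human-readable verdict, in the same terms as the mailing-list answer."""
    (orig_src, orig_dst), _reply = parse_tuples(line)
    if orig_src == ip:
        return "%s opened this connection (to %s): a source blacklist applies" % (ip, orig_dst)
    if orig_dst == ip:
        return "this connection was made TO %s (from %s): a source blacklist does not apply" % (ip, orig_src)
    return "%s does not appear in the original direction of this entry" % ip


if __name__ == "__main__":
    for ip in ("123.123.123.123", "10.215.144.48"):
        print(explain(SAMPLE, ip))
```

Run it and the first verdict matches Tom's reading: 123.123.123.123 is the destination of the original direction, so `shorewall reject 123.123.123.123` does not touch this flow. Blocking traffic to a destination is done with an ordinary rule that names the address in the DEST column of the rules file rather than with the blacklist.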


Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
