On 1/26/11 4:24 AM, Michele Petrazzo - Unipex wrote:
> Hi list,
> I need to block all the traffic to an ip, still leaving the forward in
> ACCEPT mode, so I modified the rules file like:
>
> REJECT loc net:1.1.1.1 all
>
> but I continue to have access to that address (1.1.1.1).
> Seeing the rules created, I see that my reject is never matched, also if I
> try a "telnet 1.1.1.1 80"
>
> Chain loc2net (1 references)
> pkts bytes target prot opt in out source destination
> 5099 267K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
> 0 0 reject all -- * * 0.0.0.0/0 1.1.1.1
>
> (I put a log rule at top and I see that it's matched and on the log:
>
> IN=eth1 OUT=eth0 SRC=192.168.1.103 DST=1.1.1.1 LEN=60 TOS=0x10 PREC=0x00
> TTL=63 ID=3081 DF PROTO=TCP SPT=55889 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
>
> Now?
Are you using a proxy like Squid? If so, that is bypassing the rule.

Otherwise, please collect the output of 'shorewall dump' and submit it along with the information requested at http://www.shorewall.net/support.htm#Guidelines.

Thank you,
-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
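An added diagnostic, not from the thread or from Shorewall itself: it parses an `iptables -L loc2net -v -n` listing like the one quoted above and reports whether the blocking rule is shadowed by an earlier unconditional ACCEPT, or is reachable but has never matched. The latter is the symptom here and means the packets are being consumed before this filter chain, which is consistent with a nat-table REDIRECT to a transparent proxy such as Squid. The sample dump is transcribed from the post; the function names and status strings are my own.

```python
import ipaddress

# Constructed sample, transcribed from the chain dump quoted in the post.
SAMPLE_DUMP = """\
Chain loc2net (1 references)
 pkts bytes target prot opt in out source destination
 5099  267K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
    0     0 reject all -- * * 0.0.0.0/0 1.1.1.1
"""

# Column order of `iptables -L -v -n`; anything after 'destination' is a match option.
FIELDS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "src", "dst")

# Lowercase 'reject' is Shorewall's own reject chain, so it counts as a blocking target.
BLOCKING = {"reject", "REJECT", "DROP"}


def parse_chain(dump):
    """Return one dict per rule line; trailing tokens (ctstate ...) go into 'extra'."""
    rules = []
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) < len(FIELDS) or not parts[0].isdigit():
            continue  # skip the 'Chain ...' banner and the column header
        rule = dict(zip(FIELDS, parts))
        rule["pkts"] = int(rule["pkts"])
        rule["extra"] = " ".join(parts[len(FIELDS):])
        rules.append(rule)
    return rules


def covers(cidr, host):
    """True if the rule's address field (host or CIDR) includes `host`."""
    return ipaddress.ip_address(host) in ipaddress.ip_network(cidr, strict=False)


def diagnose(rules, host):
    """Explain why traffic to `host` may still pass this chain."""
    for idx, rule in enumerate(rules):
        if rule["target"] in BLOCKING and covers(rule["dst"], host):
            # An earlier ACCEPT with no extra match conditions shadows the block outright.
            for prev in rules[:idx]:
                if prev["target"] == "ACCEPT" and covers(prev["dst"], host) and not prev["extra"]:
                    return "shadowed"
            # Reachable but never hit: the packets are diverted before this chain.
            return "never-matched" if rule["pkts"] == 0 else "matching"
    return "no-rule"


if __name__ == "__main__":
    print(diagnose(parse_chain(SAMPLE_DUMP), "1.1.1.1"))  # never-matched
```

A "never-matched" result is the cue to look at the nat table (`shorewall dump` includes it) rather than at the filter rule itself.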
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
