On 04/28/2011 12:56 AM, Tom Eastep wrote:
> On Apr 27, 2011, at 2:25 PM, Mr Dash Four <[email protected]> wrote:
> This is not a Shorewall restriction but is rather a restriction of ipsets
> while on an old system with shorewall 3.4.8 on it it passes OK.
> Can you read?
> I can read fine. But the OP's assertion that this worked in Shorewall 3 is
> nonsense. The syntax shown in his rule wasn't introduced until Shorewall 4.4.14.
> -Tom
Tom,
a) I am sorry about the syntax simplification (I always try to express myself
in a *non-nonsense* manner).
b) I know that it was introduced in 4.4.14 (I have read the list for almost a
decade).
c) I have stated that this rule *passes*. Well, I am sorry, I should have stated
*"the similar rule passes"*.
d) I am *not* a law professional who tries to defend his case.
e) I rarely use the term *nonsense* for other people; I find it kind of rude,
offensive and aggressive.
So the actual rule used for 3.4.8 is:
#--------------------------------
DNAT loc:$LOCIF:!+net_direct,+noproxyhosts,+abusers dmz:$SQSRV:$PROXYPORT tcp 80 - !+no_squid_hosts,+no_squid_nets
#--------------------------------
The variables used are self-explanatory, while

Shorewall version
3.4.8

Shorewall show nat

indicates in the segment of interest:
Chain excl_9 (1 references)
 pkts bytes target prot opt in  out source    destination
 2529  162K RETURN all  --  *   *   0.0.0.0/0 0.0.0.0/0  set net_direct src
    0     0 RETURN all  --  *   *   0.0.0.0/0 0.0.0.0/0  set noproxyhosts src
    0     0 RETURN all  --  *   *   0.0.0.0/0 0.0.0.0/0  set abusers src
    1    48 RETURN all  --  *   *   0.0.0.0/0 0.0.0.0/0  set no_squid_hosts dst
    1    52 RETURN all  --  *   *   0.0.0.0/0 0.0.0.0/0  set no_squid_nets dst
12144  641K DNAT   tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  to:10.0.173.5:3128
The rule is tested and it works OK so far.
--------------------------------------------------------------------------------------------------------------
If wished, I can provide a shorewall dump.
Other than that,
I rest my case and speak no more.
Regards
Harry
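An added example, not part of Harry's message and not Shorewall's own code: a small check that the exclusion chain printed by "shorewall show nat" (the excl_9 chain above, with each rule on one line) carries exactly one RETURN per ipset named with a leading "!+" in the DNAT rule, and nothing but those RETURNs before the real target. The function names and the unwrapped layout of the output are assumptions; the set names and the 10.0.173.5:3128 target are the ones posted.

```python
import re

# Constructed from the excl_9 chain posted in the thread, unwrapped so that
# each iptables rule is one line (the counters are the ones shown there).
SHOW_NAT = """\
Chain excl_9 (1 references)
 pkts bytes target prot opt in out source    destination
 2529  162K RETURN all  --  *  *  0.0.0.0/0  0.0.0.0/0  set net_direct src
    0     0 RETURN all  --  *  *  0.0.0.0/0  0.0.0.0/0  set noproxyhosts src
    0     0 RETURN all  --  *  *  0.0.0.0/0  0.0.0.0/0  set abusers src
    1    48 RETURN all  --  *  *  0.0.0.0/0  0.0.0.0/0  set no_squid_hosts dst
    1    52 RETURN all  --  *  *  0.0.0.0/0  0.0.0.0/0  set no_squid_nets dst
12144  641K DNAT   tcp  --  *  *  0.0.0.0/0  0.0.0.0/0  to:10.0.173.5:3128
"""

# Matches an ipset rule line: counters, target, ..., "set NAME src|dst".
SET_RULE = re.compile(r"^\s*\d+\s+\S+\s+(\S+)\s+.*\bset\s+(\S+)\s+(src|dst)\s*$")

def parse_exclusion(spec):
    """'!+a,+b' -> ['a', 'b']: the ipsets excluded by a leading '!'."""
    if not spec.startswith("!"):
        return []
    return [s.lstrip("+") for s in spec[1:].split(",")]

def parse_chain(text):
    """Return [(target, set_name, direction), ...] in chain order."""
    rules = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 3 or not cols[0].isdigit():
            continue  # 'Chain ...' and column-header lines carry no rule
        m = SET_RULE.match(line)
        rules.append((cols[2], m.group(2), m.group(3)) if m else (cols[2], None, None))
    return rules

def chain_matches_rule(text, src_excl, dst_excl):
    """True if every excluded set has a RETURN and the real target comes last."""
    rules = parse_chain(text)
    if not rules or rules[-1][0] == "RETURN":
        return False
    *excl, _final = rules
    if any(t != "RETURN" for t, _, _ in excl):
        return False  # something other than an exclusion precedes the target
    got = {(s, d) for _, s, d in excl}
    want = {(s, "src") for s in parse_exclusion(src_excl)}
    want |= {(d, "dst") for d in parse_exclusion(dst_excl)}
    return got == want
```

Feed it the SOURCE exclusion part of the rule ("!+net_direct,+noproxyhosts,+abusers") and the ORIGINAL DEST column ("!+no_squid_hosts,+no_squid_nets") to confirm the compiled chain matches what the rule asked for.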
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users