> On Apr 27, 2011, at 2:25 PM, Mr Dash Four<[email protected]>  wrote:
>
>>> This is not a Shorewall restriction but is rather a restriction of ipsets
>>>
>>>> while on an old system with shorewall 3.4.8 on it it passes OK.
>>>>
>> Can you read?
>>
> I can read fine. But the OP's assertion that this worked in Shorewall 3 is 
> nonsense. The syntax shown in his rule wasn't introduced until Shorewall 
> 4.4.14.
>
> -Tom
( Sorry for the previous HTML message )

Tom,
a) I am sorry about the syntax simplification (I always try to express myself 
in a *non-nonsense* manner).
b) I know that it was introduced in 4.4.14 (I have read the list for almost a 
decade).
c) I've stated that this rule *passes*. Well, I am sorry, I should have stated 
*"The similar rule passes"*.
d) I am *not* a law professional that tries to defend his case.
e) I rarely use the term *nonsense* for other people; I find it kind of rude, 
offensive and aggressive.


So the actual rule used for 3.4.8 is:

#--------------------------------

DNAT    loc:$LOCIF:!+net_direct,+noproxyhosts,+abusers  dmz:$SQSRV:$PROXYPORT   tcp     80      -      !+no_squid_hosts,+no_squid_nets

#--------------------------------

The variables used are self-explanatory.

while

Shorewall version
3.4.8

Shorewall show nat
  
indicates, in the segment of interest:

Chain excl_9 (1 references)
  pkts bytes target     prot opt in     out     source               destination
  2529  162K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            set net_direct src
     0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            set noproxyhosts src
     0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            set abusers src
     1    48 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            set no_squid_hosts dst
     1    52 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            set no_squid_nets dst
 13506  711K DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            to:10.0.173.5:3128
  
--------------------------------------------------------------------------------------------------------------

The rule is tested and it works OK so far.
If wished, I can provide a shorewall dump.
Other than that, I rest my case and speak no more.

Regards
Harry
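As an added illustration (not part of Harry's mail and not Shorewall's own compiler), the script below models what the rule above turns into: each `!+set` exclusion in the SOURCE column becomes a RETURN on a `src` set match, each one in the ORIGDEST column a RETURN on a `dst` set match, and the DNAT comes last, which is exactly the shape of the `excl_9` chain in the listing. It then parses that listing (copied from the mail, wrapped lines rejoined) and confirms every exclusion is evaluated before the DNAT. The values of `$LOCIF`, `$SQSRV` and `$PROXYPORT` and the jump from PREROUTING are assumptions; the chain name `excl_9` is taken from the mail.

```python
"""Simplified model of a Shorewall DNAT rule with ipset exclusions, plus a
check on a `shorewall show nat` chain listing.  Added example, not Shorewall."""
import re

# Assumed values for the shell variables the rule references (not in the mail).
VARS = {"LOCIF": "eth1", "SQSRV": "10.0.173.5", "PROXYPORT": "3128"}

# The rule from the mail on one line:
# ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
RULE = ("DNAT loc:$LOCIF:!+net_direct,+noproxyhosts,+abusers "
        "dmz:$SQSRV:$PROXYPORT tcp 80 - !+no_squid_hosts,+no_squid_nets")

# `shorewall show nat` excerpt from the mail, wrapped lines rejoined.
LISTING = """\
Chain excl_9 (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2529  162K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            set net_direct src
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            set noproxyhosts src
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            set abusers src
    1    48 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            set no_squid_hosts dst
    1    52 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            set no_squid_nets dst
13506  711K DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            to:10.0.173.5:3128
"""


def expand(text, variables):
    """Substitute $NAME shell-style variables."""
    return re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], text)


def split_exclusions(column):
    """Split 'zone:iface:!+s1,+s2' into ('zone:iface', ['s1', 's2'])."""
    if "!" not in column:
        return column.rstrip(":"), []
    keep, excl = column.split("!", 1)
    sets = [item[1:] for item in excl.split(",") if item.startswith("+")]
    return keep.rstrip(":"), sets


def expected_exclusions(rule, variables):
    """(set, direction) pairs that must RETURN before the DNAT fires."""
    fields = expand(rule, variables).split()
    _, src_sets = split_exclusions(fields[1])
    od_sets = split_exclusions(fields[6])[1] if len(fields) > 6 and fields[6] != "-" else []
    return [(s, "src") for s in src_sets] + [(s, "dst") for s in od_sets]


def compile_rule(rule, variables, chain="excl_9"):
    """iptables-save style lines modelling Shorewall's expansion (assumed jump from PREROUTING)."""
    fields = expand(rule, variables).split()
    action, source, dest, proto, dport = fields[:5]
    src_keep, _ = split_exclusions(source)
    iface = src_keep.split(":")[1] if ":" in src_keep else None
    _, addr, port = dest.split(":")          # zone:address:port
    lines = [f"-A PREROUTING -i {iface} -p {proto} --dport {dport} -j {chain}"]
    # Every excluded set leaves the chain before the DNAT is reached.
    for s, direction in expected_exclusions(rule, variables):
        lines.append(f"-A {chain} -m set --match-set {s} {direction} -j RETURN")
    lines.append(f"-A {chain} -p {proto} --dport {dport} -j {action} --to-destination {addr}:{port}")
    return lines


def parse_chain(listing):
    """Ordered entries from an iptables -nvL chain: ('RETURN', set, dir) or ('DNAT', target)."""
    entries = []
    for line in listing.splitlines():
        tok = line.split()
        if len(tok) < 3 or not tok[0].isdigit():
            continue                          # skip 'Chain ...' and header lines
        if tok[2] == "RETURN" and "set" in tok:
            i = tok.index("set")
            entries.append(("RETURN", tok[i + 1], tok[i + 2]))
        elif tok[2] == "DNAT":
            entries.append(("DNAT", tok[-1].split("to:", 1)[-1]))
    return entries


def exclusions_precede_dnat(listing, expected):
    """True iff each expected (set, dir) RETURN sits above the first DNAT in the chain."""
    entries = parse_chain(listing)
    dnat_at = [i for i, e in enumerate(entries) if e[0] == "DNAT"]
    if not dnat_at:
        return False
    before = {(e[1], e[2]) for e in entries[:dnat_at[0]] if e[0] == "RETURN"}
    return all(pair in before for pair in expected)


if __name__ == "__main__":
    print("\n".join(compile_rule(RULE, VARS)))
    print("exclusions before DNAT:", exclusions_precede_dnat(LISTING, expected_exclusions(RULE, VARS)))
```

The ordering check is the part worth keeping around: a RETURN placed after the DNAT never fires, so a host that should bypass the proxy would silently be redirected to it.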

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
