On Apr 28, 2011, at 3:31 AM, Harry Lachanas <[email protected]> wrote:
>> On Apr 27, 2011, at 2:25 PM, Mr Dash Four <[email protected]>
>> wrote:
>>
>>>> This is not a Shorewall restriction but is rather a restriction of ipsets
>>>>
>>>>> while on an old system with shorewall 3.4.8 on it it passes OK.
>>>>>
>>> Can you read?
>>>
>> I can read fine. But the OP's assertion that this worked in Shorewall 3 is
>> nonsense. The syntax shown in his rule wasn't introduced until Shorewall
>> 4.4.14.
>>
>> -Tom
>
> ( Sorry for the previous HTML message )
>
> Tom,
>
> a) I am sorry about the syntax simplification ( I always try to express
>    myself in a *non-nonsense* manner ).
> b) I know that it is introduced in 4.4.14 ( I read the list for a decade
>    almost ).
> c) I've stated that this rule *passes*. Well, I am sorry, I should have stated
>    *"The similar rule passes"*.
> d) I am *not* a law professional that tries to defend his case.
> e) I rarely use the term *nonsense* for other people; I find it kind of rude,
>    offensive and aggressive.
>
> So the actual rule used for 3.4.8 is:
>
> #--------------------------------
>
> DNAT loc:$LOCIF:!+net_direct,+noproxyhosts,+abusers dmz:$SQSRV:$PROXYPORT tcp 80 - !+no_squid_hosts,+no_squid_nets
>
> #--------------------------------
>
> The variables used are self-explanatory,
>
> while
>
> Shorewall version
> 3.4.8
>
> shorewall show nat
> indicates in the segment of interest:
>
> Chain excl_9 (1 references)
>  pkts bytes target prot opt in  out source     destination
>  2529  162K RETURN all  --  *   *   0.0.0.0/0  0.0.0.0/0    set net_direct src
>     0     0 RETURN all  --  *   *   0.0.0.0/0  0.0.0.0/0    set noproxyhosts src
>     0     0 RETURN all  --  *   *   0.0.0.0/0  0.0.0.0/0    set abusers src
>     1    48 RETURN all  --  *   *   0.0.0.0/0  0.0.0.0/0    set no_squid_hosts dst
>     1    52 RETURN all  --  *   *   0.0.0.0/0  0.0.0.0/0    set no_squid_nets dst
> 13506  711K DNAT   tcp  --  *   *   0.0.0.0/0  0.0.0.0/0    to:10.0.173.5:3128
> --------------------------------------------------------------------------------------------------------------
>
> The rule is tested and it works OK so far.
> If wished, I can provide a shorewall dump.
>
> Other than that,
> I rest my case and speak no more.

I stand humbly corrected and I'll see what I can do about restoring that
functionality in Shorewall 4.4.19.

-Tom

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
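As an added illustration (not code from the thread or from Shorewall itself): a small Python model of how the 3.4.8 rule above maps onto the excl_9 chain that "shorewall show nat" printed, and of the resulting semantics, where membership in any one excluded set bypasses the proxy DNAT. Set names, chain name and DNAT target are the ones quoted in the thread; the port-80 match is assumed to live in the chain that references excl_9, and the hypothetical helper names are mine.

```python
"""Model of the ipset exclusion chain seen in the thread (constructed example)."""
from typing import List, Set

# Parsed form of the quoted rule:
#   DNAT loc:$LOCIF:!+net_direct,+noproxyhosts,+abusers dmz:$SQSRV:$PROXYPORT tcp 80 - !+no_squid_hosts,+no_squid_nets
SRC_EXCLUDED = ["net_direct", "noproxyhosts", "abusers"]
DST_EXCLUDED = ["no_squid_hosts", "no_squid_nets"]
DNAT_TARGET = "10.0.173.5:3128"   # from the quoted 'shorewall show nat' output


def parse_exclusion(spec: str) -> List[str]:
    """Turn '!+a,+b' into ['a', 'b']; '-' or an empty spec means no exclusion."""
    if spec in ("", "-"):
        return []
    if not spec.startswith("!"):
        raise ValueError("only exclusion lists (leading '!') are modelled here")
    return [item.lstrip("+") for item in spec[1:].split(",") if item]


def build_excl_chain(src_sets: List[str], dst_sets: List[str],
                     target: str = DNAT_TARGET, chain: str = "excl_9") -> List[str]:
    """iptables-restore style rules matching the quoted chain: one RETURN per
    excluded set (source sets matched as 'src', destination sets as 'dst'),
    then the DNAT. '--set' is the ipset 4.x spelling of the match shown in
    the thread; current iptables spells it '--match-set'."""
    rules = [f"-A {chain} -m set --set {s} src -j RETURN" for s in src_sets]
    rules += [f"-A {chain} -m set --set {d} dst -j RETURN" for d in dst_sets]
    # Assumption: the tcp/dport 80 match sits in the chain that jumps to excl_9.
    rules.append(f"-A {chain} -p tcp -j DNAT --to-destination {target}")
    return rules


def redirected(pkt_src_sets: Set[str], pkt_dst_sets: Set[str],
               src_sets: List[str] = SRC_EXCLUDED,
               dst_sets: List[str] = DST_EXCLUDED) -> bool:
    """Walk the chain as the kernel does: the first matching RETURN ends the
    chain without DNAT, so a client in ANY excluded set, or a destination in
    ANY excluded set, is not sent to the proxy."""
    if any(s in pkt_src_sets for s in src_sets):
        return False
    if any(d in pkt_dst_sets for d in dst_sets):
        return False
    return True
```

The second function is the defender's check: every name added to net_direct, noproxyhosts or abusers is a host whose port-80 traffic silently stops going through the proxy.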
