On Sun, 15 May 2011 02:06:12 +0000 [email protected] wrote:
> From: Tom Eastep <[email protected]>
> To: Shorewall Users <[email protected]>
> Subject: Re: [Shorewall-users] creating pinholes in blacklist and blackout
> Date: Sat, 14 May 2011 18:57:47 -0700
> Reply-To: Shorewall Users <[email protected]>
>
> On May 14, 2011, at 6:42 PM, Mr Dash Four wrote:
>
> > Is there a way I could use the above two jump targets in my rules file?
> >
> > The reason is that for some hosts (well, ipset, actually) I would like the blacklist/blackout checks to be bypassed. Currently I have the following rather ugly hack in "start":
> >
> > run_iptables -R fw2net 1 -m set ! --match-set whitelist dst -j blackout
> > run_iptables -R net2fw 1 -m set ! --match-set whitelist src -j blacklst
> >
> > If there is a way I could do this in the rules file without reverting to the above that would be perfect. The idea of my "whitelist" is pretty simple - creating pinholes in the blacklist/blackout chains for hosts/subnets I trust regardless of whether these are blacklisted or not.
>
> There is no other way to do that.
>
> -Tom

Not sure exactly what you mean by "pinholes" (forgive me if I'm off-base), but one thing you may want to consider is using the "iptreemap" type of ipset. The iptree and iptreemap ipset types are unique in that you can populate a set and then selectively remove smaller pieces from it. In other words, you can add a network to it and then delete a subnet or address of that network, and the ipset will dynamically (and instantaneously) break the previous entry into two parts around the subnet you have removed. In the other (non-tree) ipset types, you can only delete the exact entries you have created. If you put in a network, you can take out that network, but you can't take out just part of it.

So, creating a "pinhole" (unless I misunderstood what you mean by it) would require you to delete the network, calculate the subnets that should remain once your "pinhole" is removed, and then add back those subnets. The "tree" types of ipset take care of that for you.

Example script (scroll down to the one about iptreemap): http://forums.gentoo.org/viewtopic-t-863121.html
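The "delete the network, calculate the subnets that should remain, and add them back" step described in the reply above is what a non-tree set (for example hash:net) forces you to do by hand. The following is an added example, not code from the thread, from Shorewall or from the ipset project: it carves trusted hosts or subnets out of blocked networks with Python's `ipaddress` module and renders `ipset restore` input for the result. The set name `blacklist`, the `matches` helper (which only emulates the `-m set --match-set ... src` lookup) and the addresses, taken from the documentation ranges, are all hypothetical.

```python
"""Pinholes in a blacklist without a tree-type ipset.

Added example, not from the thread or from Shorewall/ipset. Removes
trusted hosts/subnets from blocked networks the way a non-tree set
requires: delete the block, compute what remains around the hole, and
add those pieces back. Set names and addresses are hypothetical.
"""
import ipaddress
from typing import Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def pinhole(blocked: Iterable[str], trusted: Iterable[str]) -> List[Net]:
    """Return the minimal CIDR cover of (blocked - trusted), sorted.

    Each trusted host or subnet is carved out of every blocked block that
    contains it; a blocked block lying entirely inside a trusted range is
    dropped; blocks that don't overlap a trusted range are kept as-is.
    """
    remaining: List[Net] = [ipaddress.ip_network(b, strict=False) for b in blocked]
    for t in trusted:
        hole = ipaddress.ip_network(t, strict=False)
        carved: List[Net] = []
        for net in remaining:
            if net.version != hole.version:
                carved.append(net)            # v4 vs v6 cannot overlap
            elif hole.subnet_of(net):
                # address_exclude splits `net` into the CIDR blocks that
                # surround `hole` (it yields nothing when hole == net).
                carved.extend(net.address_exclude(hole))
            elif net.subnet_of(hole):
                pass                          # whole block is trusted: drop
            else:
                carved.append(net)
        remaining = carved
    # collapse_addresses re-merges adjacent halves into their supernet and
    # sorts; it needs a single address family per call.
    v4 = [n for n in remaining if n.version == 4]
    v6 = [n for n in remaining if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(
        ipaddress.collapse_addresses(v6))


def matches(nets: Iterable[Net], addr: str) -> bool:
    """Emulate `-m set --match-set <set> src`: is addr inside any block?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def ipset_restore(setname: str, nets: Iterable[Net], family: str = "inet") -> str:
    """Render `ipset restore` input that rebuilds a hash:net set from nets.

    A set holds one address family, so mixed input is rejected. Load the
    output with `ipset -exist restore < file` so an existing set of the
    same name is reused instead of raising an error.
    """
    nets = list(nets)
    want = 4 if family == "inet" else 6
    if any(n.version != want for n in nets):
        raise ValueError("all networks must match the set's address family")
    lines = [f"create {setname} hash:net family {family}", f"flush {setname}"]
    lines += [f"add {setname} {n}" for n in nets]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed input: block a documentation /24 but trust one host in it.
    keep = pinhole(["203.0.113.0/24"], ["203.0.113.77"])
    print(ipset_restore("blacklist", keep), end="")
    print("# 203.0.113.77 blocked:", matches(keep, "203.0.113.77"))
    print("# 203.0.113.78 blocked:", matches(keep, "203.0.113.78"))
```

Cutting a single /32 out of a /24 leaves eight blocks (one per prefix length from /25 down to /32), which is the bookkeeping the reply says an iptreemap set does for you on `ipset -D`. With a hash:net set you would regenerate and reload this list every time the whitelist changes, whereas the `! --match-set whitelist` rule in the quoted hack keeps the blacklist intact and skips it for trusted sources instead.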
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
