>>> Seems like that is what an exclusion list in the blacklist file does.
>>>
>>
>> Is this currently implemented as I am not aware of such functionality in
>> blacklist?
>>
>
> Yes -- it's supported. I've updated the on-line manpages to mention that
> capability.
>

That isn't really what I am after. Here is what happens:

blacklist
~~~~~~~~~
!+whitelist

shorewall show blackout
~~~~~~~~~~~~~~~~~~~~~~~
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ! match-set whitelist dst
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set ... dst

That would DROP packets which do not belong to the whitelist set! In addition, the checks continue to propagate down the chain if there isn't a match (i.e. the dest IP address matches the whitelist). Not what I am after at all. I need to bypass all checks (blacklst/blackout) if there is a whitelist match.
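
An added illustration, not part of the original message and not Shorewall's code: a small Python model of first-match chain traversal that compares the two rules shown in the output above with a chain that begins with a RETURN on a whitelist match. The set name `blacklist` (standing in for the elided set), the sample addresses and the RETURN-first chain are assumptions made for the example.

```python
# Toy model of first-match traversal of a user chain (constructed example).
# Rule = (target, set_name, negate); every rule tests the destination address.

# Constructed sample sets; "blacklist" stands in for the set elided as "...".
SETS = {
    "whitelist": {"192.0.2.10", "192.0.2.11"},
    "blacklist": {"203.0.113.5", "192.0.2.11"},  # .11 is in both sets
}

# The two rules from the 'shorewall show blackout' output in the message.
GENERATED = [
    ("DROP", "whitelist", True),    # DROP ... ! match-set whitelist dst
    ("DROP", "blacklist", False),   # DROP ... match-set <set> dst
]

# Assumed alternative: leave the chain as soon as the whitelist matches.
RETURN_FIRST = [
    ("RETURN", "whitelist", False),
    ("DROP", "blacklist", False),
]


def traverse(chain, dst, sets=SETS):
    """Return (verdict, rule_number); rule_number is None on fall-through."""
    for number, (target, set_name, negate) in enumerate(chain, start=1):
        matched = (dst in sets[set_name]) != negate
        if matched:
            return target, number
    return "RETURN", None  # end of a user chain returns to the caller


def compare(dst):
    """Verdicts of both chains for one destination address."""
    return {"generated": traverse(GENERATED, dst),
            "return_first": traverse(RETURN_FIRST, dst)}


if __name__ == "__main__":
    for dst in ("198.51.100.7", "192.0.2.10", "192.0.2.11", "203.0.113.5"):
        print(dst, compare(dst))
```

In the model, an address in neither set is dropped by rule 1 of the generated chain, and an address in both sets passes rule 1 only to be dropped by rule 2; with the RETURN-first chain both leave the chain without a DROP.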
