On Wed, 18 May 2011 00:35:16 +0000 [email protected] wrote:
> That isn't really what I am after. Here is what happens:
>
> blacklist
> ~~~~~~~~~
> !+whitelist
>
> shorewall show blackout
> ~~~~~~~~~~~~~~~~~~~~~~~
> 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ! match-set whitelist dst
> 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set ... dst
>
> That would DROP packets which do not belong to the whitelist set! In
> addition, the checks continue to propagate down the chain if there
> isn't a match (i.e. the dest IP address matches the whitelist). Not
> what I am after at all. I need to bypass all checks
> (blacklst/blackout) if there is a whitelist match.

You're doing it wrong. Think of it as two clauses:

    <what_to_block>!<what_to_exclude_from_that>

If you're using only ipsets, it would look like this:

    +blocklist!+whitelist

If you have multiple ipsets in your blacklist file, and any of them could contain trusted addresses, then you'd probably want to do one of the following:

a) include the whitelist exclusion with each:

    +blocklist!+whitelist
    +redlist!+whitelist
    +shitlist!+whitelist

or;

b) combine the ipsets into a setlist, reducing your matching against the ipsets from six to two netfilter operations:

    ipset create blacklist list:set size 3
    ipset add blacklist blocklist
    ipset add blacklist redlist
    ipset add blacklist shitlist

then you can use that setlist as a single entry in your blacklist file, with an exclusion clause:

    +blacklist!+whitelist
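The difference between the poster's `!+whitelist` line and the `<what_to_block>!<what_to_exclude>` form in the reply comes down to how netfilter walks the generated rules: a packet is dropped by the first rule whose match-set tests all succeed, so a rule that only negates the whitelist drops every non-whitelisted packet. The following simulation is an added example, not Shorewall or ipset code from the thread; the set contents (RFC 5737 and RFC 1918 ranges, with the trusted host 198.51.100.7 placed inside the blocked range) are constructed, the `blacklist` list:set mirrors the `ipset create` commands above, and direction (`src`/`dst`) is ignored.

```python
import ipaddress

# Constructed ipsets standing in for 'ipset list' output. One trusted host
# (198.51.100.7) sits inside a blocked range so the exclusion matters.
IPSETS = {
    "blocklist": ["198.51.100.0/24"],
    "redlist":   ["203.0.113.0/24"],
    "shitlist":  ["192.0.2.0/24"],
    "whitelist": ["198.51.100.7/32", "10.0.0.0/8"],
    # list:set as created with 'ipset create blacklist list:set size 3'
    "blacklist": ["blocklist", "redlist", "shitlist"],
}


def match_set(ip, setname, ipsets=IPSETS):
    """True if ip is a member of the named set; a list:set member is
    tested by checking each of its member sets in turn."""
    addr = ipaddress.ip_address(ip)
    for member in ipsets[setname]:
        if member in ipsets:                      # nested set inside a list:set
            if match_set(ip, member, ipsets):
                return True
        elif addr in ipaddress.ip_network(member):
            return True
    return False


def rule(*matches):
    """One DROP rule made of match-set tests; each test is (setname, negated)."""
    return [(name, negated) for name, negated in matches]


def walk_chain(chain, ip):
    """The first rule whose tests all succeed jumps to DROP; otherwise the
    packet falls off the end of the chain and filtering continues."""
    for matches in chain:
        if all(match_set(ip, name) != negated for name, negated in matches):
            return "DROP"
    return "CONTINUE"


def set_ops(chain):
    """Worst-case number of match-set evaluations per packet."""
    return sum(len(matches) for matches in chain)


# Blacklist file '!+whitelist' (the poster's first attempt): a rule that
# negates the whitelist and matches nothing else.
CHAIN_NEGATED_ONLY = [rule(("whitelist", True))]

# '+blocklist!+whitelist' and friends: block clause plus exclusion per line.
CHAIN_PER_SET = [
    rule(("blocklist", False), ("whitelist", True)),
    rule(("redlist", False), ("whitelist", True)),
    rule(("shitlist", False), ("whitelist", True)),
]

# '+blacklist!+whitelist' with blacklist being the list:set of all three.
CHAIN_SETLIST = [rule(("blacklist", False), ("whitelist", True))]


def compare(ip):
    """Verdict each layout gives for one destination address."""
    return {
        "negated_only": walk_chain(CHAIN_NEGATED_ONLY, ip),
        "per_set": walk_chain(CHAIN_PER_SET, ip),
        "setlist": walk_chain(CHAIN_SETLIST, ip),
    }


if __name__ == "__main__":
    for ip in ("8.8.8.8", "198.51.100.7", "198.51.100.9", "203.0.113.5"):
        print(ip, compare(ip))
    print("match-set ops per packet:", set_ops(CHAIN_PER_SET), "vs",
          set_ops(CHAIN_SETLIST))
```

Running it shows 8.8.8.8, which is in no list at all, dropped only by the negated-only layout; the whitelisted 198.51.100.7 passing every layout even though it is inside blocklist; and the two correct layouts agreeing on every address while the setlist version needs two match-set evaluations per packet instead of six.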
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
