> If you're using only ipsets, it would look like this:
>
> +blocklist!+whitelist
>
> If you have multiple ipsets in your blacklist file, and any of them
> could contain trusted addresses, then you'd probably want to do one of
> the following:
>
> a) include the whitelist exclusion with each:
>
> +blocklist!+whitelist
> +redlist!+whitelist
> +shitlist!+whitelist
>
> or;
> b) combine the ipsets into a setlist, reducing your matching against
> the ipsets from six to two netfilter operations:
>
> ipset create setlist blacklist size 3
> ipset add blacklist blocklist
> ipset add blacklist redlist
> ipset add blacklist shitlist
>
> then you can use that setlist as a single entry in your blacklist file,
> with an exclusion clause:
>
> +blacklist!whitelist

I do indeed have multiple blacklist sets, and they are split into separate groups for a reason: so that I can track/account how many packets/bytes have been dropped from each group.
Example a) above is quite cumbersome and resource-consuming. Example b) won't give me the information I have gathered previously (otherwise I would have lumped all blacklists together in one massive set and got on with it), so it looks as though there are two possible solutions:

1) a new implementation of a whitelist in Shorewall; or
2) I stick to my own solution and use the hack I listed in the first post of this thread.

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
