On 8/16/12 1:35 PM, Aaron St. Pierre wrote: > On Thu, Aug 16, 2012 at 1:13 PM, Tom Eastep <[email protected] > <mailto:[email protected]>> wrote: > > On 08/16/2012 09:39 AM, Tom Eastep wrote: > > > While what you did works fine, there is a more efficient way to > handle this. > > > > Add this entry in /etc/shorewall/actions: > > > > Pings # Handle ping from the net > > > > Create /etc/shorewall/action.Pings with this single rule: > > > > ACCEPT $PINGDOM_PROBE_IPS > > > > Replace your entry in /etc/shorewall/rules with: > > > > Pings net $FW_PUB icmp echo-request > > > > The advantage with this approach is that only pings packets are passed > > through the 30 rules that each compare one source ip address, > while your > > approach requires all new connection requests from the net to pass > > through those rules (unless they have been handled by a rule > earlier in > > the file). > > > > An even more efficient way would be to use an ipset to define the > > Pingdom IP addresses, but unless you are running a quite recent > kernel, > > that requires that you install the xtables-addons package. > > I corrected a couple of typos in the quoted text above. > > -Tom > -- > Tom Eastep \ When I die, I want to go like my Grandfather who > Shoreline, \ died peacefully in his sleep. Not screaming like > Washington, USA \ all of the passengers in his car > http://shorewall.net \________________________________________________ > > > > > ------------------------------------------------------------------------------ > Live Security Virtual Conference > Exclusive live event will cover all the ways today's security and > threat landscape has changed and how IT managers can respond. > Discussions > will include endpoint security, mobile security and the latest in > malware > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > _______________________________________________ > Shorewall-users mailing list > [email protected] > <mailto:[email protected]> > https://lists.sourceforge.net/lists/listinfo/shorewall-users > > > > Hi Tom, > > Thanks a lot for the reply! I'm trying to apply the ipsets method as I > have a recent kernel. I'm running 3.4.2. I've figured out how to create > an ipset with the ipset create command. What I've done is created the > ipset called PINGDOM_PROBE_IPS shown here: > > # ipset list > Name: PINGDOM_PROBE_IPS > Type: hash:ip > Header: family inet hashsize 1024 maxelem 65536 > Size in memory: 8284 > References: 0 > Members: > 188.138.118.184 > 188.138.124.110 > > What I don't understand if I can just reference this list directly in > the rules file? In other words is it as simple as: > > Ping(ACCEPT) net:+PINGDOM_PROBE_IPS $FW_PUB > > Thanks again for your help!
It's as simple as that. One more thing though - you should set SAVE_IPSETS=Yes in shorewall.conf and restart Shorewall. Otherwise, your ipset will disappear at the next reboot. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
