On 10/04/2012 12:29 PM, Tom Eastep wrote:
> On 10/04/2012 11:48 AM, I.S.C. William wrote:
>>
>> 2012/10/4 Tom Eastep <[email protected]>
>>
>> On 10/04/2012 11:26 AM, I.S.C. William wrote:
>> >
>> > 2012/10/4 Tom Eastep <[email protected]>
>> >
>> > On 10/04/2012 10:58 AM, I.S.C. William wrote:
>> > > Variable PARAMS file does not work.
>> > >
>> > > Within the file "params"
>> > >
>> > > *MAC_LAN*: ~00-1B-77-91-D5-5E,~00-13-21-FA-56-1B,~00-21-70-35-46-CE
>> > >
>> > > I have the variable:
>> > >
>> > > Within the file "rules" this rule.
>> > >
>> > > REJECT loc:*!MAC_LAN* net tcp 443
>> > >
>> > > But it does not work, the parser cannot read the contents of the
>> > > variable. Is there something that must be enabled for this to work?
>> > >
>> > > I have Shorewall version 4.4.26.1
>> >
>> > params is a shell source file. So it must contain valid shell syntax:
>> >
>> > MAC_LAN="~00-1B-77-91-D5-5E,~00-13-21-FA-56-1B,~00-21-70-35-46-CE"
>> >
>> > -Tom
>> >
>> > I corrected the syntax as I said, but I still cannot use port 443 to
>> > the MAC except this in PARAMS if I can leave.
>> >
>> > These are my policies:
>> >
>> > loc all REJECT info
>> > net all DROP info
>> > fw all ACCEPT
>> >
>> > This is my params variable:
>> >
>> > MAC_LAN:" ~00-1B-77-91-D5-5E,~00-13-21-FA-56-1B,~00-21-70-35-46-CE"
>> >
>> > and my rule this out:
>> >
>> > REJECT loc:!MAC_LAN net tcp 443
>> >
>> > What would be the error?
>>
>> I think you want:
>>
>> ACCEPT loc:$MAC_LAN net tcp 443
>>
>> -Tom
>> --
>> Tom Eastep \ When I die, I want to go like my Grandfather who
>> Shoreline, \ died peacefully in his sleep. Not screaming like
>> Washington, USA \ all of the passengers in his car
>> http://shorewall.net \________________________________________________
>>
>> _______________________________________________
>> Shorewall-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>>
>> ok, this is my real problem, I need to block certain LAN equipment to be
>> secure Internet sites using port 443. For example:
>>
>> Open port 443 to all but those who go to the internet sites segment ()
>> cannot access, only those in the list in the variable PARAMS MAC_LIST.
>>
>> Params file:
>>
>> MAC_LAN="~00-1B-77-91-D5-5E,~00-13-21-FA-56-1B,~00-21-70-35-46-CE"
>> NET_LIST:"69.171.224.0/19,95.100.128.0/20"
>>
>> rules file:
>>
>> ACCEPT loc net tcp 443
>>
>> REJECT loc:!$MAC_LIST net:$NET_LIST
>
> You have the rules in the wrong order!

You need *ONE RULE*

ACCEPT loc:$MAC_LIST net:$NET_LIST

You have a REJECT loc->net policy so anything you don't explicitly ACCEPT
will be REJECTED.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
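A small lint pass, added here as an illustration and not part of the thread or of Shorewall itself, that mechanises the three things Tom points out: a params line must be a shell assignment (`NAME="value"`, not `NAME:"value"`), a rule must reference a variable as `$NAME` and that name must actually be defined (the poster's rules file says `$MAC_LIST` while params defines `MAC_LAN`), and rules are evaluated top to bottom, so an unqualified `ACCEPT loc net tcp 443` placed ahead of a narrower rule makes the narrower rule unreachable. The sample files are constructed from the values quoted in the thread; the function names and the shadowing heuristic (an earlier rule with unqualified zones and the same PROTO/DPORT hides a later, more specific one) are this example's own simplifications, not Shorewall's real matching logic.

```python
import re
import shlex

# Constructed sample files, built from the values quoted in the thread:
# the poster's broken params line, the corrected one, a rules file with
# the original ordering problem, and Tom's single-rule version.
PARAMS_BROKEN = 'MAC_LAN:" ~00-1B-77-91-D5-5E,~00-13-21-FA-56-1B,~00-21-70-35-46-CE"\n'
PARAMS_OK = (
    'MAC_LAN="~00-1B-77-91-D5-5E,~00-13-21-FA-56-1B,~00-21-70-35-46-CE"\n'
    'NET_LIST="69.171.224.0/19,95.100.128.0/20"\n'
)
RULES_BROKEN = (
    '#ACTION  SOURCE          DEST           PROTO  DPORT\n'
    'ACCEPT   loc             net            tcp    443\n'
    'REJECT   loc:!$MAC_LIST  net:$NET_LIST  tcp    443\n'
)
RULES_OK = 'ACCEPT   loc:$MAC_LAN    net:$NET_LIST  tcp    443\n'

ASSIGN_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)=(\S.*)?$')
VAR_RE = re.compile(r'\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?')


def parse_params(text):
    """Read params as the shell source file it is: every non-comment line
    must be NAME=value, and the value is unquoted the way the shell would."""
    params = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            raise ValueError(f'params line {lineno}: not a shell assignment: {line!r}')
        name, value = m.group(1), m.group(2) or ''
        params[name] = ''.join(shlex.split(value))
    return params


def expand_rules(text, params):
    """Substitute $NAME / ${NAME} in rules and report names params never set.
    Returns (expanded rule lines, list of findings)."""
    rules, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue

        def sub(m):
            name = m.group(1)
            if name not in params:
                findings.append(f'rules line {lineno}: undefined variable ${name}')
                return m.group(0)          # leave the reference visible
            return params[name]

        rules.append(VAR_RE.sub(sub, line))
    return rules, findings


def zone(column):
    """'loc:!~00-1B-...' -> 'loc': the zone name before any qualifier."""
    return column.split(':', 1)[0]


def find_shadowed(rules):
    """Rules are evaluated top to bottom and the first match wins.  Return
    (earlier, later) index pairs where an earlier rule with unqualified
    zones and the same PROTO/DPORT already matches everything a later,
    more specific rule would.  Deliberately simplified heuristic (this
    example's own), enough to catch the ordering problem in the thread."""
    parsed = [r.split() for r in rules]
    pairs = []
    for j, later in enumerate(parsed):
        for i, earlier in enumerate(parsed[:j]):
            if len(earlier) < 5 or len(later) < 5:
                continue                  # need ACTION SOURCE DEST PROTO DPORT
            if earlier[3:5] != later[3:5]:
                continue
            if (':' not in earlier[1] and ':' not in earlier[2]
                    and zone(earlier[1]) == zone(later[1])
                    and zone(earlier[2]) == zone(later[2])):
                pairs.append((i, j))
    return pairs


def lint(params_text, rules_text):
    """Run all three checks; an empty list means nothing was flagged."""
    try:
        params = parse_params(params_text)
    except ValueError as err:
        return [str(err)]
    rules, findings = expand_rules(rules_text, params)
    for i, j in find_shadowed(rules):
        findings.append(f'rule {j + 1} is never reached: rule {i + 1} already matches it')
    return findings


if __name__ == '__main__':
    for label, p, r in (('broken params', PARAMS_BROKEN, RULES_OK),
                        ('broken rules', PARAMS_OK, RULES_BROKEN),
                        ('fixed', PARAMS_OK, RULES_OK)):
        print(label, '->', lint(p, r) or 'clean')
```

Running the script prints one line per sample pair: the broken params file is rejected at the first non-assignment line, the two-rule file gets both an undefined-variable finding and a never-reached finding for the REJECT, and Tom's single ACCEPT rule with the corrected params comes back clean. The `zone()` helper throws away everything after the first colon, so a `loc:!$MAC_LAN` qualifier is compared on zone only; that is the simplification, not how Shorewall evaluates negated address lists.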
