Hi,

Regarding my previous post, geoip actually seems to be working with:

DROP net1:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] all
DROP net2:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] all
DROP net3:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] all

in *most cases*... which means that some packets do arrive at the underlying IPS system via NFQUEUE. The IPS also has a geo-ip rule with the SAME negated set of countries. The weird thing is that I see the IPS logging geoip drops when Shorewall & xtables-addons should have already dropped them all. Some (few) seem to slip through...

I read somewhere that iptables/geoip can accept only up to 10 country codes for each rule. I might be on the edge here and may need to split this into multiple rules.

Vieri

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
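Added example, not part of Vieri's post and not Shorewall's own code: a small Python model of first-match rule evaluation that shows why a negated geoip set such as `!^[US,CA,...]` cannot simply be split into several DROP rules (each split rule then matches everything outside its own chunk, so every source is dropped), and how chunked positive ACCEPT rules followed by a final DROP preserve the original meaning. The chunk size is a parameter; the per-rule country limit the post mentions is assumed, not verified here.

```python
# Constructed simulation of Shorewall/xt_geoip first-match semantics.
# A rule is (negated, set_of_countries): negated=True mirrors 'net:!^[..]',
# negated=False mirrors 'net:^[..]'. Actions are evaluated top to bottom.

ALLOWED = ["US", "CA", "EU", "ES", "PT", "FR", "DE", "GB", "IT", "BE"]


def rule_matches(rule, country):
    negated, countries = rule
    hit = country in countries
    return (not hit) if negated else hit


def first_action(rules, country, default="ACCEPT"):
    """Return the action of the first rule matching `country`, else `default`
    (stands in for the zone policy that applies when no rule matches)."""
    for action, rule in rules:
        if rule_matches(rule, country):
            return action
    return default


def chunks(seq, n):
    return [seq[i:i + n] for i in range(0, len(seq), n)]


def single_negated_drop(allowed):
    # The original single rule: DROP everything NOT in the allowed set.
    return [("DROP", (True, set(allowed)))]


def naive_split(allowed, n):
    # Literal split of the negated list into several DROP rules.
    # Each rule matches any country outside its own chunk, so the
    # chunks jointly match every country: nothing is left accepted.
    return [("DROP", (True, set(c))) for c in chunks(allowed, n)]


def safe_split(allowed, n):
    # Equivalent decomposition: one positive ACCEPT per chunk, then an
    # unconditional DROP (negated empty set matches every country).
    rules = [("ACCEPT", (False, set(c))) for c in chunks(allowed, n)]
    rules.append(("DROP", (True, set())))
    return rules


def policy_table(rules, countries):
    """Map each sample source country to the action the rule list yields."""
    return {c: first_action(rules, c) for c in countries}
```

Run `policy_table(naive_split(ALLOWED, 5), ["US", "CN"])` to see both sources dropped, versus `safe_split`, which matches the single-rule result.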
