Hi, I've created ipsets to filter outgoing connections with shorewall.
I ran this:

    ipset create OUT_WL hash:net timeout 0

and added networks to it. For instance, for "LocalTel Communications":

    63.135.48.0/20
    63.142.208.0/20
    66.172.96.0/19
    96.46.16.0/20
    173.209.160.0/20
    199.36.88.0/21
    199.244.28.0/22
    206.130.128.0/20

On the shorewall firewall the policy is to drop everything from LAN to Internet and allow outgoing HTTP/S traffic (web browsing) for all, but ONLY if the DST address is in an ipset (OUT_WL). These are the rules:

    ACCEPT loc:10.215.144.0/22 net1:+OUT_WL,+OUT_MANUAL_WL all
    ACCEPT loc:10.215.144.0/22 net2:+OUT_WL,+OUT_MANUAL_WL all
    ACCEPT loc:10.215.144.0/22 net3:+OUT_WL,+OUT_MANUAL_WL all
    ACCEPT loc:10.215.144.0/22 net4:+OUT_WL,+OUT_MANUAL_WL all

I'm trying to access www.shorewall.net on port 80 (63.135.54.24) from a LAN host behind Shorewall (10.215.144.48). It's not working, even though I'm expecting it should because 63.135.48.0/20 is within the ipset. I'm attaching a shorewall dump taken while trying to connect from 10.215.144.48 to 63.135.54.24:80.

Are hash:net ipsets unsupported?

Thanks,
Vieri
[Attachment: dump.gz (application/gzip)]
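To separate "the set is wrong" from "the firewall is not consulting the set", it helps to first compute what the whitelist should match. The following is an added example (not from the post or from Shorewall) that rebuilds the poster's OUT_WL entries offline, emits the ipset commands that create the same hash:net set, and reproduces hash:net's longest-prefix lookup for a destination; the function names and the LAN prefix argument are this example's own.

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed from the "LocalTel Communications" prefixes listed in the post.
OUT_WL = [
    "63.135.48.0/20", "63.142.208.0/20", "66.172.96.0/19", "96.46.16.0/20",
    "173.209.160.0/20", "199.36.88.0/21", "199.244.28.0/22", "206.130.128.0/20",
]

def ipset_commands(name: str, nets: Iterable[str]) -> List[str]:
    """Shell lines that build a hash:net set with no entry timeout (as in the post)."""
    cmds = [f"ipset create {name} hash:net timeout 0"]
    for n in nets:
        # strict=True raises if host bits are set (e.g. 63.135.54.0/20), which ipset
        # would otherwise silently normalise to the covering prefix.
        net = ipaddress.ip_network(n, strict=True)
        cmds.append(f"ipset add {name} {net}")
    return cmds

def matching_net(dst: str, nets: Iterable[str]) -> Optional[str]:
    """Most specific whitelisted prefix covering dst, or None (hash:net lookup semantics)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for n in nets:
        net = ipaddress.ip_network(n, strict=True)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best is not None else None

def expected_verdict(src: str, dst: str, lan: str, nets: Iterable[str]) -> str:
    """Mirror the post's rule: ACCEPT only if src is in loc and dst is in the set."""
    if ipaddress.ip_address(src) not in ipaddress.ip_network(lan):
        return "DROP (source outside loc)"
    hit = matching_net(dst, nets)
    return f"ACCEPT via {hit}" if hit else "DROP (dst not in set)"

if __name__ == "__main__":
    print("\n".join(ipset_commands("OUT_WL", OUT_WL)))
    # Hypothetical LAN prefix taken from the post's loc: column.
    print(expected_verdict("10.215.144.48", "63.135.54.24", "10.215.144.0/22", OUT_WL))
```

If this reports ACCEPT but the firewall still drops, run `ipset test OUT_WL 63.135.54.24` on the firewall itself to compare the kernel's view of the set with the expected result.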
Shorewall-users mailing list: https://lists.sourceforge.net/lists/listinfo/shorewall-users
