Răzvan Sandu <razvan.sa...@mobexpert.ro> wrote:
> I now have:
>
> IMAPS/ACCEPT:info net $FW
>
> and I want to exclude *two* address ranges from the net zone, like in:
>
> IMAPS/ACCEPT:info net:!aa.bb.cc.0/24 $FW
> ...
As an alternative which would be easier to read/maintain when you get a few more addresses in the list is to put drop rules before the allow rules. Typically if I spot incoming abuse, I just drop all connections - but that's one of those policy decisions that's specific to the organisation/admin.

I tend to structure my rules file along the lines of:

# Drop nasties
DROP net:aa.bb.cc.0/24 $FW
DROP ...

# Mail
SMTP/ACCEPT net $FW
...
IMAPS/ACCEPT net $FW

# Other permitted traffic types
...

Of course, dealing with attacks as they happen is something that "shorewall drop ..." is useful for.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
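An added example (not from the thread or from Shorewall itself): a small first-match evaluator in Python for the two layouts discussed above, the comma-separated `zone:!a,b` exclusion form in the SOURCE column (assumed here) and the DROP-before-ACCEPT layout from the reply. 192.0.2.0/24 and 198.51.100.0/24 are constructed stand-ins for the real aa.bb.cc.0/24 ranges, and the evaluator only models zone, address list and destination, not ports.

```python
# Added example: first-match evaluation of a subset of Shorewall rules syntax.
# Assumes the "zone:!a,b" exclusion-list form and "zone:a,b" inclusion form
# of the SOURCE column; 192.0.2.0/24 and 198.51.100.0/24 are constructed
# sample ranges standing in for aa.bb.cc.0/24.
import ipaddress


def parse_rules(text):
    """Parse 'ACTION SOURCE DEST' lines, skipping comments and '...' fillers."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line == "...":
            continue
        action, source, dest = line.split()[:3]
        zone, _, addr_list = source.partition(":")
        negate = addr_list.startswith("!")
        nets = [ipaddress.ip_network(n) for n in addr_list.lstrip("!").split(",") if n]
        rules.append((action, zone, nets, negate, dest))
    return rules


def evaluate(rules, src_zone, src_ip, dest="$FW"):
    """Return ACCEPT/DROP/... from the first matching rule, or 'POLICY' if none."""
    ip = ipaddress.ip_address(src_ip)
    for action, zone, nets, negate, rule_dest in rules:
        if zone != src_zone or rule_dest != dest:
            continue
        in_list = any(ip in net for net in nets)
        # exclusion list: skip when the address is in it;
        # inclusion list: skip when the address is not in it
        if nets and in_list == negate:
            continue
        # "IMAPS/ACCEPT:info" -> "ACCEPT" (drop macro prefix and log level)
        return action.split(":")[0].rsplit("/", 1)[-1]
    return "POLICY"  # falls through to the zone-pair policy


EXCLUSION_FORM = "IMAPS/ACCEPT:info net:!192.0.2.0/24,198.51.100.0/24 $FW\n"

DROP_FIRST_FORM = """# Drop nasties
DROP net:192.0.2.0/24 $FW
DROP net:198.51.100.0/24 $FW
# Mail
IMAPS/ACCEPT net $FW
"""
```

The excluded address falls through to the net->$FW policy in the exclusion form but is explicitly dropped in the DROP-first form, which is the behavioural difference between the two layouts.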