On 4/10/19 9:40 AM, Vieri Di Paola wrote: > Hi, > > I'm getting the following error on an ADD action in the rules file: > > ERROR: An inverted port list may only have up to 15 ports > > This is my ADD rule: > > ADD(POL_BL:src):info:polbl,add2polbl > net1,net2,net3:!+POL_BL,+GLOBAL_WL,+NORMAL_WL all tcp,udp - > !80,443,4443,25,3389,33891,1935,8008,8080,59100,33892,61196,61197,61198,62003 > > Any ideas how I can write more than one ADD rule so I can use more > than 15 ports? > I need to add the SRC IP addr. to an ipset only if the port is not in my list. > I don't know if a port range only counts as 1 entry -- haven't tried > that yet. Still, I might need to add even more entries without > defining ranges. > > Should I use a bitmap:port ipset instead? eg. create a bitmap:port > ipset named POL_BL_EXCL, populate it with my port list and then write > a rule such as: > > ADD(POL_BL:src):info:polbl,add2polbl > net1,net2,net3:!+POL_BL,+GLOBAL_WL,+NORMAL_WL all tcp,udp - > !+POL_BL_EXCL >
That is a good solution. Another would be to create an action with multiple leading CONTINUE rules (that together specify the ports that you want to exclude) followed by an ADD rule. -Tom -- Tom Eastep \ Q: What do you get when you cross a mobster with Shoreline, \ an international standard? Washington, USA \ A: Someone who makes you an offer you can't http://shorewall.org \ understand \_______________________________________________
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
