What is the earliest version where
this would work?

REJECT net:64.202.0.0/16 stu all
REJECT stu net:64.202.0.0/16 all
ACCEPT net:64.202.163.178 stu TCP 443,80
ACCEPT stu net:64.202.163.178 TCP 443,80

I have a stable production system that
I will have to upgrade from 1.4.8-1
--where the above starts, but then doesn't
block anything on the /16
---end---

On Wednesday 14 December 2005 17:21, Grape Daddy wrote:
> What is the earliest version where
> this would work?
>
> REJECT net:64.202.0.0/16 stu all
> REJECT stu net:64.202.0.0/16 all
> ACCEPT net:64.202.163.178 stu TCP 443,80
> ACCEPT stu net:64.202.163.178 TCP 443,80
>
> I have a stable production system that
> I will have to upgrade from 1.4.8-1
> --where the above starts, but then doesn't
> block anything on the /16
> ---end---

I can't answer this question (And I designed and wrote Shorewall). I find it
amazing that you would even ask it. FWIW, I have no reason to believe that it
doesn't work on 1.4.8 but...

... you may wish to consider that the earliest supported release is 2.4.0. And
you probably don't want to upgrade to a .0 release.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

Grape Daddy wrote:
> What is the earliest version where
> this would work?
>
> REJECT net:64.202.0.0/16 stu all
> REJECT stu net:64.202.0.0/16 all
> ACCEPT net:64.202.163.178 stu TCP 443,80
> ACCEPT stu net:64.202.163.178 TCP 443,80
>
> I have a stable production system that
> I will have to upgrade from 1.4.8-1
> --where the above starts, but then doesn't
> block anything on the /16

As Tom said, it should work on 1.4.8.

My suggestions:
- Turn on logging (i.e. REJECT:info or ACCEPT:info at the beginning of the rule).
- Check your policies for net2stu & stu2net (turn on logging in them as well).
- Run 'shorewall show' (don't know if this works on 1.4.8) and see where the packet counters are incrementing.
- Upgrade to 3.0.x. :-)
- Read the troubleshooting documentation on http://shorewall.net. Tom and others have worked hard to make it as comprehensive and easy-to-read as possible.

Question:
- Why would you want to allow net2stu at all?

Paul