How does one go about preventing shorewall in a 2 nic setup block outgoing connections to certain IPs from being NATed?

Thanks!
jlc

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Joseph L. Casale wrote:
> How does one go about preventing shorewall in a 2 nic
> setup block outgoing connections to certain IPs from
> being NATed?

What exactly are you trying to accomplish? If you are trying to use the lack of masquerading as a filtering mechanism, I strongly recommend just using REJECT rules instead.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
> What exactly are you trying to accomplish? If you are trying to use
> the lack of masquerading as a filtering mechanism, I strongly
> recommend just using REJECT rules instead.
>
> -Tom

I just want to make sure clients that use shorewall as their gateway to masq outbound traffic can't get to a list of IPs.

Thanks!
jlc
Joseph L. Casale wrote:
>> What exactly are you trying to accomplish? If you are trying to use
>> the lack of masquerading as a filtering mechanism, I strongly
>> recommend just using REJECT rules instead.
>>
>> -Tom
>
> I just want to make sure clients that use shorewall as their
> gateway to masq outbound traffic can't get to a list of IPs.

Then forget your masq approach. Shorewall has always been and will continue to be about keeping the bad guys out, not keeping the prisoners in.

A much better approach to that is to use Shorewall to disallow loc->net http traffic, implement a transparent proxy and then use squid and/or dansguardian to police your users' web access. That way, you can express your repressive policies using domain names, URLs and content categories rather than chasing your tail with IP addresses.

And if you really want to prevent a group of users from accessing a set of IP addresses, REJECT rules are the way to go.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Joseph L. Casale wrote:
>>> What exactly are you trying to accomplish? If you are trying to use
>>> the lack of masquerading as a filtering mechanism, I strongly
>>> recommend just using REJECT rules instead.
>>>
>>> -Tom
>>
>> I just want to make sure clients that use shorewall as their
>> gateway to masq outbound traffic can't get to a list of IPs.
>
> Then forget your masq approach.

Another alternative is to only masq the addresses you specifically want to allow. You can put something like this in your masq file:

    eth1    $MY_IPS

and define MY_IPS in params as:

    MY_IPS=192.168.0.0/24

This will mean that only those addresses are allowed to masq out through your firewall. Everything else must be either routed with a routable address, or handled by a specific rule (e.g. DNAT, REDIRECT).

When I managed a school network, I set up my firewall so that even if the client machines got past the packet filtering rules, they would not get any traffic out to the Internet because their addresses were not in the NAT list. Only servers & sysadmin workstations were allowed to do NAT.

Paul
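Tom's REJECT-rule approach and Paul's allow-list masq approach, written out as Shorewall configuration fragments. This is an added example, not configuration from any post in the thread; the interface name eth1 and the 192.168.0.0/24 value come from Paul's message, while the blocked destinations 203.0.113.0/24 and 198.51.100.7 and the squid port 3128 are assumed placeholders.

```text
# /etc/shorewall/params   (values below are constructed; substitute your own)
BLOCKED_IPS=203.0.113.0/24,198.51.100.7   # destinations loc hosts must not reach
MY_IPS=192.168.0.0/24                     # the only source addresses allowed to masquerade

# /etc/shorewall/rules    (rules are evaluated before the loc->net policy)
#ACTION        SOURCE   DEST                PROTO   DEST PORT(S)
# Tom's approach: filter explicitly, and log at "info" so each blocked
# attempt shows up in syslog for the SOC/admin to see
REJECT:info    loc      net:$BLOCKED_IPS
# Optional, also from Tom's post: send loc HTTP through a transparent proxy
# (squid on the firewall, port 3128 assumed). Redirected traffic becomes
# loc->fw, so per-domain/URL policing then happens in the proxy, not here.
REDIRECT       loc      3128                tcp     80

# /etc/shorewall/masq     (Paul's approach; eth1 is the external interface)
# Only $MY_IPS is NATed; any other loc address simply has no path out.
#INTERFACE   SUBNET
eth1         $MY_IPS
```

Run `shorewall check` before `shorewall restart` so a column or variable mistake is caught before the ruleset is loaded.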