I have the following line in the rules list: .
please post in plain-old text, the mailing list seems to like eating html posts :)
On 20 Jun 2005 at 15:16, jeff@palmerfamily.name wrote:
> I have the following line in the rules list:
>
> .
>

Look: this is getting a bit redundant. Do not put a blank line followed by a single period followed by another blank line in any email.

--
______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
How do I configure Shorewall 2.4 to route a resolvable external host address (mail.domain.com) that is passed to an internal mailserver (192.168.1.225) so that the same host name is resolved internally without the user having to change the host name to an IP address when they are on the LAN?

-Michael
There should be a thread in the archives of this mailing list named "DNS Name problem with mail server on LAN". Have a look at this.

/ben

On 21.06.2005 04:06, Michael Bush wrote:
> How do I configure Shorewall 2.4 to route a resolvable external host address (mail.domain.com) that is passed to an internal mailserver (192.168.1.225) so that the same host name is resolved internally without the user having to change the host name to an IP address when they are on the LAN?
>
> -Michael
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Four things:

1) When you reply to an old message, and try to start a new thread, the headers from the old message are included to keep the reply to the old thread in proper thread sequence. Thus, your message was buried down in the branches of another question. So, please do not reply to a message to start a new thread. It confuses software and annoys people who are using threaded mail clients.

2) Read the FAQ: http://www.shorewall.net/FAQ.htm#faq1d (or something else nearby in the faq)

3) If I did not correctly read your mind, then consider being more detailed when asking a question.

4) Next time you are having trouble, read the documentation, at least the FAQ, because that is usually where documentation-non-readers will find their questions answered.

Regards,

Alex Martin
http://www.rettc.com

Michael Bush wrote:
> How do I configure Shorewall 2.4 to route a resolvable external host address (mail.domain.com) that is passed to an internal mailserver (192.168.1.225) so that the same host name is resolved internally without the user having to change the host name to an IP address when they are on the LAN?
>
> -Michael
Thanks!

Alex Martin wrote:
> Four things:
>
> 1) When you reply to an old message, and try to start a new thread, the headers from the old message are included to keep the reply to the old thread in proper thread sequence. Thus, your message was buried down in the branches of another question. So, please do not reply to a message to start a new thread. It confuses software and annoys people who are using threaded mail clients.
>
> 2) Read the FAQ: http://www.shorewall.net/FAQ.htm#faq1d (or something else nearby in the faq)
>
> 3) If I did not correctly read your mind, then consider being more detailed when asking a question.
>
> 4) Next time you are having trouble, read the documentation, at least the FAQ, because that is usually where documentation-non-readers will find their questions answered.
>
> Regards,
>
> Alex Martin
> http://www.rettc.com
>
> Michael Bush wrote:
>> How do I configure Shorewall 2.4 to route a resolvable external host address (mail.domain.com) that is passed to an internal mailserver (192.168.1.225) so that the same host name is resolved internally without the user having to change the host name to an IP address when they are on the LAN?
>>
>> -Michael
Michael Bush wrote:
> Thanks!
>
> Alex Martin wrote:
>> Four things:
>>
>> 1) When you reply to an old message, and try to start a new thread, the headers from the old message are included to keep the reply to the old thread in proper thread sequence. Thus, your message was buried down in the branches of another question. So, please do not reply to a message to start a new thread. It confuses software and annoys people who are using threaded mail clients.
>>
>> 2) Read the FAQ: http://www.shorewall.net/FAQ.htm#faq1d (or something else nearby in the faq)
>>
>> 3) If I did not correctly read your mind, then consider being more detailed when asking a question.
>>
>> 4) Next time you are having trouble, read the documentation, at least the FAQ, because that is usually where documentation-non-readers will find their questions answered.

5) Read this: http://www.netmeister.org/news/learn2quote.html

--
Paul <http://paulgear.webhop.net>
--
Did you know? Email is not private and can be viewed by your ISP, the recipient's ISP, and possibly other parties. You can make sure your emails are private by using GNU Privacy Guard <http://www.gnupg.org> and an email plug-in like Enigmail <http://enigmail.mozdev.org>.
I have the following line in the rules file:

DROP net:211.171.0.0/10 $FW all

It is my understanding that this should block the range 211.171.0.0-211.235.255.255, yet I connections from within this range.

The default policy is to drop all outside connections unless otherwise specified. A line specifying allowed outside connections is much further down the list. Shorewall v2.4.0 under Mandrake 10.1 running on a quad Xeon system. I can post Shorewall Show, if necessary, but it's rather large.

Sorry about the previous post. I had 3 lines with a single period followed by the rule and then 3 lines with a single period.
On 21.06.2005 16:52, jeff@palmerfamily.name wrote:
> I have the following line in the rules file:
>
> DROP net:211.171.0.0/10 $FW all
>
> It is my understanding that this should block the range 211.171.0.0-211.235.255.255, yet I connections from within this range.

Do you have a local zone behind the firewall, and are the connections to these clients?

Just a guess: this rule drops all connections from net:211... to the firewall, but not to the clients behind the firewall. For that, you need to specify:

DROP net:211.171.0.0/10 loc all

where loc is the name of your local zone.
Note also that shorewall does not affect already exiting connections when starting.

/ben
On 21.06.2005 17:11, Ben Greiner wrote:
> Note also that shorewall does not affect already exiting connections
> when starting.

Should be "existing connections" ...

/ben
> On 21.06.2005 16:52, jeff@palmerfamily.name wrote:
> > I have the following line in the rules file:
> >
> > DROP net:211.171.0.0/10 $FW all
> >
> > It is my understanding that this should block the range 211.171.0.0-211.235.255.255, yet I connections from within this range.
>
> Do you have a local zone behind the firewall, and are the connections to these clients?
>
> Just a guess: this rule drops all connections from net:211... to the firewall, but not to the clients behind the firewall. For that, you need to specify:
>
> DROP net:211.171.0.0/10 loc all
>
> where loc is the name of your local zone.
> Note also that shorewall does not affect already exiting connections when starting.
>
> /ben

To cover both $FW and loc (and all other zones) with a single rule, you could use:

DROP net:211.171.0.0/10 all all

Jerry
Jerry Vonau wrote ..
> > On 21.06.2005 16:52, jeff@palmerfamily.name wrote:
> > > I have the following line in the rules file:
> > >
> > > DROP net:211.171.0.0/10 $FW all
> > >
> > > It is my understanding that this should block the range 211.171.0.0-211.235.255.255, yet I connections from within this range.
> >
> > Do you have a local zone behind the firewall, and are the connections to these clients?
> >
> > Just a guess: this rule drops all connections from net:211... to the firewall, but not to the clients behind the firewall. For that, you need to specify:
> >
> > DROP net:211.171.0.0/10 loc all
> >
> > where loc is the name of your local zone.
> > Note also that shorewall does not affect already exiting connections when starting.
> >
> > /ben
>
> To cover both $FW and loc (and all other zones) with a single rule, you could use:
> DROP net:211.171.0.0/10 all all
>
> Jerry

These are outside initiated connections. I have other rules set up exactly the same that work fine, it's just this one. From the responses, it appears I have the address notion correct. What else could be the problem?
> Jerry Vonau wrote ..
> > > On 21.06.2005 16:52, jeff@palmerfamily.name wrote:
> > > > I have the following line in the rules file:
> > > >
> > > > DROP net:211.171.0.0/10 $FW all
> > > >
> > > > It is my understanding that this should block the range 211.171.0.0-211.235.255.255, yet I connections from within this range.
> > >
> > > Do you have a local zone behind the firewall, and are the connections to these clients?
> > >
> > > Just a guess: this rule drops all connections from net:211... to the firewall, but not to the clients behind the firewall. For that, you need to specify:
> > >
> > > DROP net:211.171.0.0/10 loc all
> > >
> > > where loc is the name of your local zone.
> > > Note also that shorewall does not affect already exiting connections when starting.
> > >
> > > /ben
> >
> > To cover both $FW and loc (and all other zones) with a single rule, you could use:
> > DROP net:211.171.0.0/10 all all
> >
> > Jerry
>
> These are outside initiated connections. I have other rules set up exactly the same that work fine, it's just this one. From the responses, it appears I have the address notion correct. What else could be the problem?

I'll bet what you're seeing is < 211.192.0.0.

using the online calculator at:
http://jodies.de/ipcalc?host=211.171.0.0&mask1=10&mask2

/10 covers 211.171.0.0-211.191.255.255

/9 covers 211.171.0.0-211.255.255.255
which goes past your target of 211.235.255.255

You'll need to add the missing net blocks to cover 211.192.0.0-211.235.255.255

Jerry
2005/6/21, jeff@palmerfamily.name <jeff@palmerfamily.name>:
> I have the following line in the rules file:
>
> DROP net:211.171.0.0/10 $FW all
>
> It is my understanding that this should block the range 211.171.0.0-211.235.255.255, yet I connections from within this range.
>
> The default policy is to drop all outside connections unless otherwise specified. A line specifying allowed outside connections is much further down the list. Shorewall v2.4.0 under Mandrake 10.1 running on a quad Xeon system. I can post Shorewall Show, if necessary, but it's rather large.
>
> Sorry about the previous post. I had 3 lines with a single period followed by the rule and then 3 lines with a single period.

Did you try using the blacklist option?
http://www.shorewall.net/blacklisting_support.htm
> > Jerry Vonau wrote ..
> > > > On 21.06.2005 16:52, jeff@palmerfamily.name wrote:
> > > > > I have the following line in the rules file:
> > > > >
> > > > > DROP net:211.171.0.0/10 $FW all
> > > > >
> > > > > It is my understanding that this should block the range 211.171.0.0-211.235.255.255, yet I connections from within this range.
> > > >
> > > > Do you have a local zone behind the firewall, and are the connections to these clients?
> > > >
> > > > Just a guess: this rule drops all connections from net:211... to the firewall, but not to the clients behind the firewall. For that, you need to specify:
> > > >
> > > > DROP net:211.171.0.0/10 loc all
> > > >
> > > > where loc is the name of your local zone.
> > > > Note also that shorewall does not affect already exiting connections when starting.
> > > >
> > > > /ben
> > >
> > > To cover both $FW and loc (and all other zones) with a single rule, you could use:
> > > DROP net:211.171.0.0/10 all all
> > >
> > > Jerry
> >
> > These are outside initiated connections. I have other rules set up exactly the same that work fine, it's just this one. From the responses, it appears I have the address notion correct. What else could be the problem?
>
> I'll bet what you're seeing is < 211.192.0.0.
>
> using the online calculator at:
> http://jodies.de/ipcalc?host=211.171.0.0&mask1=10&mask2
>
> /10 covers 211.171.0.0-211.191.255.255
>
> /9 covers 211.171.0.0-211.255.255.255
> which goes past your target of 211.235.255.255
>
> You'll need to add the missing net blocks to cover 211.192.0.0-211.235.255.255
>
> Jerry

Well I messed that up. (hanging head) After an elbow in the ribs (thanks Tom), shorewall has some very good built-in tools, that I totally forgot about.

/sbin/shorewall ipcalc
/sbin/shorewall range

/sbin/shorewall will give you the correct syntax to use.

[root@shore jerry]# /sbin/shorewall ipcalc 211.171.0.0/10
CIDR=211.171.0.0/10
NETMASK=255.192.0.0
NETWORK=211.128.0.0
BROADCAST=211.191.255.255

Now to calculate what is not covered:

[root@shore jerry]# /sbin/shorewall iprange 211.192.0.0-211.235.255.255
211.192.0.0/11
211.224.0.0/13
211.232.0.0/14

I don't block such a large range, but using a /10 as a starting point may not be the best layout. You may be blocking addresses between 211.128.0.0 and 211.170.255.255; better to use smaller netblocks that only deal with what you want to cover.

[root@jerry1 jerry]# /sbin/shorewall iprange 211.171.0.0-211.235.255.255
211.171.0.0/16
211.172.0.0/14
211.176.0.0/12
211.192.0.0/11
211.224.0.0/13
211.232.0.0/14

Jerry
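The arithmetic behind the two shorewall commands above, and behind Jerry's earlier /10 vs /9 guess, as an added example that is not part of the thread or of Shorewall itself. It uses only Python's standard ipaddress module; the function names are my own. The audit shows both halves of the problem with "DROP net:211.171.0.0/10": the block below 211.171.0.0 that the rule drops although the admin never intended to, and the blocks up to 211.235.255.255 that it silently misses.

```python
import ipaddress

def normalize_cidr(cidr):
    """What 'shorewall ipcalc' reports: the host bits of the typed address are
    masked off, so 211.171.0.0/10 is really the block 211.128.0.0/10.
    Returns (network, broadcast, netmask) as dotted strings."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address), str(net.netmask)

def range_to_cidrs(first, last):
    """What 'shorewall iprange' reports: the minimal list of CIDR blocks that
    covers the inclusive range first..last exactly, nothing more."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]

def _minus(a_lo, a_hi, b_lo, b_hi):
    """CIDR blocks for the part of the integer range [a_lo, a_hi] that lies
    outside [b_lo, b_hi]: at most one piece before b and one piece after it."""
    pieces = []
    if a_lo < b_lo:
        pieces.append((a_lo, min(a_hi, b_lo - 1)))
    if a_hi > b_hi:
        pieces.append((max(a_lo, b_hi + 1), a_hi))
    return [str(n) for lo, hi in pieces
            for n in ipaddress.summarize_address_range(
                ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))]

def audit_rule(cidr, first, last):
    """Compare the CIDR written in a DROP rule with the range the admin meant
    to block. Returns (unintended, missed): blocks the rule drops that lie
    outside the intended range, and intended blocks the rule never matches."""
    rule = ipaddress.ip_network(cidr, strict=False)
    r_lo, r_hi = int(rule.network_address), int(rule.broadcast_address)
    i_lo, i_hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return _minus(r_lo, r_hi, i_lo, i_hi), _minus(i_lo, i_hi, r_lo, r_hi)

def rule_matches(cidr, source):
    """True if a packet from 'source' is matched by a rule on 'cidr'; the
    kernel compares against the masked network, not the address as typed."""
    return ipaddress.ip_address(source) in ipaddress.ip_network(cidr, strict=False)

def drop_rules(cidrs, dest="all"):
    """Render one rules-file line per block, in the format used in this thread."""
    return ["DROP net:%s %s all" % (c, dest) for c in cidrs]

if __name__ == "__main__":
    print(normalize_cidr("211.171.0.0/10"))
    unintended, missed = audit_rule("211.171.0.0/10", "211.171.0.0", "211.235.255.255")
    print("dropped but never intended:", unintended)
    print("intended but not dropped:  ", missed)
    print("\n".join(drop_rules(range_to_cidrs("211.171.0.0", "211.235.255.255"))))
```

The last print reproduces the six-block iprange output above as ready-to-paste rules lines; the "all all" target follows Jerry's earlier suggestion for covering every zone.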
> Well I messed that up. (hanging head) After an elbow in the ribs (thanks Tom), shorewall has some very good built-in tools, that I totally forgot about.
>
> /sbin/shorewall ipcalc
> /sbin/shorewall range
>
> /sbin/shorewall will give you the correct syntax to use.
>
> [root@shore jerry]# /sbin/shorewall ipcalc 211.171.0.0/10
> CIDR=211.171.0.0/10
> NETMASK=255.192.0.0
> NETWORK=211.128.0.0
> BROADCAST=211.191.255.255
>
> Now to calculate what is not covered:
> [root@shore jerry]# /sbin/shorewall iprange 211.192.0.0-211.235.255.255
> 211.192.0.0/11
> 211.224.0.0/13
> 211.232.0.0/14
>
> I don't block such a large range, but using a /10 as a starting point may not be the best layout. You may be blocking addresses between 211.128.0.0 and 211.170.255.255; better to use smaller netblocks that only deal with what you want to cover.
>
> [root@jerry1 jerry]# /sbin/shorewall iprange 211.171.0.0-211.235.255.255
> 211.171.0.0/16
> 211.172.0.0/14
> 211.176.0.0/12
> 211.192.0.0/11
> 211.224.0.0/13
> 211.232.0.0/14
>
> Jerry

Well, there you go! Thank you so much. Now if you'll excuse me, I'm going to have a very long list of IP addresses to check!

Again, thank you so very much!