Robin Lynn Frank wrote:> I have an entire /8 blacklisted. The problem is there is a single IP in > it I want to exempt from this. Searching the web site, I note there > used to be (circa version 1.3) a whitelist feature, but I couldn''t find > a simple solution to what I want to do. > > What would be the bes/easiest way to accomplish this?I can''t think of a good way to do what you are asking. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Robin Lynn Frank wrote:> On Sun, 2005-04-10 at 13:45, Tom Eastep wrote: > >>Robin Lynn Frank wrote: >> >>>I have an entire /8 blacklisted. The problem is there is a single IP in >>>it I want to exempt from this. Searching the web site, I note there >>>used to be (circa version 1.3) a whitelist feature, but I couldn''t find >>>a simple solution to what I want to do. >>> >>>What would be the bes/easiest way to accomplish this? >> >>I can''t think of a good way to do what you are asking. >> >>-Tom > > > I guess it is going to require breaking it down into smaller ranges. > :-(If are running Shorewall 2.2.2 or later and your iptables and kernel support ip address ranges (see the output of "shorewall check"), you can specify two ranges. X.0.0.0-<allowed address minus 1> <allowed address plus one>-X.255.255.255 -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:> Robin Lynn Frank wrote: > >>On Sun, 2005-04-10 at 13:45, Tom Eastep wrote: >> >> >>>Robin Lynn Frank wrote: >>> >>> >>>>I have an entire /8 blacklisted. The problem is there is a single IP in >>>>it I want to exempt from this. Searching the web site, I note there >>>>used to be (circa version 1.3) a whitelist feature, but I couldn''t find >>>>a simple solution to what I want to do. >>>> >>>>What would be the bes/easiest way to accomplish this? >>> >>>I can''t think of a good way to do what you are asking. >>> >>>-Tom >> >> >>I guess it is going to require breaking it down into smaller ranges. >>:-( > > > If are running Shorewall 2.2.2 or later and your iptables and kernel > support ip address ranges (see the output of "shorewall check"), you can > specify two ranges.Alternatively, you can determine the capabilities of your kernel and iptables using the following comand: gateway:~# /usr/share/shorewall/firewall call report_capabilities Loading /usr/share/shorewall/functions... Processing /etc/shorewall/params ... Processing /etc/shorewall/shorewall.conf... Loading Modules... Shorewall has detected the following iptables/netfilter capabilities: NAT: Available Packet Mangling: Available Multi-port Match: Available Extended Multi-port Match: Available Connection Tracking Match: Available Packet Type Match: Not available Policy Match: Available Physdev Match: Available IP range Match: Available <============================ Recent Match: Available gateway:~# -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Robin Lynn Frank wrote:> On Sun, 2005-04-10 at 13:45, Tom Eastep wrote: > >>Robin Lynn Frank wrote: >> >>>I have an entire /8 blacklisted. The problem is there is a single IP in >>>it I want to exempt from this. Searching the web site, I note there >>>used to be (circa version 1.3) a whitelist feature, but I couldn''t find >>>a simple solution to what I want to do. >>> >>>What would be the bes/easiest way to accomplish this? >> >>I can''t think of a good way to do what you are asking. >> >>-Tom > > > I guess it is going to require breaking it down into smaller ranges. > :-(Shorewall had the swicth ''iprange'' which will let you break any range of addresses up into a minimum number of CIDR blocks. I guess you could feed it the beginning of the /8 block up thru one less than the white-listed address then the addrees plus one up to the end of the range. -- Stephen Carville <stephen@totalflood.com> Unix and Network Admin Nationwide Totalflood 6033 W. Century Blvd Los Angeles, CA 90045 310-342-3602
Apparently Analagous Threads
- firewalld: whitelisting/blacklisting addresses allowed to connect to a service/port with ipset
- [OT but please read] ORBS blacklisting ns1.samba.org
- Netfilter fails to filter traffic from a netblock?
- Netfilter fails to filter traffic from a netblock?
- Netfilter fails to filter traffic from a netblock?