I have a rule set up to transparently proxy all normal web traffic through Dan's Guardian for filtering. However, there are a few sites that simply do not work right through a transparent proxy. The biggest of these is Yahoo mail. Most sites are not a problem to add to the exemption list. Yahoo, however, apparently uses many servers for the webmail system. There is the main server mail.yahoo.com, and then there are other servers named us.f(some number here).mail.yahoo.com. The two in my list currently are us.f504 and us.f522.

Is there a way to specify the address to bypass using either an IP block notation (both of the us.f? addresses there are in the 206.190.* block) or a domain with wildcards (us.f*.mail.yahoo.com)?

Here is my current section: (hmm. after looking at that I realize that I just answered my own question about using an IP block notation. hehe. But the question about using actual names still stands [that would be a bit more precise than opening up the whole 206.190.* block].)

------------------------------------------------------
#Transparent proxy setup
#Let room machine and server go direct to the net.
#Redirect all port 80 traffic to the proxy except
#
#requests to our lan (duh)
#
#(sites that don't play well with transparent proxying)
#requests to weaponmasters.com
#requests to swordsonline.com
#requests to mail.yahoo.com
#requests to us.f504.mail.yahoo.com
#requests to us.f522.mail.yahoo.com
ACCEPT+ loc:192.168.100.11 net tcp www
ACCEPT+ loc:192.168.100.10 net tcp www
#Redirect Using Tproxy (required if privoxy in the transparent chain)
#REDIRECT loc 81 tcp www - ! 192.168.100.0/24,207.44.178.235,207.44.178.111,216.109.127.60,206.190.38.76,206.190.39.95
#Redirect Using Dansguardian (works if privoxy not in transparent chain)
REDIRECT loc 8080 tcp www - ! 192.168.100.0/24,207.44.178.235,207.44.178.111,216.109.127.60,206.190.38.76,206.190.39.95
ACCEPT fw net tcp www
-----------------------------------------------------------

Thanks.

Mark II
Mark D. Montgomery II wrote:

> But the question about using actual names still stands [that would be a bit
> more precise than opening up the whole 206.190.* block].)

The iptables utility does not support any form of wildcarding in DNS names and Shorewall passes those names unmodified to iptables.

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
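Since names cannot be wildcarded, the practical choice is between listing each host address and exempting a whole block. The script below, added here as an illustration and not part of the list thread, uses Python's ipaddress module to compute the smallest CIDR block covering the two us.f*.mail.yahoo.com addresses from the rules file above and to count how many unrelated addresses that block also lets skip the filter; it also formats the "! a,b,c" exclusion column Shorewall expects. Reading "206.190.*" as 206.190.0.0/16 is an assumption.

```python
import ipaddress

# Constructed from the exclusion list in the rules file above: the two
# us.f*.mail.yahoo.com addresses that were listed explicitly.
YAHOO_MAIL_HOSTS = ["206.190.38.76", "206.190.39.95"]


def smallest_covering_block(addrs):
    """Return the single smallest CIDR block that contains every address.

    Starts from the first address's /32 and widens it one bit at a time
    until all the others fall inside it.
    """
    nets = [ipaddress.ip_network(a, strict=False) for a in addrs]
    block = nets[0]
    while not all(n.subnet_of(block) for n in nets):
        block = block.supernet()
    return block


def bypass_cost(addrs, block=None):
    """Compare what a block exempts from the proxy with what was needed.

    A large 'extra' means traffic to unrelated hosts inside the block also
    bypasses Dan's Guardian filtering. If no block is given, the smallest
    block covering the addresses is used.
    """
    listed = {ipaddress.ip_network(a, strict=False) for a in addrs}
    needed = sum(n.num_addresses for n in listed)
    if block is None:
        block = smallest_covering_block(addrs)
    else:
        block = ipaddress.ip_network(block, strict=False)
    return {"block": str(block), "needed": needed,
            "exempted": block.num_addresses,
            "extra": block.num_addresses - needed}


def shorewall_exclusion(entries):
    """Format the ORIGINAL DEST exclusion column as in the REDIRECT line above.

    Single hosts are printed bare (no /32) to match the rules file's style.
    """
    parts = []
    for e in entries:
        n = ipaddress.ip_network(e, strict=False)
        parts.append(str(n.network_address) if n.prefixlen == 32 else str(n))
    return "! " + ",".join(parts)


if __name__ == "__main__":
    print(bypass_cost(YAHOO_MAIL_HOSTS))                  # smallest covering block
    print(bypass_cost(YAHOO_MAIL_HOSTS, "206.190.0.0/16"))  # the whole 206.190.* block
    print(shorewall_exclusion(["192.168.100.0/24"] + YAHOO_MAIL_HOSTS))
```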
Mark D. Montgomery II
2005-Jan-20 00:11 UTC
Re: Specify rule bypass by domain with wildcards?
On Wed, 2005-01-19 at 15:56 -0800, Tom Eastep wrote:

> Mark D. Montgomery II wrote:
>
> > But the question about using actual names still stands [that would be a
> > bit more precise than opening up the whole 206.190.* block].)
>
> The iptables utility does not support any form of wildcarding in DNS
> names and Shorewall passes those names unmodified to iptables.

Oh well. I kinda figured that but thought I'd ask anyhow just in case. Thanks. :)

> -Tom

Mark II