Hello,

I got about 20 different people using 20 different PCs in my LAN. Five of them should have unrestricted access to the Internet at any time of the day, yet the rest of them should only have access at certain timeframes during the day. Two of them should have no access at all.

I am well experienced in writing rules (for the rules file) that make all this possible, yet I was wondering if there is a way to group these people in named groups; then I would have to type rules for groups, not individual hosts.

I came upon a page speaking of user sets, but I am not sure if this is what I need or how to implement it. Furthermore, it seemed to discuss issues of older Shorewall versions; I am using the very latest one (downloaded this very day).

Any help is more than welcome.

Panos Katergiathis
Athens, Greece
On Wed, 2004-12-08 at 10:59 +0200, Protocol Webmaster wrote:
> Hello
>
> I got about 20 different people using 20 different PCs in my LAN. Five
> of them should have unrestricted access to the Internet any time of the
> day. Yet the rest of them should only have access at certain timeframes
> during the day. Two of them should have no access at all.
>
> I am well experienced in writing rules (for the rules file) that make
> all this possible, yet I was wondering if there is a way to group these
> people in named groups - therefore I would have to type rules for
> groups, not individual hosts.

Two ideas:

a) Use shell variables, one per group.

b) Use actions together with shell variables. There is an example of this (Mirrors) in my configuration (http://shorewall.net/myfiles.htm).

> I came upon a page speaking of user sets, but I am not sure if this is
> what I need or how to implement it. Furthermore it seemed to discuss
> issues of older Shorewall versions - I am using the very latest one
> (downloaded this very day).

User sets:

a) Only applied to traffic FROM the firewall (not THROUGH the firewall).

b) Were very short-lived (late 1.4 series) since similar functionality is available using actions.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
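Tom's first suggestion (one shell variable per group) in a worked form. This is an added illustration, not configuration from the thread or from the Shorewall project, and the zone names, the addresses and the site names in it are assumptions. Shorewall sources /etc/shorewall/params as a shell script before it reads the other configuration files, so a variable defined there can stand in for a comma-separated host list in the SOURCE or DEST column of the rules file:

```text
# /etc/shorewall/params
# Sourced as a shell script by Shorewall, so one variable per group.
# The addresses and site names below are assumptions for this example.
FULL=192.168.10.50,192.168.10.77,192.168.10.81,192.168.10.82,192.168.10.85,192.168.10.227
NONE=192.168.10.3,192.168.10.4
SITES=www.screenusa.com,www.example.com

# /etc/shorewall/rules
#ACTION  SOURCE        DEST          PROTO  DEST PORT(S)
# The two no-access hosts: this line must precede any ACCEPT that would
# also match them, because rules are evaluated in order.
REJECT   loc:$NONE     net           all
# The unrestricted group.
ACCEPT   loc:$FULL     net           all
# Everybody else on the LAN reaches only the listed sites.
ACCEPT   loc           net:$SITES    all
```

Two caveats a practitioner will want: a host name in the DEST column is resolved to an address when Shorewall starts, so the rule matches that address and not the name (a site whose address changes, or that has several addresses, needs a restart or an explicit address list); and a group defined by IP address is only as strong as the binding between a person and that address, which is Tom's point in the next message about Netfilter not knowing who the client user is. The time-of-day restriction that Panos says he already handles in his rules is not shown here.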
On Wed, 2004-12-08 at 18:41 +0200, Panos Katergiathis wrote:
> Hmmm (again).
> Then, are you aware of any other iptables frontend that includes such a
> feature?

Panos -- you can do the same thing with Actions.

/etc/shorewall/actions:

allowGroup
rejectGroup

/etc/shorewall/action.allowGroup:

ACCEPT - - - - - joe
ACCEPT - - - - - fred
...

/etc/shorewall/action.rejectGroup:

REJECT - - - - - joe
REJECT - - - - - fred
...

/etc/shorewall/rules:

allowGroup fw net tcp 80
...

Again though, this ONLY APPLIES TO TRAFFIC FROM THE FIREWALL. That is the ONLY case where Netfilter knows who the user is. There is nothing in IP that identifies who the client user is (and it couldn't be believed if there were such a thing).

-Tom
On Wed, 2004-12-08 at 08:51 -0800, Tom Eastep wrote:
> On Wed, 2004-12-08 at 18:41 +0200, Panos Katergiathis wrote:
> > Hmmm (again).
> > Then, are you aware of any other iptables frontend that includes such a
> > feature?
>
> Panos -- you can do the same thing with Actions.
>
> /etc/shorewall/actions:
>
> allowGroup
> rejectGroup
>
> /etc/shorewall/action.allowGroup:
>
> ACCEPT - - - - - joe
> ACCEPT - - - - - fred
> ...

Correction: The above lines have one too few dashes ("-").

-Tom
Thank you for all your help.

Panos

Tom Eastep wrote:
> On Wed, 2004-12-08 at 08:51 -0800, Tom Eastep wrote:
> > On Wed, 2004-12-08 at 18:41 +0200, Panos Katergiathis wrote:
> > > Hmmm (again).
> > > Then, are you aware of any other iptables frontend that includes such a
> > > feature?
> >
> > Panos -- you can do the same thing with Actions.
> >
> > /etc/shorewall/actions:
> >
> > allowGroup
> > rejectGroup
> >
> > /etc/shorewall/action.allowGroup:
> >
> > ACCEPT - - - - - joe
> > ACCEPT - - - - - fred
> > ...
>
> Correction: The above lines have one too few dashes ("-").
>
> -Tom
Just to make sure that we all understand the same thing, I am including a part of my 13,859-line "rules" file.

ACCEPT loc:192.168.10.1 net:www.screenusa.com all
ACCEPT loc:192.168.10.2 net:www.screenusa.com all
ACCEPT loc:192.168.10.3 net:www.screenusa.com all
ACCEPT loc:192.168.10.4 net:www.screenusa.com all
ACCEPT loc:192.168.10.5 net:www.screenusa.com all
ACCEPT loc:192.168.10.6 net:www.screenusa.com all
ACCEPT loc:192.168.10.7 net:www.screenusa.com all
ACCEPT loc:192.168.10.8 net:www.screenusa.com all
ACCEPT loc:192.168.10.9 net:www.screenusa.com all
ACCEPT loc:192.168.10.10 net:www.screenusa.com all
ACCEPT loc:192.168.10.11 net:www.screenusa.com all
ACCEPT loc:192.168.10.12 net:www.screenusa.com all
ACCEPT loc:192.168.10.13 net:www.screenusa.com all
ACCEPT loc:192.168.10.14 net:www.screenusa.com all
ACCEPT loc:192.168.10.15 net:www.screenusa.com all
ACCEPT loc:192.168.10.16 net:www.screenusa.com all
ACCEPT loc:192.168.10.17 net:www.screenusa.com all
ACCEPT loc:192.168.10.18 net:www.screenusa.com all
ACCEPT loc:192.168.10.19 net:www.screenusa.com all
ACCEPT loc:192.168.10.20 net:www.screenusa.com all
ACCEPT loc:192.168.10.21 net:www.screenusa.com all
ACCEPT loc:192.168.10.22 net:www.screenusa.com all
ACCEPT loc:192.168.10.23 net:www.screenusa.com all
ACCEPT loc:192.168.10.24 net:www.screenusa.com all
ACCEPT loc:192.168.10.25 net:www.screenusa.com all
ACCEPT loc:192.168.10.26 net:www.screenusa.com all
ACCEPT loc:192.168.10.27 net:www.screenusa.com all
ACCEPT loc:192.168.10.28 net:www.screenusa.com all
ACCEPT loc:192.168.10.29 net:www.screenusa.com all
ACCEPT loc:192.168.10.30 net:www.screenusa.com all
ACCEPT loc:192.168.10.31 net:www.screenusa.com all
ACCEPT loc:192.168.10.32 net:www.screenusa.com all
ACCEPT loc:192.168.10.33 net:www.screenusa.com all
ACCEPT loc:192.168.10.34 net:www.screenusa.com all
ACCEPT loc:192.168.10.35 net:www.screenusa.com all
ACCEPT loc:192.168.10.36 net:www.screenusa.com all
ACCEPT loc:192.168.10.37 net:www.screenusa.com all
ACCEPT loc:192.168.10.38 net:www.screenusa.com all
ACCEPT loc:192.168.10.39 net:www.screenusa.com all
ACCEPT loc:192.168.10.40 net:www.screenusa.com all
ACCEPT loc:192.168.10.41 net:www.screenusa.com all
ACCEPT loc:192.168.10.42 net:www.screenusa.com all
ACCEPT loc:192.168.10.43 net:www.screenusa.com all
ACCEPT loc:192.168.10.44 net:www.screenusa.com all
ACCEPT loc:192.168.10.45 net:www.screenusa.com all
ACCEPT loc:192.168.10.46 net:www.screenusa.com all
ACCEPT loc:192.168.10.47 net:www.screenusa.com all
ACCEPT loc:192.168.10.48 net:www.screenusa.com all
ACCEPT loc:192.168.10.49 net:www.screenusa.com all
#ACCEPT loc:192.168.10.50 net:www.screenusa.com all
ACCEPT loc:192.168.10.51 net:www.screenusa.com all
ACCEPT loc:192.168.10.52 net:www.screenusa.com all
ACCEPT loc:192.168.10.53 net:www.screenusa.com all
ACCEPT loc:192.168.10.54 net:www.screenusa.com all
ACCEPT loc:192.168.10.55 net:www.screenusa.com all
ACCEPT loc:192.168.10.56 net:www.screenusa.com all
ACCEPT loc:192.168.10.57 net:www.screenusa.com all
ACCEPT loc:192.168.10.58 net:www.screenusa.com all
ACCEPT loc:192.168.10.59 net:www.screenusa.com all
ACCEPT loc:192.168.10.60 net:www.screenusa.com all
ACCEPT loc:192.168.10.61 net:www.screenusa.com all
ACCEPT loc:192.168.10.62 net:www.screenusa.com all
ACCEPT loc:192.168.10.63 net:www.screenusa.com all
ACCEPT loc:192.168.10.64 net:www.screenusa.com all
ACCEPT loc:192.168.10.65 net:www.screenusa.com all
ACCEPT loc:192.168.10.66 net:www.screenusa.com all
ACCEPT loc:192.168.10.67 net:www.screenusa.com all
ACCEPT loc:192.168.10.68 net:www.screenusa.com all
ACCEPT loc:192.168.10.69 net:www.screenusa.com all
ACCEPT loc:192.168.10.70 net:www.screenusa.com all
ACCEPT loc:192.168.10.71 net:www.screenusa.com all
ACCEPT loc:192.168.10.72 net:www.screenusa.com all
ACCEPT loc:192.168.10.73 net:www.screenusa.com all
ACCEPT loc:192.168.10.74 net:www.screenusa.com all
ACCEPT loc:192.168.10.75 net:www.screenusa.com all
ACCEPT loc:192.168.10.76 net:www.screenusa.com all
#ACCEPT loc:192.168.10.77 net:www.screenusa.com all
ACCEPT loc:192.168.10.78 net:www.screenusa.com all
ACCEPT loc:192.168.10.79 net:www.screenusa.com all
ACCEPT loc:192.168.10.80 net:www.screenusa.com all
#ACCEPT loc:192.168.10.81 net:www.screenusa.com all
#ACCEPT loc:192.168.10.82 net:www.screenusa.com all
ACCEPT loc:192.168.10.83 net:www.screenusa.com all
ACCEPT loc:192.168.10.84 net:www.screenusa.com all
#ACCEPT loc:192.168.10.85 net:www.screenusa.com all
ACCEPT loc:192.168.10.86 net:www.screenusa.com all
ACCEPT loc:192.168.10.87 net:www.screenusa.com all
ACCEPT loc:192.168.10.88 net:www.screenusa.com all
ACCEPT loc:192.168.10.89 net:www.screenusa.com all
ACCEPT loc:192.168.10.90 net:www.screenusa.com all
ACCEPT loc:192.168.10.91 net:www.screenusa.com all
ACCEPT loc:192.168.10.92 net:www.screenusa.com all
ACCEPT loc:192.168.10.93 net:www.screenusa.com all
ACCEPT loc:192.168.10.94 net:www.screenusa.com all
ACCEPT loc:192.168.10.95 net:www.screenusa.com all
ACCEPT loc:192.168.10.96 net:www.screenusa.com all
ACCEPT loc:192.168.10.97 net:www.screenusa.com all
ACCEPT loc:192.168.10.98 net:www.screenusa.com all
ACCEPT loc:192.168.10.99 net:www.screenusa.com all
ACCEPT loc:192.168.10.100 net:www.screenusa.com all
ACCEPT loc:192.168.10.101 net:www.screenusa.com all
ACCEPT loc:192.168.10.102 net:www.screenusa.com all
ACCEPT loc:192.168.10.103 net:www.screenusa.com all
ACCEPT loc:192.168.10.104 net:www.screenusa.com all
ACCEPT loc:192.168.10.105 net:www.screenusa.com all
ACCEPT loc:192.168.10.106 net:www.screenusa.com all
ACCEPT loc:192.168.10.107 net:www.screenusa.com all
ACCEPT loc:192.168.10.108 net:www.screenusa.com all
ACCEPT loc:192.168.10.109 net:www.screenusa.com all
ACCEPT loc:192.168.10.110 net:www.screenusa.com all
ACCEPT loc:192.168.10.111 net:www.screenusa.com all
ACCEPT loc:192.168.10.112 net:www.screenusa.com all
ACCEPT loc:192.168.10.113 net:www.screenusa.com all
ACCEPT loc:192.168.10.114 net:www.screenusa.com all
ACCEPT loc:192.168.10.115 net:www.screenusa.com all
ACCEPT loc:192.168.10.116 net:www.screenusa.com all
ACCEPT loc:192.168.10.117 net:www.screenusa.com all
ACCEPT loc:192.168.10.118 net:www.screenusa.com all
ACCEPT loc:192.168.10.119 net:www.screenusa.com all
ACCEPT loc:192.168.10.120 net:www.screenusa.com all
ACCEPT loc:192.168.10.121 net:www.screenusa.com all
ACCEPT loc:192.168.10.122 net:www.screenusa.com all
ACCEPT loc:192.168.10.123 net:www.screenusa.com all
ACCEPT loc:192.168.10.124 net:www.screenusa.com all
ACCEPT loc:192.168.10.125 net:www.screenusa.com all
ACCEPT loc:192.168.10.126 net:www.screenusa.com all
ACCEPT loc:192.168.10.127 net:www.screenusa.com all
ACCEPT loc:192.168.10.128 net:www.screenusa.com all
ACCEPT loc:192.168.10.129 net:www.screenusa.com all
ACCEPT loc:192.168.10.130 net:www.screenusa.com all
ACCEPT loc:192.168.10.131 net:www.screenusa.com all
ACCEPT loc:192.168.10.132 net:www.screenusa.com all
ACCEPT loc:192.168.10.133 net:www.screenusa.com all
ACCEPT loc:192.168.10.134 net:www.screenusa.com all
ACCEPT loc:192.168.10.135 net:www.screenusa.com all
ACCEPT loc:192.168.10.136 net:www.screenusa.com all
ACCEPT loc:192.168.10.137 net:www.screenusa.com all
ACCEPT loc:192.168.10.138 net:www.screenusa.com all
ACCEPT loc:192.168.10.139 net:www.screenusa.com all
ACCEPT loc:192.168.10.140 net:www.screenusa.com all
ACCEPT loc:192.168.10.141 net:www.screenusa.com all
ACCEPT loc:192.168.10.142 net:www.screenusa.com all
ACCEPT loc:192.168.10.143 net:www.screenusa.com all
ACCEPT loc:192.168.10.144 net:www.screenusa.com all
ACCEPT loc:192.168.10.145 net:www.screenusa.com all
ACCEPT loc:192.168.10.146 net:www.screenusa.com all
ACCEPT loc:192.168.10.147 net:www.screenusa.com all
ACCEPT loc:192.168.10.148 net:www.screenusa.com all
ACCEPT loc:192.168.10.149 net:www.screenusa.com all
ACCEPT loc:192.168.10.150 net:www.screenusa.com all
ACCEPT loc:192.168.10.151 net:www.screenusa.com all
ACCEPT loc:192.168.10.152 net:www.screenusa.com all
ACCEPT loc:192.168.10.153 net:www.screenusa.com all
ACCEPT loc:192.168.10.154 net:www.screenusa.com all
ACCEPT loc:192.168.10.155 net:www.screenusa.com all
ACCEPT loc:192.168.10.156 net:www.screenusa.com all
ACCEPT loc:192.168.10.157 net:www.screenusa.com all
ACCEPT loc:192.168.10.158 net:www.screenusa.com all
ACCEPT loc:192.168.10.159 net:www.screenusa.com all
ACCEPT loc:192.168.10.160 net:www.screenusa.com all
ACCEPT loc:192.168.10.161 net:www.screenusa.com all
ACCEPT loc:192.168.10.162 net:www.screenusa.com all
ACCEPT loc:192.168.10.163 net:www.screenusa.com all
ACCEPT loc:192.168.10.164 net:www.screenusa.com all
ACCEPT loc:192.168.10.165 net:www.screenusa.com all
ACCEPT loc:192.168.10.166 net:www.screenusa.com all
ACCEPT loc:192.168.10.167 net:www.screenusa.com all
ACCEPT loc:192.168.10.168 net:www.screenusa.com all
ACCEPT loc:192.168.10.169 net:www.screenusa.com all
ACCEPT loc:192.168.10.170 net:www.screenusa.com all
ACCEPT loc:192.168.10.171 net:www.screenusa.com all
ACCEPT loc:192.168.10.172 net:www.screenusa.com all
ACCEPT loc:192.168.10.173 net:www.screenusa.com all
ACCEPT loc:192.168.10.174 net:www.screenusa.com all
ACCEPT loc:192.168.10.175 net:www.screenusa.com all
ACCEPT loc:192.168.10.176 net:www.screenusa.com all
ACCEPT loc:192.168.10.177 net:www.screenusa.com all
ACCEPT loc:192.168.10.178 net:www.screenusa.com all
ACCEPT loc:192.168.10.179 net:www.screenusa.com all
ACCEPT loc:192.168.10.180 net:www.screenusa.com all
ACCEPT loc:192.168.10.181 net:www.screenusa.com all
ACCEPT loc:192.168.10.182 net:www.screenusa.com all
ACCEPT loc:192.168.10.183 net:www.screenusa.com all
ACCEPT loc:192.168.10.184 net:www.screenusa.com all
ACCEPT loc:192.168.10.185 net:www.screenusa.com all
ACCEPT loc:192.168.10.186 net:www.screenusa.com all
ACCEPT loc:192.168.10.187 net:www.screenusa.com all
ACCEPT loc:192.168.10.188 net:www.screenusa.com all
ACCEPT loc:192.168.10.189 net:www.screenusa.com all
ACCEPT loc:192.168.10.190 net:www.screenusa.com all
ACCEPT loc:192.168.10.191 net:www.screenusa.com all
ACCEPT loc:192.168.10.192 net:www.screenusa.com all
ACCEPT loc:192.168.10.193 net:www.screenusa.com all
ACCEPT loc:192.168.10.194 net:www.screenusa.com all
ACCEPT loc:192.168.10.195 net:www.screenusa.com all
ACCEPT loc:192.168.10.196 net:www.screenusa.com all
ACCEPT loc:192.168.10.197 net:www.screenusa.com all
ACCEPT loc:192.168.10.198 net:www.screenusa.com all
ACCEPT loc:192.168.10.199 net:www.screenusa.com all
ACCEPT loc:192.168.10.200 net:www.screenusa.com all
ACCEPT loc:192.168.10.201 net:www.screenusa.com all
ACCEPT loc:192.168.10.202 net:www.screenusa.com all
ACCEPT loc:192.168.10.203 net:www.screenusa.com all
ACCEPT loc:192.168.10.204 net:www.screenusa.com all
ACCEPT loc:192.168.10.205 net:www.screenusa.com all
ACCEPT loc:192.168.10.206 net:www.screenusa.com all
ACCEPT loc:192.168.10.207 net:www.screenusa.com all
ACCEPT loc:192.168.10.208 net:www.screenusa.com all
ACCEPT loc:192.168.10.209 net:www.screenusa.com all
ACCEPT loc:192.168.10.210 net:www.screenusa.com all
ACCEPT loc:192.168.10.211 net:www.screenusa.com all
ACCEPT loc:192.168.10.212 net:www.screenusa.com all
ACCEPT loc:192.168.10.213 net:www.screenusa.com all
ACCEPT loc:192.168.10.214 net:www.screenusa.com all
ACCEPT loc:192.168.10.215 net:www.screenusa.com all
ACCEPT loc:192.168.10.216 net:www.screenusa.com all
ACCEPT loc:192.168.10.217 net:www.screenusa.com all
ACCEPT loc:192.168.10.218 net:www.screenusa.com all
ACCEPT loc:192.168.10.219 net:www.screenusa.com all
ACCEPT loc:192.168.10.220 net:www.screenusa.com all
ACCEPT loc:192.168.10.221 net:www.screenusa.com all
ACCEPT loc:192.168.10.222 net:www.screenusa.com all
ACCEPT loc:192.168.10.223 net:www.screenusa.com all
ACCEPT loc:192.168.10.224 net:www.screenusa.com all
ACCEPT loc:192.168.10.225 net:www.screenusa.com all
ACCEPT loc:192.168.10.226 net:www.screenusa.com all
#ACCEPT loc:192.168.10.227 net:www.screenusa.com all
ACCEPT loc:192.168.10.228 net:www.screenusa.com all
ACCEPT loc:192.168.10.229 net:www.screenusa.com all
ACCEPT loc:192.168.10.230 net:www.screenusa.com all
ACCEPT loc:192.168.10.231 net:www.screenusa.com all
ACCEPT loc:192.168.10.232 net:www.screenusa.com all
ACCEPT loc:192.168.10.233 net:www.screenusa.com all
ACCEPT loc:192.168.10.234 net:www.screenusa.com all
ACCEPT loc:192.168.10.235 net:www.screenusa.com all
ACCEPT loc:192.168.10.236 net:www.screenusa.com all
ACCEPT loc:192.168.10.237 net:www.screenusa.com all
ACCEPT loc:192.168.10.238 net:www.screenusa.com all
ACCEPT loc:192.168.10.239 net:www.screenusa.com all
ACCEPT loc:192.168.10.240 net:www.screenusa.com all
ACCEPT loc:192.168.10.241 net:www.screenusa.com all
ACCEPT loc:192.168.10.242 net:www.screenusa.com all
ACCEPT loc:192.168.10.243 net:www.screenusa.com all
ACCEPT loc:192.168.10.244 net:www.screenusa.com all
ACCEPT loc:192.168.10.245 net:www.screenusa.com all
ACCEPT loc:192.168.10.246 net:www.screenusa.com all
ACCEPT loc:192.168.10.247 net:www.screenusa.com all
ACCEPT loc:192.168.10.248 net:www.screenusa.com all
ACCEPT loc:192.168.10.249 net:www.screenusa.com all
ACCEPT loc:192.168.10.250 net:www.screenusa.com all
ACCEPT loc:192.168.10.251 net:www.screenusa.com all
ACCEPT loc:192.168.10.252 net:www.screenusa.com all
ACCEPT loc:192.168.10.253 net:www.screenusa.com all
ACCEPT loc:192.168.10.254 net:www.screenusa.com all
ACCEPT loc:192.168.10.255 net:www.screenusa.com all

As you can see, the sole purpose of all these lines is to allow most of my LAN machines to have unlimited access to screenusa.com. A few of them are commented out, because those few have unlimited access to the Internet, as defined in these lines (also from my "rules" file):

ACCEPT loc:192.168.10.77 net all
ACCEPT loc:192.168.10.227 net all
ACCEPT loc:192.168.10.81 net all
ACCEPT loc:192.168.10.50 net all
ACCEPT loc:192.168.10.85 net all
ACCEPT loc:192.168.10.82 net all

That very large block of directives appears more than 50 times (for 50 different domains), resulting in a huge and hard-to-maintain "rules" file. (Note: despite the excessive length, the resulting "rules" file actually works like a charm!) Now, are we REALLY SURE that there is NO way to group these things together (e.g. the set of IP addresses in my LAN that should have restricted access to specified domains, or the set of specified domains themselves)? It is impossible to believe...

Best Regards

Panos
Panos and others,

Hmmm, interesting, what about a different approach. (Not tested though!)

Try this:

ACCEPT loc:192.168.1.1 net all
ACCEPT loc:192.168.10.0/24 net:www.screenusa.com all

Panos Katergiathis said the following on 09-Dec-04 11:06:
> Just to make sure that we all understand the same thing, I am including
> a part of my 13,859 lines "rules" file.
>
> ACCEPT loc:192.168.10.1 net:www.screenusa.com all
> ACCEPT loc:192.168.10.2 net:www.screenusa.com all
> ACCEPT loc:192.168.10.3 net:www.screenusa.com all
> ACCEPT loc:192.168.10.4 net:www.screenusa.com all
> ACCEPT loc:192.168.10.5 net:www.screenusa.com all
<<SNIP>>
> ACCEPT loc:192.168.10.254 net:www.screenusa.com all
> ACCEPT loc:192.168.10.255 net:www.screenusa.com all
>
> As you can see, the sole purpose of all these lines is to allow most of
> my lan machines to have unlimited access to screenusa.com.
> A few of them are commented out, because those few have unlimited access
> to the internet, as defined in these lines (also from my "rules" file):
>
> ACCEPT loc:192.168.10.77 net all
> ACCEPT loc:192.168.10.227 net all
> ACCEPT loc:192.168.10.81 net all
> ACCEPT loc:192.168.10.50 net all
> ACCEPT loc:192.168.10.85 net all
> ACCEPT loc:192.168.10.82 net all
>
> That very large block of directives appears more than 50 times (for 50
> different domains), resulting in a huge and hard-to-maintain "rules"
> file. (Note: despite the excessive length the resulting "rules" file,
> actually works like a charm!). Now, are we REALLY SURE that there is NO
> way to group these things together (e.g the set of ip addresses in my
> lan that should have restricted access to specified domains, or the set
> of specified domains themselves)?. It is impossible to believe...
>
> Best Regards
>
> Panos
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

--
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker <SJCJonker@sjc.nl>
Stijn Jonker, 2004-Dec-09 11:15 UTC
Re: RESEND: User sets or anything similar? - The Sequel
Panos and others,

Oops, pressed the wrong keys...

Hmmm, interesting, what about a different approach. (Not tested though!)

Try this:

REJECT loc:192.168.10.1 net all
ACCEPT loc:192.168.1.1 net all
ACCEPT loc:192.168.10.0/24 net:www.screenusa.com all

This would disallow all Internet access to 10.1, allow screenusa for all remaining and allow full access for 1.1. You might have to fiddle with the order of the 3 lines though.

Stijn

Panos Katergiathis said the following on 09-Dec-04 11:06:
> Just to make sure that we all understand the same thing, I am including
> a part of my 13,859 lines "rules" file.
>
> ACCEPT loc:192.168.10.1 net:www.screenusa.com all
> ACCEPT loc:192.168.10.2 net:www.screenusa.com all
> ACCEPT loc:192.168.10.3 net:www.screenusa.com all
> ACCEPT loc:192.168.10.4 net:www.screenusa.com all
> ACCEPT loc:192.168.10.5 net:www.screenusa.com all
<<SNIP>>
> ACCEPT loc:192.168.10.254 net:www.screenusa.com all
> ACCEPT loc:192.168.10.255 net:www.screenusa.com all
>
> As you can see, the sole purpose of all these lines is to allow most of
> my lan machines to have unlimited access to screenusa.com.
> A few of them are commented out, because those few have unlimited access
> to the internet, as defined in these lines (also from my "rules" file):
>
> ACCEPT loc:192.168.10.77 net all
> ACCEPT loc:192.168.10.227 net all
> ACCEPT loc:192.168.10.81 net all
> ACCEPT loc:192.168.10.50 net all
> ACCEPT loc:192.168.10.85 net all
> ACCEPT loc:192.168.10.82 net all
>
> That very large block of directives appears more than 50 times (for 50
> different domains), resulting in a huge and hard-to-maintain "rules"
> file. (Note: despite the excessive length the resulting "rules" file,
> actually works like a charm!). Now, are we REALLY SURE that there is NO
> way to group these things together (e.g the set of ip addresses in my
> lan that should have restricted access to specified domains, or the set
> of specified domains themselves)?. It is impossible to believe...
>
> Best Regards
>
> Panos

--
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker <SJCJonker@sjc.nl>
Why don't you simply define a zone for each access right in /etc/shorewall/zones, assign hosts to these zones in /etc/shorewall/hosts, and write just the rules for these zones in /etc/shorewall/rules? Then you may even dynamically add and remove hosts from these zones.

In my network I have a number of clients. They can be allowed to have access to the Internet or to the printer (which is outside the LAN). Thus I have two (maybe overlapping) zones llwww and llpr. The standard access rights are defined in 'hosts' by adding the hosts to these zones. In 'policy' I have two CONTINUE lines for these zones before dropping everything. And in 'rules' hosts in zone 'llwww' are allowed to go to the Internet, and hosts in 'llpr' are allowed to access the printer.

When I need to give an additional access right to a host, I add it dynamically to the appropriate zone using 'shorewall add'.

/ben

On 09.12.2004 11:06, Panos Katergiathis wrote:
> As you can see, the sole purpose of all these lines is to allow most
> of my lan machines to have unlimited access to screenusa.com.
> A few of them are commented out, because those few have unlimited
> access to the internet, as defined in these lines (also from my
> "rules" file):
>
> ACCEPT loc:192.168.10.77 net all
> ACCEPT loc:192.168.10.227 net all
> ACCEPT loc:192.168.10.81 net all
> ACCEPT loc:192.168.10.50 net all
> ACCEPT loc:192.168.10.85 net all
> ACCEPT loc:192.168.10.82 net all
>
> That very large block of directives appears more than 50 times (for 50
> different domains), resulting in a huge and hard-to-maintain "rules"
> file. (Note: despite the excessive length the resulting "rules" file,
> actually works like a charm!). Now, are we REALLY SURE that there is
> NO way to group these things together (e.g the set of ip addresses in
> my lan that should have restricted access to specified domains, or the
> set of specified domains themselves)?. It is impossible to believe...
>
> Best Regards
>
> Panos

--
_____________________________________________________________________________
Ben Greiner
Universität zu Köln/University of Cologne
Staatswissenschaftliches Seminar
Lehrstuhl Prof. Dr. Ockenfels
Albertus-Magnus-Platz
50923 KÖLN, GERMANY
PHONE ++49 (0) 221 470 6116
E-MAIL bgreiner@uni-koeln.de
http://ockenfels.uni-koeln.de
Ben,

Your approach sounds promising. For some reason I thought that "zones" are always related to "interfaces". I had no idea that they can relate to anything else. I will wait for even more advice before proceeding though.

Panos

Ben Greiner wrote:
> Why don't you simply define a zone for each access right in
> /etc/shorewall/zones, assign hosts to these zones in
> /etc/shorewall/hosts, and write just the rules for these zones in
> /etc/shorewall/rules? Then you may even dynamically add and remove
> hosts from these zones.
>
> In my network I have a number of clients. They can be allowed to have
> access to the internet or to the printer (which is outside the LAN).
> Thus I have two (maybe overlapping) zones llwww and llpr. The standard
> access rights are defined in 'hosts' by adding the hosts to these
> zones. In 'policy' I have two CONTINUE lines for these zones before
> dropping everything. And in 'rules' hosts in zone 'llwww' are allowed
> to go to the internet, and hosts in 'llpr' are allowed to access the
> printer.
> When I need to give an additional access right to a host, I add it
> dynamically to the appropriate zone using 'shorewall add'.
>
> /ben
>
> On 09.12.2004 11:06, Panos Katergiathis wrote:
>
> > As you can see, the sole purpose of all these lines is to allow most
> > of my lan machines to have unlimited access to screenusa.com.
> > A few of them are commented out, because those few have unlimited
> > access to the internet, as defined in these lines (also from my
> > "rules" file):
> >
> > ACCEPT loc:192.168.10.77 net all
> > ACCEPT loc:192.168.10.227 net all
> > ACCEPT loc:192.168.10.81 net all
> > ACCEPT loc:192.168.10.50 net all
> > ACCEPT loc:192.168.10.85 net all
> > ACCEPT loc:192.168.10.82 net all
> >
> > That very large block of directives appears more than 50 times (for
> > 50 different domains), resulting in a huge and hard-to-maintain
> > "rules" file. (Note: despite the excessive length the resulting
> > "rules" file, actually works like a charm!). Now, are we REALLY SURE
> > that there is NO way to group these things together (e.g the set of
> > ip addresses in my lan that should have restricted access to
> > specified domains, or the set of specified domains themselves)?. It
> > is impossible to believe...
> >
> > Best Regards
> >
> > Panos
On Thu, 2004-12-09 at 12:06 +0200, Panos Katergiathis wrote:
> That very large block of directives appears more than 50 times (for 50
> different domains), resulting in a huge and hard-to-maintain "rules"
> file. (Note: despite the excessive length the resulting "rules" file,
> actually works like a charm!). Now, are we REALLY SURE that there is NO
> way to group these things together (e.g the set of ip addresses in my
> lan that should have restricted access to specified domains, or the set
> of specified domains themselves)?. It is impossible to believe...

There is a way to group hosts with similar firewalling requirements -- it's called a *zone*. If you use the /etc/shorewall/hosts file to define your zones then you can write rules for the zone and not for the individual hosts.

Also be sure to read the part of the documentation that talks about nested and overlapping zones -- you can probably make use of the CONTINUE policy to decrease the number of rules further.

And by the way -- this has nothing to do with the user-set capability that was available for a short time in Shorewall 1.4.

-Tom
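The zone-based layout that Ben describes and Tom endorses, written out as an added example for the setup Panos has (five unrestricted hosts, two with no access at all, everyone else limited to a list of sites). This is not configuration from the thread or from the Shorewall project; the interface names, the addresses and the second site are assumptions, and the column layouts are those of the Shorewall 2.x files current at the time of the thread:

```text
# /etc/shorewall/zones   (ZONE  DISPLAY  COMMENTS)
# The LAN zones overlap. A packet is attributed to the first zone in this
# file whose hosts match it, so the more specific zones come first.
none    NoNet      LAN hosts with no Internet access
full    FullNet    LAN hosts with unrestricted Internet access
loc     Local      Everything else on the LAN
net     Net        Internet

# /etc/shorewall/interfaces
# eth1 carries several zones, so its ZONE column is '-' and the zone
# membership is taken from /etc/shorewall/hosts instead.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
-       eth1        detect

# /etc/shorewall/hosts   (addresses are assumptions for this example)
#ZONE   HOST(S)                                                                     OPTIONS
none    eth1:192.168.10.3,192.168.10.4
full    eth1:192.168.10.50,192.168.10.77,192.168.10.81,192.168.10.82,192.168.10.85,192.168.10.227
loc     eth1:192.168.10.0/24

# /etc/shorewall/policy
#SOURCE DEST    POLICY   LOG LEVEL
none    net     DROP     info
full    net     ACCEPT
loc     net     DROP     info
net     all     DROP     info
all     all     REJECT   info

# /etc/shorewall/rules
# One line per permitted site for the whole restricted zone, instead of
# one line per host and site.
#ACTION SOURCE  DEST                     PROTO  DEST PORT(S)
ACCEPT  loc     net:www.screenusa.com    all
ACCEPT  loc     net:www.example.com      all
```

A packet from 192.168.10.77 is classified as 'full' traffic and is accepted by that zone's policy; it never reaches the 'loc' policy, and a packet from 192.168.10.3 is dropped as 'none' traffic before any 'loc' rule is consulted. Ben's case is different in that one host may be in both llwww and llpr, which is why each of those zones gets a CONTINUE policy: a packet that no rule of the first zone accepted is then checked against the rules of the next zone the host belongs to. The 'shorewall add' command Ben mentions moves a host into a zone at run time (for example shorewall add eth1:192.168.10.99 full); whether dynamic zones first have to be enabled in shorewall.conf depends on the Shorewall version, so check the documentation for the installed one. The caveats of any address-based grouping still apply: a name in the DEST column is resolved to an address when Shorewall starts, and a user who can change a machine's address changes its zone.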
Hi list,

I tried to help a friend to run a private tiny mail-server but it did not work. What I did was to port-forward port 25/110 from NET zone to his server in DMZ zone. When I connect from outside to his site on port 25 (telnet his-site 25), I see nothing coming back. I checked with tcpdump and saw traffic coming in, then port forwarding occurred, but nothing on my side.

Is it possible that the ISP is blocking this type of traffic on the way out? If that's so, is there any solution?

Thank you.
On Thu, 2004-12-09 at 11:20 -0500, M Lu wrote:
> I tried to help a friend to run a private tiny mail-server but it did not
> work. What I did was to port-forward port 25/110 from NET zone to his server
> in DMZ zone. When I connect from outside to his site on port 25 (telnet
> his-site 25), I see nothing coming back. I checked with tcpdump and saw
> traffic coming in, then portforwarding occured but nothing on my side.
>
> Is that possible that the ISP is blocking this type of traffic on the way
> out?

Unlikely.

> If that's so is there any solution?

I would troubleshoot the problem on the firewall/server side carefully as described in Shorewall FAQs 1a and 1b.

-Tom
Thank you Tom.

My friend called the ISP and they said that they block port 25 to fight spam and viruses. However, I do not know how I can initiate a connection to port 25 on my friend's machine and not get the reply back. Probably they block packets out based on source port?

Anyway, I think my friend is out of luck, correct?

M Lu

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Thursday, December 09, 2004 11:23 AM
Subject: Re: [Shorewall-users] DNAT does not work for me

> On Thu, 2004-12-09 at 11:20 -0500, M Lu wrote:
>
> > I tried to help a friend to run a private tiny mail-server but it did not
> > work. What I did was to port-forward port 25/110 from NET zone to his
> > server
> > in DMZ zone. When I connect from outside to his site on port 25 (telnet
> > his-site 25), I see nothing coming back. I checked with tcpdump and saw
> > traffic coming in, then portforwarding occured but nothing on my side.
> >
> > Is that possible that the ISP is blocking this type of traffic on the way
> > out?
>
> Unlikely.
>
> > If that's so is there any solution?
>
> I would troubleshoot the problem on the firewall/server side carefully
> as described in Shorewall FAQs 1a and 1b.
>
> -Tom
On Thu, 2004-12-09 at 13:36 -0500, M Lu wrote:
> My friend called the ISP and they said that they block port 25 to fight
> spam and viruses. However, I do not know how I can initiate a connection to
> port 25 on my friend's machine and not get the reply back. Probably they
> block packets out based on source port?

That's of course possible, but it's odd that they would take that approach.

> Anyway, I think my friend is out of luck, correct?

Unless your friend accepts mail on a non-standard port, it would appear so.

-Tom
I think they took that approach. If I DNAT port 2500 to his mail-server's 25, I got a reply right away. But not with port 25; also, my friend cannot telnet to port 25 of any mail-server other than the ISP's one. Well, poor my friend, but at least it explains things which made me scratch some hair :-)

Thanks a lot Tom.

M Lu
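The two DNAT rules discussed above, written out as an added example in Shorewall 2.x rules-file syntax (this is not a rules file posted in the thread; the DMZ server address 192.168.2.10 and the choice of 2500 as the alternate external port are assumptions):

```text
#ACTION   SOURCE   DEST                    PROTO   DEST      SOURCE    ORIGINAL
#                                                  PORT(S)   PORT(S)   DEST
#
# Inbound SMTP published on the standard port. This is the rule whose
# replies never reached the outside client in the thread.
DNAT      net      dmz:192.168.2.10        tcp     25
#
# Same server, published on an alternate external port: a client connects
# to the firewall's external address on 2500 and the firewall rewrites the
# destination to 192.168.2.10:25. The ":25" in DEST is what remaps the port.
DNAT      net      dmz:192.168.2.10:25     tcp     2500
#
# POP3 from the original question. Plain POP3 sends the password in
# cleartext; if it must be reachable from the net, prefer the TLS-wrapped
# port (995) on the server or restrict SOURCE to known client addresses.
DNAT      net      dmz:192.168.2.10        tcp     110
```

Two checks on the firewall side before blaming the upstream provider, in the spirit of the FAQ entries Tom points to: the DMZ server's default route must point at the firewall, otherwise its SYN-ACKs leave by another path without being un-NATed and the client sees nothing (the same symptom as in the first message); and the DNAT rule's packet counter in `iptables -t nat -L PREROUTING -n -v` should increase with each inbound telnet. In this thread both were in order, which is why the alternate-port test isolated the ISP as the cause.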
On Thu, 9 Dec 2004 13:36:57 -0500, M Lu <mlu919@hotmail.com> wrote:
> Anyway, I think my friend is out of luck, correct?

Yep, your friend is out of luck :(
I think he needs to change his ISP!!! ;)
On Thu, 9 Dec 2004, Cristian Rodriguez wrote:
> > Anyway, I think my friend is out of luck, correct?
> Yep, your friend is out of luck :(
> I think he needs to change his ISP!!! ;)

Many ISPs will unblock ports if you request it.
Thank you guys. I will ask my friend to try that. BTW, the ISP is TELUS.NET in British Columbia, Canada. So do not use it if you want to run your own mail-server.
On 9 Dec 2004 at 14:03, M Lu wrote:
> I think they took that approach. If I DNAT port 2500 to his
> mail-server's 25, I got a reply right away. But not with port 25; also,
> my friend cannot telnet to port 25 of any mail-server other than the
> ISP's one.

It's not uncommon to see ISPs blocking outbound port 25 from their subnets to the internet these days. There is no excuse for blocking inbound port 25 (other than green-as-grass ISP tech staff who don't know how to do it any other way). If done correctly, you can use what is called a smart host (in sendmail, and I forget what it's called in postfix) to send all outbound mail via the ISP's smtp server but still accept inbound connections for faster (or larger) inbound mail.

-- 
______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
On Thu, 2004-12-09 at 12:15 -0900, John S. Andersen wrote:
> If done correctly, you can use what is called a smart host
> (in sendmail, and I forget what it's called in postfix) to send
> all outbound mail via the ISP's smtp server but still
> accept inbound connections for faster (or larger) inbound mail.

It's called a 'relayhost' in Postfix. I forward all outgoing email through my ISP because running an outbound mail server these days is a big PITA.

-Tom