On Tue, 2004-11-30 at 12:34 -0800, Costantino wrote:
> I know that Shorewall is not for content control, but until such day that I
> get the time to set up squid, what is the best way to prevent machines on LOC
> from reaching a bunch of sites contained in a list with about 30 to 40 IP
> addresses or FQDN entries?
> The blacklist looks only at the SRC field of the packet, right?
>
I would:
a) Add a "NoSurf" action to /etc/shorewall/actions.
b) Create action.NoSurf with
	REJECT	-	<ip 1>
	REJECT	-	<ip 2>
	...
	REJECT	-	<ip n>
c) In /etc/shorewall/rules:
	NoSurf	loc	net	tcp	80,...
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
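Tom's action.NoSurf body is easy to type for 30 or 40 entries, but a list that changes is simpler to keep in a plain file and regenerate. The script below is an added example, not Tom's or the Shorewall project's code; it assumes a list file with one IPv4 address (optional /prefix) or FQDN per line, '#' comments allowed, and prints the action file body in the TARGET/SOURCE/DEST columns his example uses.

```shell
#!/bin/sh
# Added example (not from Tom's mail or Shorewall itself): build the body of
# /etc/shorewall/action.NoSurf from a plain block list, one IPv4 address
# (optional /prefix) or FQDN per line, '#' comments allowed.
set -f   # no pathname expansion while we split an address on '.'

# is_ipv4 ADDR[/PFX] : dotted quad, octets 0-255, optional /0 .. /32 prefix
is_ipv4() {
    addr=${1%%/*}; pfx=${1#"$addr"}
    case $pfx in '') ;; /[0-9]|/[12][0-9]|/3[0-2]) ;; *) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# is_hostname NAME : letters, digits, '.' and '-' only, sane dot/dash placement,
# and at least one letter so a mistyped address is not taken for a name
is_hostname() {
    case $1 in *[!A-Za-z0-9.-]*|.*|*.|*..*|-*|*-) return 1 ;; esac
    case $1 in *[A-Za-z]*) return 0 ;; *) return 1 ;; esac
}

# gen_nosurf LISTFILE : one REJECT line per entry on stdout. A bad entry is
# reported on stderr and makes the function return 1, so a typo in the list
# cannot silently turn into a rule that matches nothing.
gen_nosurf() {
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                                  # drop trailing comment
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        [ -z "$entry" ] && continue
        if ! is_ipv4 "$entry" && ! is_hostname "$entry"; then
            echo "gen_nosurf: bad entry: $line" >&2; status=1; continue
        fi
        # Shorewall resolves an FQDN once, when it compiles the rules, so a
        # name entry follows neither DNS changes nor multi-address sites.
        printf 'REJECT\t-\t%s\n' "$entry"
    done < "$1"
    return $status
}

# Constructed sample list (not a real block list) to show the output format.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
192.0.2.10
198.51.100.0/24
www.example.net   # resolved when the firewall starts
EOF
gen_nosurf "$SAMPLE"
rm -f "$SAMPLE"
```

Redirect the output to /etc/shorewall/action.NoSurf and the rule from step (c) stays unchanged; only the action body is regenerated when the list changes.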