Kevin Smith
2003-Nov-04 06:16 UTC
[Shorewall-users] RE: Shorewall-users Digest, Vol 12, Issue 6
Message: 9
Date: Mon, 3 Nov 2003 19:27:11 -0800 (Pacific Standard Time)
From: Tom Eastep <teastep@shorewall.net>
Subject: Re: [Shorewall-users] Allowing IP's
To: Shorewall Users Mailing List <shorewall-users@lists.shorewall.net>
Message-ID: <Pine.WNT.4.44.0311031917550.3504-100000@EASTEPlaptop.americas.cpqcorp.net>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 3 Nov 2003, Kevin Smith wrote:

> > > on Fri, 2003-10-31 at 11:13, Kevin Smith wrote:
> >> I have 5 public IP's I would like to allow. Seems the games my wife plays
> >> use 2000 different ports to do their thing and I don't want to have to open
> >> that large of a range. The site's help suggests opening 5 IP's:
> >> 153.128.250.0..    <these are examples since I don't
> >> 153.128.251.0       have the list available>
> >> 153.128.252.0
> >> 153.128.253.0
> >> I tried a rule like:
> >>
> >> ACCEPT loc net:153.12.250.0 tcp http
> >>
> >> with no luck. I know it's being blocked since the DROP occurs on the loc2net
> >> chain, on various dest ports.
> >
> > So you have replaced the normal loc->net ACCEPT policy with something
> > else? If not, then you had better look again at your logs because none
> > of the sample configurations will DROP anything in the loc2net chain.
> --
>
> Nope, I simply added the above rule to allow that IP. I run it with loc->net
> as DROP.
> This should cause it to act as I said. I decided to go with that policy due
> to paranoia.
> The thing is, when it connects, it uses a ton of dest ports. The website
> suggested we open the IP's (which I don't like) instead of the ports since
> it uses a huge range.

Given this contradictory information, I must try to guess what's going on:

a) I suspect that you have in fact changed the normal loc->net ACCEPT policy to DROP.

b) If so, you need to add:

ACCEPT loc net:153.128.250.0 all
ACCEPT loc net:153.128.251.0 all
...

-------

And as usual your guess is correct, apologies for the confusion.
The loc->net policy is in fact DROP for security purposes. No doubt if I'd thought it one step further, I'd have gotten it. (mental note) That's what I get for writing a message before morning coffee. Thanks.

Kev
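For anyone finding this thread later, here is the configuration Tom's reply describes, written out as an added example (not something posted in the thread, and not Shorewall's own sample files). It assumes the zone names `loc` and `net` from the standard two-interface setup, the `info` log level, and the placeholder addresses Kevin gave; the file layouts are those of the Shorewall 1.4-era `policy` and `rules` files.

```text
# /etc/shorewall/policy   (added example; loc/net zone names and log level assumed)
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    DROP     info       # Kevin's "paranoid" default: nothing leaves loc unless a rule allows it
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules    (rules are matched before the policy applies)
#ACTION   SOURCE  DEST                  PROTO   DEST PORT(S)
#
# Too narrow: this only opens TCP/80 to that host. The game's traffic to
# other ports on the same host still falls through to the loc2net DROP
# policy, which is exactly the logged drop Kevin was seeing.
#ACCEPT   loc     net:153.128.250.0     tcp     http
#
# What Tom suggested: every protocol and port, but only to the game's hosts.
# Scope is the destination address, not a 2000-port range open to the world.
ACCEPT    loc     net:153.128.250.0     all
ACCEPT    loc     net:153.128.251.0     all
ACCEPT    loc     net:153.128.252.0     all
ACCEPT    loc     net:153.128.253.0     all
```

After editing, run `shorewall check` to validate the files and `shorewall restart` to load them; `shorewall show loc2net` should then list an ACCEPT for each host ahead of the chain's DROP. The trade-off is worth stating plainly: a host-scoped `all` rule is far tighter than opening thousands of ports to the whole Internet, but it does allow any protocol to those addresses, so the list should be kept to the hosts the game actually documents.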