Hi everyone!

First: Thanks for all the work on this great project.
I am playing around with it the whole day, but one question remains (for now!)...

I set up a rule as described in the documentation to forward all outgoing http traffic to our Squid.

ACCEPT local fw::3128 tcp 80 - all

This works just fine, but I have to exclude some clients from this (IPs are in the local range).

Any help appreciated!

Christian
--
we reject: kings, presidents, religions
we accept: working code
Hello Christian,

On Tuesday 15 January 2002 07:07 am, Christian Lox wrote:
> Hi everyone!
>
> First: Thanks for all the work on this great project.
> I am playing around with it the whole day, but one question remains
> (for now!)...
>
> I set up a rule as described in the documentation to forward all
> outgoing http traffic to our Squid.
> ACCEPT local fw::3128 tcp 80 - all
>
> This works just fine, but I have to exclude some clients from this
> (IPs are in the local range).
>
> Any help appreciated!

The only way that I can think of for you to do that with Shorewall is to place these clients in their own zone and you MUST make that zone disjoint from your local zone. I would need to change the structure of chains that Shorewall places in the nat table in order for it to work with overlapping zones.

Sorry,
-Tom
--
Tom Eastep     \ A Firewall for Linux 2.4.*
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
You could also create an acl with always_direct in your squid config file. See squid faq for more details.

HTH
Pascal

On Tue, 2002-01-15 at 07:07, Christian Lox wrote:
> Hi everyone!
>
> First: Thanks for all the work on this great project.
> I am playing around with it the whole day, but one question remains
> (for now!)...
>
> I set up a rule as described in the documentation to forward all
> outgoing http traffic to our Squid.
> ACCEPT local fw::3128 tcp 80 - all
>
> This works just fine, but I have to exclude some clients from this
> (IPs are in the local range).
>
> Any help appreciated!
>
> Christian
> --
> we reject: kings, presidents, religions
> we accept: working code
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
Why can't he just put a REJECT or a DROP rule (or for surrounding squid another ACCEPT rule) above his ACCEPT rule for http ports since rules are processed until the first fitting is found, afaik?

MfG,
Markus

At 07:25 15.01.2002 -0800, Tom Eastep wrote:
>Hello Christian,
>
>On Tuesday 15 January 2002 07:07 am, Christian Lox wrote:
> > Hi everyone!
> >
> > First: Thanks for all the work on this great project.
> > I am playing around with it the whole day, but one question remains
> > (for now!)...
> >
> > I set up a rule as described in the documentation to forward all
> > outgoing http traffic to our Squid.
> > ACCEPT local fw::3128 tcp 80 - all
> >
> > This works just fine, but I have to exclude some clients from this
> > (IPs are in the local range).
> >
> > Any help appreciated!
>
>The only way that I can think of for you to do that with Shorewall is to
>place these clients in their own zone and you MUST make that zone disjoint
>from your local zone. I would need to change the structure of chains that
>Shorewall places in the nat table in order for it to work with overlapping
>zones.
>
>Sorry,
>-Tom
>--
>Tom Eastep     \ A Firewall for Linux 2.4.*
>AIM: tmeastep  \ http://www.shorewall.net
>ICQ: #60745924 \ teastep@shorewall.net
On Wednesday 16 January 2002 02:40 pm, Markus Bossert wrote:
> Why can't he just put a REJECT or a DROP rule (or for surrounding squid
> another ACCEPT rule) above his ACCEPT rule for http ports since rules are
> processed until the first fitting is found, afaik?

In each Netfilter table, rules are processed in the order found. Port redirection and port forwarding rules and a rule to both Netfilter's nat table and in its filter table. The rule added to the nat table is being executed before ANY rule in the filter table.

I'm working on a fix for this general problem so have faith....

-Tom
--
Tom Eastep     \ A Firewall for Linux 2.4.*
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
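An added illustration of the ordering Tom describes, not code from this thread or from Shorewall: a small Python model in which the nat PREROUTING chain runs before the filter table. Addresses are constructed (an excluded client at 192.168.1.50); it shows that a REJECT placed above the http ACCEPT in the filter table never sees the excluded client's port-80 packet, because the REDIRECT has already rewritten it to port 3128, while an exclusion ahead of the REDIRECT in the nat table does keep that client off the proxy.

```python
"""Netfilter model: nat PREROUTING runs before the filter table, so only a rule
in the nat table can keep a client out of a REDIRECT. Addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EXCLUDED = "192.168.1.50/32"   # constructed: client that must bypass Squid

@dataclass(frozen=True)
class Packet:
    src: str
    dport: int

@dataclass(frozen=True)
class Rule:
    target: str             # REDIRECT, ACCEPT, RETURN, DROP or REJECT
    src: str = "0.0.0.0/0"
    dport: int = 0          # 0 = any destination port
    to_port: int = 0        # REDIRECT only
    def matches(self, pkt):
        return ip_address(pkt.src) in ip_network(self.src) and self.dport in (0, pkt.dport)

def run_chain(rules, pkt, policy="ACCEPT"):
    # Walk one chain in order; the first matching terminating target decides.
    for r in rules:
        if not r.matches(pkt):
            continue
        if r.target == "REDIRECT":   # rewrite to the firewall's own port
            return "ACCEPT", Packet(pkt.src, r.to_port)
        if r.target == "RETURN":     # RETURN in a built-in chain applies its policy
            return policy, pkt
        return r.target, pkt         # ACCEPT, DROP or REJECT
    return policy, pkt

def traverse(nat_prerouting, filter_rules, pkt):
    """nat PREROUTING first; the filter table only sees the rewritten packet."""
    verdict, pkt = run_chain(nat_prerouting, pkt)
    return (verdict, pkt) if verdict != "ACCEPT" else run_chain(filter_rules, pkt, "DROP")

SQUID_REDIRECT = Rule("REDIRECT", dport=80, to_port=3128)
OPEN_PORTS = [Rule("ACCEPT", dport=3128), Rule("ACCEPT", dport=80)]

def exclude_in_filter(pkt):
    """Markus's idea: a REJECT for the client placed above the http ACCEPTs."""
    flt = [Rule("REJECT", src=EXCLUDED, dport=80)] + OPEN_PORTS
    return traverse([SQUID_REDIRECT], flt, pkt)

def exclude_in_nat(pkt):
    """Exclusion ahead of the REDIRECT in the nat table (raw iptables equivalent:
    iptables -t nat -I PREROUTING -s <client> -p tcp --dport 80 -j RETURN)."""
    return traverse([Rule("RETURN", src=EXCLUDED, dport=80), SQUID_REDIRECT], OPEN_PORTS, pkt)
```

The raw iptables line in the last docstring is the netfilter-level equivalent of the nat exclusion, not a Shorewall rules-file entry.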
On Wednesday 16 January 2002 03:03 pm, Tom Eastep wrote:
> On Wednesday 16 January 2002 02:40 pm, Markus Bossert wrote:
> > Why can't he just put a REJECT or a DROP rule (or for surrounding squid
> > another ACCEPT rule) above his ACCEPT rule for http ports since rules are
> > processed until the first fitting is found, afaik?
>
> In each Netfilter table, rules are processed in the order found. Port
> redirection and port forwarding rules and a rule to both Netfilter's nat

make that "...add a rule to both..."

> table and in its filter table. The rule added to the nat table is being
> executed before ANY rule in the filter table.
>
> I'm working on a fix for this general problem so have faith....
>
> -Tom

--
Tom Eastep     \ A Firewall for Linux 2.4.*
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net