> -----Original Message-----
> From: Tom Eastep [mailto:teastep@shorewall.net]
> Sent: Friday, January 18, 2002 11:09 AM
> To: Shorewall Development
> Subject: [Shorewall-devel] An idea
>
>
> A recent request to provide a way to block access to certain
> websites (banner ads) led me to an idea.
>
> a) A new directory /etc/shorewall/lists
> b) In this directory, are files containing lists of IP
> addresses and/or subnets
> c) a new JUMP rule:
>
> JUMP:list1 loc net tcp http
>
> d) By default, matching in the list would be by destination
> address and if a match was found, the connection request would
> be REJECTed
> e) The default behavior could be overridden through entries in a list:
>
> SOURCE:ACCEPT
>
> for example would match on the source address and would accept the
> connection request.
>
> f) Multiple match and disposition specifications could be in a file:
>
> SOURCE:ACCEPT
> 1.2.3.4
> 4.5.6.0/24
> SOURCE:REJECT
> 0.0.0.0
>
> would accept requests from 1.2.3.4 and from 4.5.6.0/24 and
> would reject all other requests.
>
> g) Lists could themselves have JUMP commands embedded
> (iptables catches loops):
>
> JUMP:list2
>
> We might also consider jump as a possible disposition for a list:
>
> SOURCE:JUMP:list12
>
> so that a logical ANDing of two lists could be implemented
> by the user.
>
> h) "shorewall refresh" would refresh the list contents. Each
> list would cause a chain with the same name to be created and JUMP
> rules would simply cause a jump to the corresponding chain.
>
> Are any of you interested in implementing such a thing? If
> so, let me know.
Tom,
I would definitely use this feature if you decide to implement it within
Shorewall. It would be nice to block those annoying banner ads at the
firewall instead of using (in my case) Internet Explorer's Restricted Sites
settings. Although easy to add, trying to replicate my Restricted Sites
settings to other IE users on the same LAN has been a royal PITA.
Steve Cowles
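The list format proposed in the quoted message, worked through as an added example (not Shorewall's own code): a POSIX sh script that reads one list file, applies the default destination-match/REJECT behaviour, honours SOURCE:DISPOSITION lines, embedded JUMP:name lines and JUMP:name dispositions, and prints the iptables commands for a chain named after the list, plus the refresh and rules-file JUMP steps from points (c) and (h). Everything is printed rather than executed, so it runs without root. Assumptions beyond the proposal: DEST is the keyword for the default destination match, a '#' starts a comment, the rules-file chain is named SRCZONE2DSTZONE (loc2net), and the sample list files are constructed here.

```shell
#!/bin/sh
# Added example, not Shorewall code: translate a proposed /etc/shorewall/lists
# file into iptables commands for a chain of the same name.

# list_to_rules CHAIN FILE -> prints one "iptables -A CHAIN ..." line per entry
list_to_rules() {
    chain=$1
    file=$2
    match=DEST     # point (d): default is to match on the destination address
    disp=REJECT    # point (d): default disposition is REJECT
    while read -r line || [ -n "$line" ]; do
        line=${line%%#*}           # '#' comments are an assumed extension
        set -- $line               # word-split: trims whitespace, keeps first token
        line=${1:-}
        [ -z "$line" ] && continue
        case $line in
            JUMP:*)
                # point (g): an embedded JUMP sends all remaining traffic to another list's chain
                printf 'iptables -A %s -j %s\n' "$chain" "${line#JUMP:}"
                ;;
            SOURCE:*|DEST:*)
                # points (e)/(f): set match field and disposition for the entries that follow
                match=${line%%:*}
                disp=${line#*:}
                ;;
            *)
                # an address or subnet entry
                [ "$match" = SOURCE ] && flag=-s || flag=-d
                case $disp in
                    JUMP:*) target=${disp#JUMP:} ;;   # "SOURCE:JUMP:list12" style disposition
                    *)      target=$disp ;;
                esac
                printf 'iptables -A %s %s %s -j %s\n' "$chain" "$flag" "$line" "$target"
                ;;
        esac
    done < "$file"
}

# refresh_list CHAIN FILE -> point (h): create the chain if needed, flush it, reload entries
refresh_list() {
    printf 'iptables -N %s 2>/dev/null || true\n' "$1"
    printf 'iptables -F %s\n' "$1"
    list_to_rules "$1" "$2"
}

# jump_rule LIST SRCZONE DSTZONE PROTO PORT -> point (c): the rules-file JUMP entry.
# Assumed chain naming: SRCZONE2DSTZONE (e.g. loc2net).
jump_rule() {
    printf 'iptables -A %s2%s -p %s --dport %s -j %s\n' "$2" "$3" "$4" "$5" "$1"
}

# Constructed sample lists (not from the thread).  Note 0.0.0.0/0 rather than a
# bare 0.0.0.0: iptables treats an address without a mask as a single /32 host.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/list1" <<'EOF'
# mirrors example (f): accept two sources, reject everyone else
SOURCE:ACCEPT
1.2.3.4
4.5.6.0/24
SOURCE:REJECT
0.0.0.0/0
EOF
cat > "$WORK/ads" <<'EOF'
# default match (destination) and REJECT, then an embedded jump and a jump disposition
203.0.113.10
JUMP:list2
SOURCE:JUMP:list12
198.51.100.0/24
EOF

refresh_list list1 "$WORK/list1"
refresh_list ads "$WORK/ads"
jump_rule list1 loc net tcp http
```

Because each list becomes its own chain and a JUMP is just `-j chainname`, iptables itself rejects a jump that would create a loop when the rules are loaded, which is the property point (g) relies on. A refresh only flushes and reloads the list chains, so the rules-file JUMP entries that point at them stay in place.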