Hi!

First I would like to thank the author for the great firewall!

Would it be possible to have a list of known advertising hosts, which won't be accessible by the LAN clients masqueraded by Shorewall, so that a lot of bandwidth could be saved?
On Saturday 12 January 2002 12:12 pm, spiridon wrote:
> Hi!
>
> First I would like to thank the author for the great firewall!
>
> Would it be possible to have a list of known advertising hosts, which
> won't be accessible by the LAN clients masqueraded by Shorewall, so that a
> lot of bandwidth could be saved?

How about something like the Black List only that works on destination address rather than on source? Seems like logging wouldn't be a requirement and packets would always be REJECTed so as to not hang people's browsers.

-Tom
--
Tom Eastep      \ A Firewall for Linux 2.4.*
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
That would be great!

> On Saturday 12 January 2002 12:12 pm, spiridon wrote:
> > Hi!
> >
> > First I would like to thank the author for the great firewall!
> >
> > Would it be possible to have a list of known advertising hosts,
> > which won't be accessible by the LAN clients masqueraded by Shorewall, so
> > that a lot of bandwidth could be saved?
>
> How about something like the Black List only that works on destination
> address rather than on source? Seems like logging wouldn't be a
> requirement and packets would always be REJECTed so as to not hang
> people's browsers.
>
> -Tom
On Saturday 12 January 2002 01:06 pm, spiridon wrote:
> That would be great!

I'm actually going to do it somewhat differently to make it more efficient.

a) There will be a /etc/shorewall/filter file -- format similar to the blacklist file.

b) In /etc/shorewall/rules, there will be a new FILTER target. When a connection request matches a FILTER rule, the destination IP address is checked against the /etc/shorewall/filter file:

- If there is a match, the connection request is REJECTed
- If there is no match, the connection request is ACCEPTed

-Tom
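The "match -> REJECT, no match -> ACCEPT" chain described above, written out as plain iptables so the semantics are visible. This is an added example and not Shorewall's own code or the eventual FILTER implementation: the one-address-per-line file format with `#` comments, the chain name `adfilter`, the LAN interface `eth1` and the RFC 5737 sample addresses are all assumptions. The functions only print the iptables commands, so the script runs without root or iptables; on a real firewall you would pipe the output to `sh`.

```shell
#!/bin/sh
# Added example (not Shorewall code): build a destination-address reject
# list as a dedicated iptables chain. Assumptions: the filter file holds one
# IPv4 address or CIDR per line, '#' starts a comment, and nothing here is
# executed, only printed.

# Write a constructed sample filter file (RFC 5737 test addresses) and print
# its path, so the example runs offline.
sample_filter_file() {
    f=${TMPDIR:-/tmp}/adfilter.$$
    cat >"$f" <<'EOF'
# constructed sample: advertising hosts to block
192.0.2.10          # ad server A
192.0.2.0/28        # a whole block of them
   198.51.100.7
EOF
    printf '%s\n' "$f"
}

# Print the iptables commands that build CHAIN from FILE: one REJECT per
# listed destination, then a final ACCEPT for everything that did not match.
# Malformed entries are reported on stderr and skipped rather than turned
# into a rule that iptables would refuse halfway through loading the chain.
build_filter_chain() {
    file=$1 chain=$2
    printf 'iptables -N %s\n' "$chain"
    # drop comments and blank lines, keep only the first field of each line
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file" | while read -r addr rest; do
        case $addr in
            *[!0-9./]*) printf 'skipping bad entry: %s\n' "$addr" >&2 ;;
            *) printf 'iptables -A %s -d %s -j REJECT\n' "$chain" "$addr" ;;
        esac
    done
    printf 'iptables -A %s -j ACCEPT\n' "$chain"
}

# Number of REJECT rules build_filter_chain would emit for FILE.
count_reject_rules() {
    build_filter_chain "$1" adfilter | grep -c -- '-j REJECT'
}

# Print the command that sends LAN web traffic through the chain. The
# interface name is an assumption; other traffic never enters the chain.
hook_lan_web_traffic() {
    printf 'iptables -A FORWARD -i %s -p tcp -m multiport --dports 80,443 -j %s\n' "$1" "$2"
}

# Stand-alone usage: print the full rule set for the sample file.
if [ "${1:-}" = "--demo" ]; then
    build_filter_chain "$(sample_filter_file)" adfilter
    hook_lan_web_traffic eth1 adfilter
fi
```

REJECT rather than DROP is what keeps browsers from hanging on a blocked ad host, as the message says; for TCP-only lists `--reject-with tcp-reset` makes the failure even faster, and the chain ends in ACCEPT, so anything not on the list passes exactly as the proposed FILTER target would do.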
Hi all,

I am in the process of setting up a firewall to protect a range of 128 routable addresses. They need to be routable because of this client's need to access multiple-vendor VPN systems, using both client-to-subnet connections and subnet-to-subnet connections, mostly in aggressive mode; thus, likely to be broken by NAT. The documentation and my web searches have shown little in the way of example configurations, and not much general discussion on the approach. I realize the NAT'd private address approach is more prevalent, but I'd appreciate some background perspective from anyone who has implemented such a setup.

My questions:

1. Are there any example configurations around for this type of setup?
2. Is the implementation simply a matter of leaving the NAT settings off and supplying the proper internal range?
3. Are any additional/different rules necessary or advisable in such a system?
4. Any other issues a relative newcomer should be aware of, or background docs anyone might point me to?

Many thanks,
Dan
What about the creation/maintenance of a list of known advertisers? Is this something that already exists somewhere? If not, it would be an interesting offshoot project. Setting up a weekly autorefresh of the list should be fairly trivial as well...

> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Tom Eastep
> Sent: Saturday, January 12, 2002 4:10 PM
> To: spiridon@mailexpress.de; shorewall-users@shorewall.net
> Subject: Re: [Shorewall-users] AD-Filter?
>
> On Saturday 12 January 2002 01:06 pm, spiridon wrote:
> > That would be great!
>
> I'm actually going to do it somewhat differently to make it more efficient.
>
> a) There will be a /etc/shorewall/filter file -- format similar to the
> blacklist file.
>
> b) In /etc/shorewall/rules, there will be a new FILTER target. When a
> connection request matches a FILTER rule, the destination IP address is
> checked against the /etc/shorewall/filter file:
>
> - If there is a match, the connection request is REJECTed
> - If there is no match, the connection request is ACCEPTed
>
> -Tom
On Saturday 12 January 2002 01:37 pm, Alok K. Dhir wrote:
> What about the creation/maintenance of a list of known advertisers? Is
> this something that already exists somewhere? If not, it would be an
> interesting offshoot project. Setting up a weekly autorefresh of the
> list should be fairly trivial as well...

Setting up and maintaining that list is not something that I am personally interested in doing -- I'd be happy to provide links from my site to such a list if it were available.

-Tom
On Saturday 12 January 2002 01:30 pm, dgilleece@optimumnetworks.com wrote:
> Hi all,
>
> I am in the process of setting up a firewall to protect a range of 128
> routable addresses. They need to be routable because of this client's need
> to access multiple-vendor VPN systems, using both client-to-subnet
> connections and subnet-to-subnet connections, mostly in aggressive mode;
> thus, likely to be broken by NAT. The documentation and my web searches
> have shown little in the way of example configurations, and not much
> general discussion on the approach. I realize the NAT'd private address
> approach is more prevalent, but I'd appreciate some background perspective
> from anyone who has implemented such a setup.
>
> My questions:
>
> 1. Are there any example configurations around for this type of setup?

I don't have one since I use NAT and Proxy ARP.

> 2. Is the implementation simply a matter of leaving the NAT settings off
> and supplying the proper internal range?

Yes -- plus, never use "all" in the ADDRESS column in your /etc/shorewall/rules file.

> 3. Are any additional/different rules necessary or advisable in such a
> system?

Not really -- Shorewall doesn't assume a MASQ or NAT environment so if you don't specify NAT it doesn't happen.

> 4. Any other issues a relative newcomer should be aware of, or
> background docs anyone might point me to?

Not that I can think of.

-Tom
Why not use a program designed to do that?

There is adzapper: http://www.zipworld.com.au/~cs/adzap/index.html which works with Squid and Junkbuster.

http://www.junkbusters.com/ijb.html Junkbuster works as a proxy and will work without Squid.

There is also Proxomitron: http://proxomitron.org which also works as a standalone proxy/filter but only works on Windows.

On 01/12/02 02:12 PM, spiridon wrote:
> Hi!
>
> First I would like to thank the author for the great firewall!
>
> Would it be possible to have a list of known advertising hosts, which
> won't be accessible by the LAN clients masqueraded by Shorewall, so that a
> lot of bandwidth could be saved?
On Saturday 12 January 2002 03:23 pm, Steve Ladewig wrote:
> Why not use a program designed to do that?

Ok if you want to run a Proxy --

-Tom