Pascal DeMilly
2002-Jan-19 00:36 UTC
[Shorewall-users] [Fwd: Re: [Shorewall-devel] An idea]
Oops! It was meant for the list. Sorry. See message below.

----- Forwarded message: Re: [Shorewall-devel] An idea -----
Subject: Re: [Shorewall-devel] An idea
From: Pascal DeMilly <list.shorewall@newgenesys.com>
To: Tom Eastep <teastep@shorewall.net>
Date: 18 Jan 2002 11:58:12 -0800

Could it be the right place to add MAC matching? So if an address looks like a MAC address it could be filtered? Just an idea!

Pascal

On Fri, 2002-01-18 at 09:08, Tom Eastep wrote:
> A recent request to provide a way to block access to certain websites (banner
> ads) led me to an idea.
>
> a) A new directory /etc/shorewall/lists
> b) In this directory, are files containing lists of IP addresses and/or
> subnets
> c) a new JUMP rule:
>
> JUMP:list1 loc net tcp http
>
> d) By default, matching in the list would be by destination address and if a
> match was found, the connection request would be REJECTed
> e) The default behavior could be overridden through entries in a list:
>
> SOURCE:ACCEPT
>
> for example would match on the source address and would accept the
> connection request.
>
> f) Multiple match and disposition specifications could be in a file:
>
> SOURCE:ACCEPT
> 1.2.3.4
> 4.5.6.0/24
> SOURCE:REJECT
> 0.0.0.0
>
> would accept requests from 1.2.3.4 and from 4.5.6.0/24 and would reject
> all other requests.
>
> g) Lists could themselves have JUMP commands embedded (iptables catches
> loops):
>
> JUMP:list2
>
> We might also consider jump as a possible disposition for a list:
>
> SOURCE:JUMP:list12
>
> so that a logical ANDing of two lists could be implemented by the user.
>
> h) "shorewall refresh" would refresh the list contents. Each list would
> cause a chain with the same name to be created and JUMP rules would
> simply cause a jump to the corresponding chain.
>
> Are any of you interested in implementing such a thing? If so, let me know.
>
> -Tom
> --
> Tom Eastep \ A Firewall for Linux 2.4.*
> AIM: tmeastep \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net
> _______________________________________________
> Shorewall-devel mailing list
> Shorewall-devel@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-devel
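The list-file format sketched in Tom's message, as an added example that is not part of the thread or of Shorewall itself: a small Python translator that turns one list file into the iptables commands for the chain named after it, following the proposal's defaults (match on destination, REJECT) and its SOURCE:/JUMP: overrides. The sample list is constructed from the message's example; the DEST: keyword, trailing-comment handling, chain-name check and address validation are my assumptions, not anything the proposal specifies.

```python
import ipaddress
import re

# Constructed sample in the proposed list-file format (assumed path
# /etc/shorewall/lists/list1); 0.0.0.0/0 because iptables reads a bare
# 0.0.0.0 as the single host 0.0.0.0/32, not "everything".
SAMPLE_LIST = """\
SOURCE:ACCEPT
1.2.3.4
4.5.6.0/24
SOURCE:REJECT
0.0.0.0/0
"""

def _chain(name):
    # iptables chain names are at most 28 characters; allow only safe ones.
    if not re.fullmatch(r"[A-Za-z0-9_]{1,28}", name):
        raise ValueError("bad chain name %r" % name)
    return name

def parse_list(name, text):
    """Return the iptables commands that build the chain for one list file.
    Defaults follow the proposal: match on destination, REJECT on match.
    'SOURCE:<disp>' (or the assumed 'DEST:<disp>') sets match and disposition
    for the lines that follow; <disp> is ACCEPT, REJECT, DROP or JUMP:<list>.
    A bare 'JUMP:<list>' line jumps unconditionally to that list's chain."""
    match_flag, target = "-d", "REJECT"
    # -N fails harmlessly if the chain exists; -F empties it so a refresh rebuilds it.
    cmds = ["iptables -N %s" % name, "iptables -F %s" % name]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # tolerate trailing comments
        if not line:
            continue
        if line.startswith("JUMP:"):
            cmds.append("iptables -A %s -j %s" % (name, _chain(line[5:])))
        elif line.startswith(("SOURCE:", "DEST:")):
            kind, disp = line.split(":", 1)
            match_flag = "-s" if kind == "SOURCE" else "-d"
            if disp.startswith("JUMP:"):
                target = _chain(disp[5:])
            elif disp in ("ACCEPT", "REJECT", "DROP"):
                target = disp
            else:
                raise ValueError("line %d: bad disposition %r" % (lineno, disp))
        else:
            # Must parse as a host or subnet (ValueError if not): no unchecked string reaches iptables.
            net = ipaddress.ip_network(line, strict=False)
            cmds.append("iptables -A %s %s %s -j %s"
                        % (name, match_flag, net.with_prefixlen, target))
    return cmds
```

Nested lists work the same way as in the proposal: an embedded JUMP: line becomes a plain jump to the other list's chain, and iptables itself refuses a loop between chains.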