Does the blacklist function block both incoming and outgoing?

---
Aaron Axelsen
AIM: AAAK2
Email: axelseaa@amadmax.com
URL: www.amadmax.com <http://www.amadmax.com/>
"It said, "Insert disk #3," but only two will fit!"
"One picture is worth 128K words."
On Wed, 24 Apr 2002, Aaron Axelsen wrote:

> Does the blacklist function block both incoming and outgoing?

No - only incoming.

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Is there any way to block all outgoing access to a certain IP with Shorewall?

---
Aaron Axelsen
AIM: AAAK2
Email: axelseaa@amadmax.com
URL: www.amadmax.com

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Wednesday, April 24, 2002 5:18 PM
To: Aaron Axelsen
Cc: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] (no subject)

On Wed, 24 Apr 2002, Aaron Axelsen wrote:

> Does the blacklist function block both incoming and outgoing?

No - only incoming.

-Tom
On Wed, 24 Apr 2002, Aaron Axelsen wrote:

> Is there any way to block all outgoing access to a certain IP with
> Shorewall?

In the front of the zones file:

blk     Block     Outbound blocking zone

In the hosts file:

blk     ethN:<ip addr>

and add the policy:

all     blk     REJECT

-Tom
Aaron Axelsen wrote:

> Is there any way to block all outgoing access to a certain IP with
> Shorewall?

Add the hosts to a zone called "ban" or something like that, and set the policy from "all" to "ban" as DROP.

Paul
http://paulgear.webhop.net
Paul Gear wrote:

> Aaron Axelsen wrote:
>
> > Is there any way to block all outgoing access to a certain IP with
> > Shorewall?
>
> Add the hosts to a zone called "ban" or something like that, and set
> the policy from "all" to "ban" as DROP.

BTW, folks, this is really the best way to implement a "whitelist", too. Just make a zone called "wl" (or "ok", or whatever your preference), add the hosts to it, and set the policy to ACCEPT.

The whitelist feature is just a way of condescending to people who can't figure out their Shorewall hosts file. Tom is a crowd-pleaser. ;-)

Paul
On Thu, 25 Apr 2002, Paul Gear wrote:

> > Add the hosts to a zone called "ban" or something like that, and set
> > the policy from "all" to "ban" as DROP.
>
> BTW, folks, this is really the best way to implement a "whitelist",
> too. Just make a zone called "wl" (or "ok", or whatever your
> preference), add the hosts to it, and set the policy to ACCEPT.
>
> The whitelist feature is just a way of condescending to people who
> can't figure out their Shorewall hosts file. Tom is a crowd-pleaser.
> ;-)

There is actually a key difference between the use of zones and the xxxlist implementations. The lists can be updated using just the refresh command, whereas changes to zones don't occur until the firewall is totally restarted.

-Tom
On Thu, 25 Apr 2002, Paul Gear wrote:

> The whitelist feature is just a way of condescending to people who
> can't figure out their Shorewall hosts file. Tom is a crowd-pleaser.
> ;-)

You can rest assured that I will not implement a "Blue" list of banned output IPs. There are better ways to censor the sites that folks behind the firewall are visiting.

-Tom
On Wed, 24 Apr 2002, Tom Eastep wrote:

> There is actually a key difference between the use of zones and the
> xxxlist implementations. The lists can be updated using just the refresh
> command whereas changes to zones don't occur until the firewall is totally
> restarted.

Using a zone to implement a whitelist of internet sites can also be tricky in the presence of port forwarding rules. You either have to replicate the rules for both the 'net' and 'whl' (whitelist) zones or you need to create an alias zone for 'net' (an 'alias' being a zone with exactly the same definition):

zones:

net     Internet     The Internet
whl     Whitelist    Trusted Hosts
netp    Internet     The Internet (Policy Zone)

Policies:

net     all     CONTINUE
whl     all     ACCEPT
netp    all     DROP     info

Your port forwarding rules have source zone = 'net'. If a connection request doesn't match any of those, and the source host is in 'whl', then the connection request is accepted. Otherwise it is dropped. Note that any net->x REJECT or DROP rules are going to apply to hosts in the 'whl' zone, which isn't necessarily what is desired.

The problem here is that when I designed the original model, I (wrongly) assumed that zones were always going to be disjoint. I considered an approach that allowed specification of a zone hierarchy but settled on the 'hosts' file and CONTINUE policy because they seemed easier to implement. If I decide to do Shorewall II at some point, I'll try to get this aspect right.

-Tom
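To make the overlapping-zone behaviour described in this thread concrete, here is an added example (written for this edit, not Shorewall's own code): a small Python model of how the 'net', 'whl' and 'netp' zones above, together with the outbound 'blk' zone from the earlier replies, combine with first-match rules and a CONTINUE policy. The interfaces, addresses, ports and rule entries are all constructed sample values, and real Shorewall evaluates iptables chains; this only mimics the ordering semantics the messages describe.

```python
from ipaddress import ip_address, ip_network

# Constructed zones in zones-file order; each maps an interface and networks
# (like 'hosts' entries ethN:<ip addr>). Zones on one interface may overlap.
ZONES = [
    ("blk",  "eth0", ["203.0.113.9/32"]),   # outbound-banned host ('ban'/'blk')
    ("net",  "eth0", ["0.0.0.0/0"]),        # the Internet
    ("whl",  "eth0", ["198.51.100.7/32"]),  # whitelisted Internet host
    ("netp", "eth0", ["0.0.0.0/0"]),        # alias of net carrying the DROP policy
    ("loc",  "eth1", ["192.168.1.0/24"]),   # local network
]

# rules file: (SOURCE, DEST, PROTO, DPORT, ACTION); first match wins
RULES = [
    ("net", "loc", "tcp", 8080, "DNAT"),    # port forward, source zone is 'net'
    ("net", "loc", "tcp", 23,   "REJECT"),  # a net->loc REJECT rule (the caveat)
]

# policy file: (SOURCE, DEST, POLICY); first match wins, 'all' is a wildcard
POLICIES = [
    ("net",  "all", "CONTINUE"),
    ("whl",  "all", "ACCEPT"),
    ("netp", "all", "DROP"),
    ("all",  "blk", "REJECT"),
    ("loc",  "all", "ACCEPT"),
]

def zones_of(iface, addr):
    """All zones containing addr behind iface, in zones-file order."""
    ip = ip_address(addr)
    return [name for name, ifc, nets in ZONES
            if ifc == iface and any(ip in ip_network(n) for n in nets)]

def policy_for(src, dst):
    for s, d, action in POLICIES:
        if s in (src, "all") and d in (dst, "all"):
            return action
    return "DROP"  # Shorewall would refuse to start without a policy

def evaluate(sif, saddr, dif, daddr, proto, dport):
    """Walk (src zone, dst zone) pairs in order; CONTINUE falls through."""
    for src in zones_of(sif, saddr):
        for dst in zones_of(dif, daddr):
            for s, d, p, port, action in RULES:
                if (s, d, p, port) == (src, dst, proto, dport):
                    return action
            action = policy_for(src, dst)
            if action != "CONTINUE":
                return action
    return "DROP"
```

The whitelisted host reaches the forwarded port through the 'net' rule, falls through to 'whl' ACCEPT for anything else, but still hits the net->loc REJECT on port 23, which is exactly the caveat Tom raises.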