Hello,

I would like to drop certain connections. My question now is: if I mention in the rules file to drop certain connections, will these also be dropped if they are related to existing connections? Because that's what I want.

Thanks,
Brabants Michel
Belgium
On Thu, 24 Apr 2003 18:19:30 +0000, Michel <wamb4060@wanadoo.be> wrote:

> Hello,
>
> I would like to drop certain connections. My question now is: if I
> mention in the rules file to drop certain connections, will these also be
> dropped if they are related to existing connections? Because that's
> what I want.

No -- if you don't want related connections then don't use Shorewall.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
On Thu, 24 Apr 2003 09:25:29 -0700, Tom Eastep <teastep@shorewall.net> wrote:

> No -- if you don't want related connections then don't use Shorewall.

Actually there is a way to disallow related connections -- use the blacklist file. Rules from the blacklist file are applied to every incoming packet.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Thanks.

Tom Eastep wrote:
> On Thu, 24 Apr 2003 09:25:29 -0700, Tom Eastep <teastep@shorewall.net>
> wrote:
>
>>> No -- if you don't want related connections then don't use Shorewall.
>
> Actually there is a way to disallow related connections -- use the
> blacklist file. Rules from the blacklist file are applied to every
> incoming packet.
>
> -Tom
Hi Tom,

Thought I should let you know that I ended up having to make a minor tweak to 1.4.2 to get an OpenVPN tunnel working. I had to change the 'firewall' script in /usr/share/shorewall:

[root@home shorewall]# diff firewall.saved firewall 1106,1107c1106,1107 < addrule $inchain -p udp -s $1 --sport $p --dport $p -j ACCEPT < addrule $outchain -p udp -d $1 --sport $p --dport $p -j ACCEPT ---> addrule $inchain -p udp -s $1 --dport $p -j ACCEPT > addrule $outchain -p udp -d $1 --sport $p -j ACCEPT

The reason being that my company's firewall was doing port translation on the outgoing OpenVPN traffic, so although both Linux machines were configured to use the same port for OpenVPN, traffic arriving at my home firewall (the one running Shorewall) had a different (and dynamic) source port number.

Just thought I'd mention it, before I forgot.

Paul
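Review bot: dropping `--sport $p` from the $inchain rule and `--dport $p` from the $outchain rule accepts UDP from or to the peer on any port, not only the one the remote NAT happened to pick, and because the edit is made in /usr/share/shorewall/firewall (the copy kept as firewall.saved shows it has to be reapplied by hand) it is lost on the next package upgrade. The two generated rules still carry `-s $1` and `-d $1`, so the peer address is the real restriction; the same pair of accepts can be written in the rules file, keyed on the gateway address, which survives upgrades and leaves the shipped script untouched.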
On Thu, 24 Apr 2003 11:50:23 -0700, Paul Chambers <shorewall@lists.bod.org> wrote:

> Hi Tom,
>
> Thought I should let you know that I ended up having to make a minor
> tweak to 1.4.2 to get an OpenVPN tunnel working.

A much better solution is to just use rules and forget the tunnels file:

ACCEPT net:<gateway ip> fw udp <port #>
ACCEPT fw net:<gateway ip> udp - <port #>

The tunnels file just provides a shorthand mechanism for defining tunnel-related rules. There would be no function lost if the tunnels file totally ceased to exist.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
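Two things in this thread are easy to get wrong when reading a rule set: a rules-file DROP never sees a packet that conntrack already classed RELATED (Tom's blacklist answer above), and a tunnel rule that pins both the source and the destination port stops matching as soon as a NAT on the far side rewrites the source port (Paul's diff and Tom's rules-file replacement). The model below is an added example written for this page, not Shorewall's own code; it evaluates first-match-wins chains over constructed UDP packets. The chain ordering (blacklist, then the ESTABLISHED/RELATED accept, then rules-file entries), the addresses 203.0.113.10 / 198.51.100.1 / 192.0.2.7 and the port 5000 are all assumptions made for the model, not values taken from Shorewall's generated iptables chains or from the thread.

```python
"""Added example (not Shorewall's code): a small packet/rule matcher that
models two points from this thread.

1. A DROP entry in the rules file does not stop packets that conntrack has
   already classed ESTABLISHED/RELATED, because those are accepted first;
   a blacklist entry is applied to every incoming packet, so it does.
2. A tunnel rule that pins both --sport and --dport to the OpenVPN port
   stops matching when the remote site's NAT rewrites the source port; two
   rules-file entries keyed on the gateway address, each pinning one port,
   still match.

Chain layout, addresses and the port number are assumptions for the model.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    state: str = "NEW"           # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass(frozen=True)
class Rule:
    action: str
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    state: Optional[str] = None  # comma-separated, like -m state --state

    def matches(self, p: Packet) -> bool:
        fixed = ((self.proto, p.proto), (self.src, p.src), (self.dst, p.dst),
                 (self.sport, p.sport), (self.dport, p.dport))
        if any(want is not None and want != got for want, got in fixed):
            return False
        return self.state is None or p.state in self.state.split(",")

    def as_iptables(self, chain: str) -> str:
        """Render the rule in the shape of the thread's 'addrule' lines."""
        parts = ["iptables", "-A", chain]
        for flag, val in (("-p", self.proto), ("-s", self.src), ("-d", self.dst),
                          ("--sport", self.sport), ("--dport", self.dport)):
            if val is not None:
                parts += [flag, str(val)]
        if self.state is not None:
            parts += ["-m", "state", "--state", self.state]
        parts += ["-j", self.action]
        return " ".join(parts)


def evaluate(chain: List[Rule], p: Packet, policy: str = "DROP") -> str:
    """First matching rule wins; otherwise fall through to the chain policy."""
    for r in chain:
        if r.matches(p):
            return r.action
    return policy


# --- Point 1: related connections vs. the blacklist -------------------------
ESTABLISHED_RELATED = Rule("ACCEPT", state="ESTABLISHED,RELATED")


def incoming_chain(blacklist: List[Rule], rules: List[Rule]) -> List[Rule]:
    """Assumed ordering: blacklist before the state match, rules file after."""
    return list(blacklist) + [ESTABLISHED_RELATED] + list(rules)


def related_packet_verdict(bad_host: str, use_blacklist: bool) -> str:
    """Verdict for a RELATED packet from bad_host when the DROP for that host
    lives in the blacklist (True) or only in the rules file (False)."""
    drop_host = Rule("DROP", src=bad_host)
    chain = incoming_chain([drop_host] if use_blacklist else [],
                           [] if use_blacklist else [drop_host])
    pkt = Packet("udp", bad_host, "198.51.100.1", 40000, 33434, state="RELATED")  # constructed
    return evaluate(chain, pkt)


# --- Point 2: OpenVPN behind a port-translating NAT -------------------------
GATEWAY = "203.0.113.10"   # assumed remote OpenVPN gateway
FW = "198.51.100.1"        # assumed home firewall running Shorewall
PORT = 5000                # assumed OpenVPN port; the thread does not name it


def tunnels_file_rules() -> Tuple[List[Rule], List[Rule]]:
    """Unpatched 1.4.2 logic from Paul's diff: --sport and --dport both pinned."""
    return ([Rule("ACCEPT", "udp", src=GATEWAY, sport=PORT, dport=PORT)],
            [Rule("ACCEPT", "udp", dst=GATEWAY, sport=PORT, dport=PORT)])


def rules_file_rules() -> Tuple[List[Rule], List[Rule]]:
    """Tom's rules-file entries: 'ACCEPT net:<gw> fw udp <port>' and
    'ACCEPT fw net:<gw> udp - <port>' (dest port any, source port pinned)."""
    return ([Rule("ACCEPT", "udp", src=GATEWAY, dport=PORT)],
            [Rule("ACCEPT", "udp", dst=GATEWAY, sport=PORT)])


def tunnel_verdicts(ruleset: Tuple[List[Rule], List[Rule]], nat_sport: int) -> Tuple[str, str]:
    """Verdicts for the first inbound datagram (source port as rewritten by the
    remote NAT) and for our reply to it."""
    inbound, outbound = ruleset
    arriving = Packet("udp", GATEWAY, FW, nat_sport, PORT)
    reply = Packet("udp", FW, GATEWAY, PORT, nat_sport)
    return evaluate(inbound, arriving), evaluate(outbound, reply)


if __name__ == "__main__":
    print("rules-file DROP vs RELATED:", related_packet_verdict("192.0.2.7", False))
    print("blacklist DROP vs RELATED: ", related_packet_verdict("192.0.2.7", True))
    for name, rs in (("tunnels file", tunnels_file_rules()), ("rules file", rules_file_rules())):
        print(name, "no NAT:", tunnel_verdicts(rs, PORT), "NAT'd sport:", tunnel_verdicts(rs, 40123))
    for r in rules_file_rules()[0]:
        print(r.as_iptables("net2fw"))
```

Run it and the tunnels-file pair returns DROP for both directions once the source port is 40123 instead of 5000, while the rules-file pair still accepts; the RELATED packet is dropped only when the host's DROP is in the blacklist. The as_iptables output is there to compare against the addrule lines in Paul's diff, not to be fed to a live firewall.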