Simon Matter
2003-Jul-05 16:13 UTC
[Shorewall-users] 1.4.6 Beta 1: problem with multiple dports and dns names
This is on RedHat 7.2, RH-kernel 2.4.20-18, Shorewall 1.4.6 Beta 1:

My rules:
ACCEPT loc net tcp ssh
ACCEPT loc net:222.111.88.11,111.99.44.11 tcp imaps
ACCEPT loc net:xxx.yyy.com tcp imaps
ACCEPT loc net:imap01.ccc.aaa.com tcp pop3s,imaps,ldaps

Creates the following with 1.4.6 Beta 1:
0 0 ACCEPT tcp -- * * 0.0.0.0/0 222.111.88.11 state NEW tcp dpt:993
0 0 ACCEPT tcp -- * * 0.0.0.0/0 111.99.44.11 state NEW tcp dpt:993
0 0 ACCEPT tcp -- * * 0.0.0.0/0 191.122.100.24 state NEW tcp dpt:993
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0 multiport dports 995,993,636 state NEW

I simply don't find any rule which is generated with the IP address of host imap01.ccc.aaa.com. I know that using DNS names is not recommended but for some reason there are situations where I like it anyway.
This has worked with 1.4.5 so I guess it's a small problem with the new code in 1.4.6 Beta 1.

Regards,
Simon
Tom Eastep
2003-Jul-05 16:23 UTC
[Shorewall-users] 1.4.6 Beta 1: problem with multiple dports and dns names
On Sun, 6 Jul 2003 01:13:09 +0200 (CEST), Simon Matter <simon.matter@ch.sauter-bc.com> wrote:

> This is on RedHat 7.2, RH-kernel 2.4.20-18, Shorewall 1.4.6 Beta 1:
>
> My rules:
> ACCEPT loc net tcp ssh
> ACCEPT loc net:222.111.88.11,111.99.44.11 tcp imaps
> ACCEPT loc net:xxx.yyy.com tcp imaps
> ACCEPT loc net:imap01.ccc.aaa.com tcp pop3s,imaps,ldaps
>
> Creates the following with 1.4.6 Beta 1:
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 222.111.88.11 state NEW tcp dpt:993
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 111.99.44.11 state NEW tcp dpt:993
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 191.122.100.24 state NEW tcp dpt:993
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0 multiport dports 995,993,636 state NEW
>
> I simply don't find any rule which is generated with the IP address of
> host imap01.ccc.aaa.com. I know that using DNS names is not recommended
> but for some reason there are situations where I like it anyway.
> This has worked with 1.4.5 so I guess it's a small problem with the new
> code in 1.4.6 Beta 1.

Please send me a trace of 'shorewall restart' -- I can't reproduce the problem here. This was a problem with an earlier snapshot but I thought that it was fixed.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Jul-05 16:25 UTC
[Shorewall-users] 1.4.6 Beta 1: problem with multiple dports and dns names
On Sun, 6 Jul 2003 01:13:09 +0200 (CEST), Simon Matter <simon.matter@ch.sauter-bc.com> wrote:

Never mind -- my test was wrong.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Jul-05 16:37 UTC
[Shorewall-users] 1.4.6 Beta 1: problem with multiple dports and dns names
On Sun, 6 Jul 2003 01:31:23 +0200 (CEST), Simon Matter <simon.matter@ch.sauter-bc.com> wrote:

>> On Sun, 6 Jul 2003 01:13:09 +0200 (CEST), Simon Matter
>> <simon.matter@ch.sauter-bc.com> wrote:
>>
>> Never mind -- my test was wrong.
>
> No problem, here the trace anyway. Looks like multi-port rules don't
> honor dns names.
>

The problem is with DNS names that contain "-".

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
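The first message (rules file lines and the iptables listing they compiled into) and Tom's diagnosis above (names containing "-" are what trips the multi-port path) point at a check worth running whenever host names appear in a rules file: compare the destinations the rules intend with the destinations that were actually installed, rather than trusting that a clean "shorewall restart" installed what was written. The Python below is an added example and is not Shorewall's code; it parses five-column rules of the form used in the thread, accepts RFC 1123 host names (so a "-" inside a label is valid), resolves names through a constructed table so it runs offline, and reports any intended destination that no installed rule covers with all of the intended ports. The listing is the one posted in the thread; the service-name table holds the port numbers visible in that listing (993, 995, 636) plus 22 for ssh; the hyphenated name imap-01.ccc.aaa.com and its address 192.0.2.7 are constructed so the case Tom describes can be exercised.

```python
"""Cross-check five-column Shorewall rules against the iptables listing they
produced. Added example, not Shorewall code; host names are resolved through
a constructed table so the check runs offline."""
import ipaddress
import re

# Port numbers for the service names used in the thread; 993/995/636 are the
# values visible in the generated rules, ssh is 22.
SERVICES = {"ssh": 22, "imaps": 993, "pop3s": 995, "ldaps": 636}

# RFC 1123 host-name label: letters, digits and '-', no leading or trailing '-'.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")

# One line of 'iptables -L -n -v': pkts bytes target prot opt in out src dst extra
IPT_RE = re.compile(
    r"^\s*\d+\s+\d+\s+(?P<target>\S+)\s+(?P<proto>\S+)\s+\S+\s+\S+\s+\S+\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<rest>.*)$")


def port_number(name):
    """Map a service name (or a numeric string) to a port number."""
    return SERVICES[name] if name in SERVICES else int(name)


def parse_rule(line):
    """Split 'ACTION SOURCE DEST PROTO PORTS' into its parts.
    DEST is 'zone' or 'zone:host,host'; PORTS is 'p' or 'p,p'."""
    action, source, dest, proto, ports = line.split()
    zone, _, hosts = dest.partition(":")
    return {"action": action, "source": source, "zone": zone,
            "hosts": hosts.split(",") if hosts else [],
            "proto": proto,
            "ports": [port_number(p) for p in ports.split(",")]}


def expected_destinations(rule, resolve):
    """Addresses a rule should be installed for. Literal addresses and CIDR
    blocks pass through; anything else must be a syntactically valid host
    name (hyphens allowed) and is resolved via resolve(name) -> [addr, ...]."""
    wanted = set()
    for host in rule["hosts"]:
        try:
            ipaddress.ip_network(host, strict=False)
            wanted.add(host)
            continue
        except ValueError:
            pass
        if not HOSTNAME_RE.match(host):
            raise ValueError(f"not an address or a valid host name: {host!r}")
        wanted.update(resolve(host))
    return wanted


def parse_listing(text):
    """Parse listing lines into (destination, set of destination ports)."""
    rows = []
    for line in text.splitlines():
        m = IPT_RE.match(line)
        if not m:
            continue  # header or blank line
        rest = m.group("rest")
        ports = {int(p) for p in re.findall(r"dpt:(\d+)", rest)}
        multi = re.search(r"dports (\S+)", rest)
        if multi:
            ports.update(int(p) for p in multi.group(1).split(","))
        rows.append((m.group("dst"), ports))
    return rows


def missing_rules(rules, listing, resolve):
    """Return (rule, address) pairs whose intended destination has no installed
    rule carrying all of the intended ports. Rules without a host list are
    zone-wide and are not checked here. A destination of 0.0.0.0 in the listing
    is one unusable host, not 'any', so a rule that ended up there covers
    nothing and is reported."""
    installed = parse_listing(listing)
    problems = []
    for line in rules:
        rule = parse_rule(line)
        wanted_ports = set(rule["ports"])
        for addr in sorted(expected_destinations(rule, resolve)):
            if not any(dst == addr and wanted_ports <= ports
                       for dst, ports in installed):
                problems.append((line, addr))
    return problems


# Constructed sample input. The first two rules and the listing are the ones
# posted in the thread; the third rule is the thread's multi-port rule with a
# made-up hyphenated name, and 192.0.2.7 is a made-up address for it.
RULES = [
    "ACCEPT loc net:222.111.88.11,111.99.44.11 tcp imaps",
    "ACCEPT loc net:xxx.yyy.com tcp imaps",
    "ACCEPT loc net:imap-01.ccc.aaa.com tcp pop3s,imaps,ldaps",
]
ADDRESSES = {"xxx.yyy.com": ["191.122.100.24"],
             "imap-01.ccc.aaa.com": ["192.0.2.7"]}
LISTING = """\
0 0 ACCEPT tcp -- * * 0.0.0.0/0 222.111.88.11 state NEW tcp dpt:993
0 0 ACCEPT tcp -- * * 0.0.0.0/0 111.99.44.11 state NEW tcp dpt:993
0 0 ACCEPT tcp -- * * 0.0.0.0/0 191.122.100.24 state NEW tcp dpt:993
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0 multiport dports 995,993,636 state NEW
"""


def lookup(name):
    """Offline stand-in for a DNS lookup."""
    return ADDRESSES[name]


if __name__ == "__main__":
    for line, addr in missing_rules(RULES, LISTING, lookup):
        print(f"no installed rule for {addr} from: {line}")
```

Run against the thread's listing, the check reports only the multi-port rule, because the one rule that carries ports 995, 993 and 636 was installed for destination 0.0.0.0 instead of the resolved host. That is the useful property of the failure here: the rule fails closed (0.0.0.0 as a /32 destination matches no real packet), so the consequence is a silently broken allow rather than an over-broad one, but it is invisible in the restart output and only shows up when the intended traffic is compared against what was installed. Swapping the constructed lookup for a real resolver, and the embedded listing for the output of iptables, turns this into a post-restart sanity check.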
Tom Eastep
2003-Jul-05 16:47 UTC
[Shorewall-users] 1.4.6 Beta 1: problem with multiple dports and dns names
On Sat, 05 Jul 2003 16:37:45 -0700, Tom Eastep <teastep@shorewall.net> wrote:

>
> The problem is with DNS names that contain "-".
>

The attached patch should fix it.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

-------------- next part --------------
A non-text attachment was scrubbed...
Name: firewall.patch
Type: application/octet-stream
Size: 214 bytes
Desc: not available
Url : http://lists.shorewall.net/pipermail/shorewall-users/attachments/20030705/1e58673e/firewall-0001.obj