Hi everyone!

I have got to solve one problem to which I don't see the solution...
We have several zones here protected by shorewall.
Now one IP has got to be denied outgoing traffic; the other hosts in this zone need to use everything as always.
I do have a policy of

call0 net DROP info

And rules which allow for example tcp/80 for call0 to net.
Now one IP of the zone ''call0'' needs to be blocked from accessing webservers on the internet.
We do have internal webservers in other zones which need to be accessible further.
Can anyone point me to the links on the doc pages, please?
I can't seem to find anything on this.....
Blacklisting didn't work, nor did some rules I tried like:

DROP call0:192.168.10.74 net tcp 80

or everything else I tried.

Thanks in advance for every hint!

Christian

P.S. We do use shorewall 1.3.9a
On Tue, 2003-07-29 at 12:25, Christian Lox wrote:
> Hi everyone!
>
> I have got to solve one problem to which I don't see the solution...
> We have several zones here protected by shorewall.
> Now one IP has got to be denied outgoing traffic; the other hosts in
> this zone need to use everything as always.
> I do have a policy of
> call0 net DROP info
>
> And rules which allow for example tcp/80 for call0 to net.
> Now one IP of the zone ''call0'' needs to be blocked from accessing
> webservers on the internet.
> We do have internal webservers in other zones which need to be
> accessible further.
> Can anyone point me to the links on the doc pages, please?
> I can't seem to find anything on this.....
> Blacklisting didn't work, nor did some rules I tried like:
> DROP call0:192.168.10.74 net tcp 80
> or everything else I tried.
>
> Thanks in advance for every hint!
>

Either change this rule:

ACCEPT call0 net tcp 80

to

ACCEPT call0:!192.168.10.74 net tcp 80

or create two rules IN THIS ORDER:

REJECT call0:192.168.10.74 net tcp 80
ACCEPT call0 net tcp 80

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
On Tue, 2003-07-29 at 13:35, Tom Eastep wrote:
>
> Either change this rule:
>
> ACCEPT call0 net tcp 80
>
> to
>
> ACCEPT call0:!192.168.10.74 net tcp 80
>
> or create two rules IN THIS ORDER:
>
> REJECT call0:192.168.10.74 net tcp 80
> ACCEPT call0 net tcp 80
>

And to test this, be sure that you stop and restart the browser on 192.168.10.74 so that it tries to create a new connection rather than reuse an existing one.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
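The two variants Tom describes, written out as policy and rules file fragments. This is an added illustration, not a configuration from the original thread or from the Shorewall project; the zone names, the policy line and the address 192.168.10.74 are taken from the question, the column headers follow the usual Shorewall file layout, and the file paths are the conventional ones, assumed here.

```text
# /etc/shorewall/policy (fragment) - the default for call0 -> net as given in the question.
# Anything from call0 to net that no rule accepts is dropped and logged at level info.
#SOURCE   DEST   POLICY   LOG LEVEL
call0     net    DROP     info

# /etc/shorewall/rules (fragment) - pick ONE of the two variants below.
#ACTION   SOURCE                  DEST   PROTO   DEST PORT(S)

# Variant 1: a single ACCEPT whose SOURCE excludes the host with "!".
# 192.168.10.74 never matches this rule, so its port-80 traffic to net
# falls through to the call0 -> net DROP policy above.
ACCEPT    call0:!192.168.10.74    net    tcp     80

# Variant 2: an explicit REJECT for the host, placed BEFORE the general ACCEPT.
# Rules are evaluated in file order and the first match wins; if the ACCEPT
# came first it would match 192.168.10.74 too and the REJECT would never be reached.
#REJECT   call0:192.168.10.74     net    tcp     80
#ACCEPT   call0                   net    tcp     80
```

Both variants name `net` as the DEST, so they only affect call0 -> net traffic; the host's access to webservers in other internal zones keeps following whatever rules and policies exist for those zone pairs. After restarting shorewall, test from 192.168.10.74 with a fresh connection as Tom notes above: a connection that was already established before the change is tracked as part of an existing session and is not re-evaluated against the new rules, so an open browser can keep working and make the block look ineffective.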