Hi, I have two questions which I can't seem to find in the FAQs; I would appreciate any help or direction.

I have recently set up Shorewall 1.4.6 without any hassles, and it works great. I even got Squid working behind it as well (exciting for me as I'm a newbie).

I have the following questions:

Is there any way that I can have the filter based on a text file, so instead of accepting from 1.2.3.4 I could call a file which listed the IPs? This would be good for me as I have a small list of IP addresses that changes quite often, and managing this via a group or text file would make things a lot easier.

Also, with the redirect, why does it show an open port even if the machine you are forwarding to is offline? E.g. redirecting port 20 and 21 (ftp) to 192.168.0.5 when 192.168.0.5 is not plugged in. Is it the fact that the actual firewall responds to incoming requests on that port and then forwards them to the IP address? I would have thought that it doesn't reply directly but just forwards the requests to the IP address you specified and lets it respond.

Thanks in advance,
Matt
On Tue, 2003-10-14 at 00:46, Matthew Grech wrote:> > Is there any way that I can have the filter based on a text file so > instead of accepting from 1.2.3.4 I could call a file which listed the > ip''s ? > > This would be good for me as I have a small list of IP addresses that > changes quite often and managing this via a group or text file would > make things a lot easier.Please see http://shorewall.net/configuration_file_basics.html and pay particular attention to "The INCLUDE Directive" and "Using Shell Variables". The latter is probably more appropriate in your case.> > > Also, With the redirect, why does it show an open even if the machien > you are forwarding to is offline. EgWhat does "show open" mean? Are you running some sort of port scanner?> > Redirecting port 20 and 21 (ftp) to 192.168.0.5 and 192.168.0.5 is not > plugged in.Redirect always works on the firewall system itself -- are you referring to Port Forwarding (DNAT)?> > Is it the fact that the actual firewall responds to incomming requests > on that port then forwards them to the ip address ?That''s not the way that IP works.> I would have thought > that it doesn''t reply directly but just forwards the requests to the ip > address you sepcified and let it respond.The firewall may respond with an ICMP packet (such as "No route to host") -- what the port scanner does with that response is up to it. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net
On Tue, 2003-10-14 at 07:59, Tom Eastep wrote:

> On Tue, 2003-10-14 at 00:46, Matthew Grech wrote:
>>
> Please see http://shorewall.net/configuration_file_basics.html and pay
> particular attention to "The INCLUDE Directive" and "Using Shell
> Variables". The latter is probably more appropriate in your case.

The correct URL is http://shorewall.net/configuration_file_basics.htm

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA   \ teastep@shorewall.net
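The "Using Shell Variables" approach Tom points to, as an added example that is not part of the thread or of Shorewall's own distribution: a small POSIX shell script that reads a plain text file of addresses (one per line, blank lines and # comments ignored), rejects anything that is not a valid IPv4 address or CIDR block before it can reach the firewall, and prints the resulting comma-separated list as a params-file variable plus the rules lines that use it. The variable name ADMINS, the file path, the SSH port and the column layout of the rules lines (ACTION SOURCE DEST PROTO DEST PORT(S), with DNAT shown as the port-forwarding form Tom contrasts with REDIRECT) are assumptions made for the example; check them against the Shorewall documentation for the version you run.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall). Builds a Shorewall
# shell variable from a text file of addresses instead of editing the rules
# file by hand. Shorewall sources /etc/shorewall/params as a shell script
# before reading its other configuration files, so a variable defined there
# can be referenced in rules as net:$ADMINS. ADMINS and the paths are
# hypothetical names chosen for this example.

# Return 0 if $1 is a dotted-quad IPv4 address, optionally with a /prefix
# (0-32). Anything else, including stray characters, is rejected.
is_ipv4() {
    case "$1" in
        *[!0-9./]*|"") return 1 ;;       # only digits, dots and one slash
    esac
    _addr=${1%%/*}
    _prefix=${1#*/}
    [ "$_prefix" = "$1" ] && _prefix=32  # no slash: host address
    [ "$_prefix" -ge 0 ] 2>/dev/null && [ "$_prefix" -le 32 ] || return 1
    case "$_addr" in
        .*|*.|*..*|*/*) return 1 ;;       # leading/trailing/double dots
    esac
    _old_ifs=$IFS; IFS=.
    set -- $_addr                        # split into octets
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ -n "$_octet" ] && [ "$_octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Read a file of addresses (one per line; # comments and blank lines are
# ignored) and print them as a comma-separated list. The first bad entry
# aborts with a message on stderr and a non-zero status, so a typo cannot
# silently widen or break the rule set.
addr_list_from_file() {
    _list=""
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line=${_line%%#*}                              # strip comments
        _line=$(printf '%s' "$_line" | tr -d '[:space:]') # strip whitespace
        [ -n "$_line" ] || continue
        is_ipv4 "$_line" || { printf 'bad address: %s\n' "$_line" >&2; return 1; }
        _list="${_list:+$_list,}$_line"
    done < "$1"
    printf '%s\n' "$_list"
}

# Print the params entry and the rules lines that use it. Column layout is
# the assumed Shorewall rules format: ACTION SOURCE DEST PROTO DEST PORT(S).
emit_shorewall_snippets() {
    _addrs=$(addr_list_from_file "$1") || return 1
    printf 'params: ADMINS=%s\n' "$_addrs"
    printf 'rules:  ACCEPT net:$ADMINS fw tcp 22\n'
    printf 'rules:  DNAT net loc:192.168.0.5 tcp 20,21\n'   # port forwarding, not REDIRECT
}

# Demo on a constructed address file (sample data, not a real site list).
_demo=$(mktemp)
printf '1.2.3.4\n# office block\n10.0.0.0/8  # trailing comment\n\n' > "$_demo"
emit_shorewall_snippets "$_demo"
rm -f "$_demo"
```

Run the script once after editing the address file and, if it exits cleanly, copy the printed ADMINS line into the params file and restart Shorewall; if it prints "bad address", nothing reaches the firewall until the file is corrected.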