I would like to add a rule allowing only the address 192.168.150.20 and the range of addresses from 192.169.150.100 to 192.168.150.150 in zone dmz0 to connect to two terminal servers in the local zone.

Is there a syntax that can specify a range of addresses in the rules file? Do I have to enter each one separately?

--
Stephen Carville
Unix and Network Administrator
DPSI
6033 W. Century Blvd.
Los Angeles, CA 90045
310-342-3602
Stephen Carville wrote:
| I would like to add a rule allowing only the address 192.168.150.20 and the
| range of addresses from 192.169.150.100 to 192.168.150.150 in zone dmz0 to
| connect to two terminal servers in the local zone.
|
| Is there a syntax that can specify a range of addresses in the rules file? Do
| I have to enter each one separately?
|

Shorewall currently does not support a range syntax in the SOURCE column. You need to use the 'shorewall iprange' command as follows:

linux:/etc/postfix # shorewall iprange 192.168.150.100-192.168.150.150
192.168.150.100/30
192.168.150.104/29
192.168.150.112/28
192.168.150.128/28
192.168.150.144/30
192.168.150.148/31
192.168.150.150
linux:/etc/postfix #

Then code your rule as:

ACCEPT  dmz0:192.168.150.20,192.168.150.100/30,192.168.150.104/29,...  loc:<ts1>,<ts2>

where ... represents the rest of the ranges printed by the iprange command.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
You can qualify a zone to restrict to certain IPs. Ex:

ACCEPT  loc:<ip1>,<ip2>,<ip3>  dmz  ...

In your case, a useful feature of Shorewall is IPRANGE. Try:

shorewall iprange 192.169.150.100-192.169.150.150

-Gilson Soares

On Tue, 7 Sep 2004 13:41:06 -0700, Stephen Carville <stephen@totalflood.com> wrote:
> I would like to add a rule allowing only the address 192.168.150.20 and the
> range of addresses from 192.169.150.100 to 192.168.150.150 in zone dmz0 to
> connect to two terminal servers in the local zone.
>
> Is there a syntax that can specify a range of addresses in the rules file? Do
> I have to enter each one separately?
>
> --
> Stephen Carville
> Unix and Network Administrator
> DPSI
> 6033 W. Century Blvd.
> Los Angeles, CA 90045
> 310-342-3602
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
On Tue September 7 2004 2:08 pm, Tom Eastep wrote:
> Stephen Carville wrote:
> | I would like to add a rule allowing only the address 192.168.150.20 and the
> | range of addresses from 192.169.150.100 to 192.168.150.150 in zone dmz0 to
> | connect to two terminal servers in the local zone.
> |
> | Is there a syntax that can specify a range of addresses in the rules file? Do
> | I have to enter each one separately?
>
> Shorewall currently does not support a range syntax in the SOURCE
> column. You need to use the 'shorewall iprange' command as follows:
>
> linux:/etc/postfix # shorewall iprange 192.168.150.100-192.168.150.150
> 192.168.150.100/30
> 192.168.150.104/29
> 192.168.150.112/28
> 192.168.150.128/28
> 192.168.150.144/30
> 192.168.150.148/31
> 192.168.150.150
> linux:/etc/postfix #
>
> Then code your rule as:
>
> ACCEPT  dmz0:192.168.150.20,192.168.150.100/30,192.168.150.104/29,...  loc:<ts1>,<ts2>
>
> where ... represents the rest of the ranges printed by the iprange command.

Hey. That's a pretty kewl idea. Thanks.

--
Stephen Carville
Unix and Network Administrator
DPSI
6033 W. Century Blvd.
Los Angeles, CA 90045
310-342-3602
Stephen Carville wrote:
| On Tue September 7 2004 2:08 pm, Tom Eastep wrote:
|> Shorewall currently does not support a range syntax in the SOURCE
|> column. You need to use the 'shorewall iprange' command as follows:
|>
|> linux:/etc/postfix # shorewall iprange 192.168.150.100-192.168.150.150
|> 192.168.150.100/30
|> 192.168.150.104/29
|> 192.168.150.112/28
|> 192.168.150.128/28
|> 192.168.150.144/30
|> 192.168.150.148/31
|> 192.168.150.150
|> linux:/etc/postfix #
|>
|> Then code your rule as:
|>
|> ACCEPT  dmz0:192.168.150.20,192.168.150.100/30,192.168.150.104/29,...  loc:<ts1>,<ts2>
|>
|> where ... represents the rest of the ranges printed by the iprange command.
|
| Hey. That's a pretty kewl idea. Thanks.
|

Actually, it's rather silly that Shorewall makes you do that yourself. I just checked code into the Shorewall2/ CVS project that will do it for you :-)

ACCEPT  dmz:192.168.150.20,192.168.150.100-192.168.150.150 \
        loc:<ts1>,<ts2> ...

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
On Tue, 7 Sep 2004, Tom Eastep wrote:

> | Hey. That's a pretty kewl idea. Thanks.
> |
>
> Actually, it's rather silly that Shorewall makes you do that yourself. I
> just checked code into the Shorewall2/ CVS project that will do it for
> you :-)

I meant the way it aggregates the addresses into fewer rules in the chain. I don't know if it really makes a difference but it _looks_ faster.

> ACCEPT  dmz:192.168.150.20,192.168.150.100-192.168.150.150 \
>         loc:<ts1>,<ts2> ...
>
> -Tom
> --
> Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,        \ http://shorewall.net
> Washington USA     \ teastep@shorewall.net
> PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key

--
Stephen
Stephen Carville wrote:
| On Tue, 7 Sep 2004, Tom Eastep wrote:
|
| > | Hey. That's a pretty kewl idea. Thanks.
| > |
| >
| > Actually, it's rather silly that Shorewall makes you do that yourself. I
| > just checked code into the Shorewall2/ CVS project that will do it for
| > you :-)
|
| I meant the way it aggregates the addresses into fewer rules in the
| chain. I don't know if it really makes a difference but it _looks_
| faster.
|

It is certainly faster than listing every address individually.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key