Hi,

I had set rules so that my client can only visit a few sites instead of the whole net.

My question is, how can I allow my client to activate its product key and also to run Windows Update?

One more thing is, can I use domain names in the rule config? If yes, can I put just microsoft.com to refer to aaa.microsoft.com and bbb.microsoft.com?

Please advise
On Wed, 8 Sep 2004 23:36:15 -0700 (PDT), mynullvoid <mynullvoid@yahoo.com> wrote:

> My question is, how can I allow my client to activate
> its product key and also to run Windows Update?

You need to figure out which addresses these two processes use and include them in your rules.

> One more thing is, can I use domain names in the rule
> config? If yes, can I put just microsoft.com to refer
> to aaa.microsoft.com bbb.microsoft.com?

You can, but not in a wildcard way (*.microsoft.com). But using domain names is not recommended. Read this carefully: http://www.shorewall.net/configuration_file_basics.htm#dnsnames

-Gilson Soares
On Wed, 2004-09-08 at 23:36 -0700, mynullvoid wrote:

> Hi,
>
> I had set rules so that my client can only visit a few
> sites instead of the whole net.
>
> My question is, how can I allow my client to activate
> its product key and also to run Windows Update?
>
> One more thing is, can I use domain names in the rule
> config? If yes, can I put just microsoft.com to refer
> to aaa.microsoft.com bbb.microsoft.com?
>
> Please advise

When you use a FQDN for a rule in Shorewall, it will be resolved to its IP address for the rule by iptables. netfilter has no way of knowing that the packet is intended to go to xyz.microsoft.com; it only knows that it is going to 206.142.56.17 on 607/tcp or whatever.

To accomplish what you want, you could set up a Squid proxy and use its ACLs to allow/deny web access to various sites, networks, etc. You can use the transparent proxy capability via the REDIRECT rule type in Shorewall so that it "just works" (tm) for end users.

--
David Hollis <dhollis@davehollis.com>
On Thursday 09 September 2004 06:52, David Hollis wrote:

> When you use a FQDN for a rule in Shorewall, it will be resolved to its
> IP address for the rule by iptables. netfilter has no way of knowing
> that the packet is intended to go to xyz.microsoft.com, it only knows
> that it is going to 206.142.56.17 on 607/tcp or whatever. To accomplish
> what you want, you could set up a Squid proxy and use its ACLs to
> allow/deny web access to various sites, networks, etc. You can use the
> transparent proxy capability via the REDIRECT rule type in Shorewall so
> that it "just works" (tm) for end users.

This is the best method for restricting web access by internal clients -- it is also an effective method of stopping IM apps once you have blocked their native ports (see the concurrent thread "Layer 7 Filtering").

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
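The REDIRECT-plus-Squid setup that David describes and Tom endorses above, written out as an added configuration example. This is not code from the thread, nor from the Shorewall or Squid projects' own documentation. It assumes the LAN zone is named loc, the internal subnet is 192.168.1.0/24, the firewall's own LAN address is 192.168.1.1, and Squid listens on port 3128 on the firewall; microsoft.com comes from the original question, while the other hostname is a placeholder for whatever the activation and update clients actually contact.

```conf
# /etc/shorewall/rules (excerpt, added example; zone "loc", port 3128 and the
# firewall address 192.168.1.1 are assumptions)
#
# Intercept outbound HTTP from the LAN and hand it to Squid on the firewall.
# The ORIGINAL DEST column excludes requests aimed at the firewall itself so
# they are not looped back into the proxy.
#ACTION    SOURCE   DEST   PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST
REDIRECT   loc      3128   tcp    www           -               !192.168.1.1
#
# Only port 80 is intercepted. HTTPS (443) and any non-HTTP traffic that
# activation or Windows Update needs still require explicit ACCEPT rules once
# the addresses and ports involved have been identified.

# /etc/squid/squid.conf (excerpt, added example)
#
# Interception mode. Squid 2.6/3.0 spelled this "transparent"; Squid 2.5 used
# the httpd_accel_* directives instead.
http_port 3128 intercept

acl localnet src 192.168.1.0/24

# A leading dot matches the domain and every subdomain, which is the
# "microsoft.com covers aaa.microsoft.com and bbb.microsoft.com" behaviour the
# original question asked for and that an iptables rule cannot provide.
acl allowed_sites dstdomain .microsoft.com
# PLACEHOLDER: replace with the hosts the update/activation client really uses.
acl allowed_sites dstdomain .update.example

http_access allow localnet allowed_sites
http_access deny all
```

Because Squid matches on the Host header and URL rather than on a resolved IP address, the whitelist keeps working when the destination's address changes, which is exactly what a FQDN in an iptables rule cannot guarantee. After editing, restart Shorewall and reload Squid; a request from the LAN to a host outside the whitelist should then be answered by Squid's access-denied page rather than reaching the Internet.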
On Thu, 2004-09-09 at 02:36, mynullvoid wrote:

> Hi,
>
> I had set rules so that my client can only visit a few
> sites instead of the whole net.
>
> My question is, how can I allow my client to activate
> its product key and also to run Windows Update?
>
> One more thing is, can I use domain names in the rule
> config? If yes, can I put just microsoft.com to refer
> to aaa.microsoft.com bbb.microsoft.com?
>
> Please advise

Open up the firewall and run netwatch by Gordon Mckay -- http://216.239.41.104/search?q=cache:bTVYIL1O--cJ:www.slctech.org/~mackay/netwatch.html+netwatch&hl=en

The site is down right now but you can view it with the Google cache above. When you run netwatch it will tell you what ports are being accessed by anything that goes through the firewall, plus it will also tell you everything that is incoming. I've found it to be superior to netstat for monitoring realtime connections. I run it regularly on the firewall here for monitoring purposes. It uses an ncurses interface so you can run it at runlevel 3 without any problem. Netwatch is very handy for letting you know what ports are being accessed by clients on the local LAN.

LX