Hi,

How about implementing this script with Shorewall?
--------------------------------------------
#!/bin/sh

# Resolve the ad host with dig, keep only the answer lines for it (drop the
# ';' comment lines and the '<<>> DiG' banner), take the address column, and
# add one OUTPUT DROP rule per address returned.
dig ads.web.aol.com | grep "ads." | grep -v \; | grep -v \< | cut -f5 |
while read aolblock1; do
    iptables -A OUTPUT -p all --destination $aolblock1 -j DROP
done
---------------------------------------
Thanks,
Aventino Faria
Aventino Faria wrote:
> Hi,
>
> How about implementing this script with Shorewall?
> --------------------------------------------
> #!/bin/sh
>
> dig ads.web.aol.com | grep "ads." | grep -v \; | grep -v \< | cut -f5 |
> while read aolblock1; do
>     iptables -A OUTPUT -p all --destination $aolblock1 -j DROP
> done

Most people would have just coded:

iptables -A OUTPUT -p all --destination ads.web.aol.com -j DROP

which translates into this Shorewall rule:

DROP $FW net:ads.web.aol.com all

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Hello Tom,

I tried this same rule to block Google's AdSense, which you'll find on everyone's site. AdSense is JavaScript that people add to their Web pages. So I entered the rule:

REJECT fw net:pagead2.googlesyndication.com all

However, this also sometimes restricts access to "google.com". Why is that? Using dig, I found these IPs for the domain googlesyndication.com:

216.239.37.99
216.239.39.99

And these for google.com:

216.239.37.99
216.239.39.99
216.239.57.99

So my guess is that you are not actually blocking the domain, but rather the IP being called. Is that right? If so, how in the world do you block an actual domain name?

Thanks,
John

> Most people would have just coded:
>
> iptables -A OUTPUT -p all --destination ads.web.aol.com -j DROP
>
> which translates into this Shorewall rule:
>
> DROP $FW net:ads.web.aol.com all
>
> -Tom

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
J and T wrote:
> Hello Tom,

Effective immediately, I'm going to stop answering any post to the lists that begins "Hello Tom". Folks, this is a list of over 1,000 subscribers, and unless we find a way to let the other 999+ contribute meaningfully to the Shorewall support load, I'm out of here.

-Tom
A domain name is just a user-friendly name that is linked to an IP address, so wouldn't this outcome make sense? What is the purpose you are trying to achieve by blocking a domain name? If it was for web content filtering, try something like Squid and DansGuardian. But if it is to keep ads off of sites you view, you will have to try something else. Shorewall is meant to be a protective firewall, not a restrictive firewall. This is probably a move by Google, to force you to keep allowing their ads in order to use their search and other tools they offer.

Todd Johnson
todd@toddejohnson.net

J and T wrote:
> Hello Tom,
>
> I tried this same rule to block Google's AdSense, which you'll find on
> everyone's site. AdSense is JavaScript that people add to their Web
> pages. So I entered the rule:
>
> REJECT fw net:pagead2.googlesyndication.com all
>
> However, this also sometimes restricts access to "google.com". Why is
> that? Using dig, I found these IPs for the domain googlesyndication.com:
>
> 216.239.37.99
> 216.239.39.99
>
> And these for google.com:
>
> 216.239.37.99
> 216.239.39.99
> 216.239.57.99
>
> So my guess is that you are not actually blocking the domain, but
> rather the IP being called. Is that right? If so, how in the world do
> you block an actual domain name?
>
> Thanks,
> John
Of course this reply was a direct response to your reply to the posting of "Block domains with Shorewall", so directing it to "Hello Tom" seemed appropriate to me at the time. I was merely pointing out that blocking by domain as you stated actually seems to block by IP rather than by the domain name, as I pointed out in my example. If you would rather I not reply to the person of a posting, then I will just reply to the list and disregard the poster.

Later,
John

> J and T wrote:
>> Hello Tom,
>
> Effective immediately, I'm going to stop answering any post to the lists
> that begins "Hello Tom". Folks, this is a list of over 1,000 subscribers,
> and unless we find a way to let the other 999+ contribute meaningfully
> to the Shorewall support load, I'm out of here.
>
> -Tom
Have you not heard of name-based hosting? You could easily have hundreds of domain names tied to a single IP. So by entering "xyz.com" you could actually be blocking hundreds of other domains. I was merely pointing out that by entering a domain name:

DROP $FW net:xyz.com all

you could have easily blocked other sites that you had no idea you were blocking. So the above rule is not a block by domain name as stated, but rather by the IP as returned at the time DNS made a query for the domain. So the point is that blocking by domain name can be, and probably is, a dangerous way of filtering.

Later,
John

> A domain name is just a user-friendly name that is linked to an IP address,
> so wouldn't this outcome make sense? What is the purpose you are trying to
> achieve by blocking a domain name? If it was for web content filtering,
> try something like Squid and DansGuardian. But if it is to keep ads off
> of sites you view, you will have to try something else. Shorewall is meant
> to be a protective firewall, not a restrictive firewall. This is probably a
> move by Google, to force you to keep allowing their ads in order to use
> their search and other tools they offer.
>
> Todd Johnson
> todd@toddejohnson.net
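The point John is making (and the google.com / googlesyndication.com overlap he observed earlier in the thread) can be checked before a rule goes in. The script below is an added example, not code from the thread or from the Shorewall project: it expands hostname rules into the per-IP rules they become at load time and lists every other name in a resolver table that shares those addresses. DNS_TABLE is a constructed stand-in for dig answers; the google.com and googlesyndication.com addresses are the ones John quoted, the remaining names and addresses are made-up documentation addresses. The rule parser only handles the ACTION/SOURCE/DEST columns used in this thread.

```python
"""Expand hostname-based firewall rules into the IP rules they really are,
and report which other names share those addresses (collateral blocking).

Added example for the Shorewall-users thread; not Shorewall project code.
DNS_TABLE is a constructed stand-in for `dig` answers: the google.com and
googlesyndication.com addresses are the ones quoted in the thread, the rest
are made-up RFC 5737 documentation addresses."""
from collections import defaultdict

DNS_TABLE = {
    "pagead2.googlesyndication.com": {"216.239.37.99", "216.239.39.99"},
    "google.com": {"216.239.37.99", "216.239.39.99", "216.239.57.99"},
    "ads.web.aol.com": {"198.51.100.10"},     # constructed
    "mail.example.net": {"198.51.100.10"},    # constructed: name-based host sharing the IP
    "www.example.org": {"203.0.113.7"},       # constructed
}


def resolve(hostname, table=DNS_TABLE):
    """Return the A records for a name, as the firewall would see them at rule-load time."""
    return frozenset(table.get(hostname, ()))


def parse_rule(line):
    """Parse 'ACTION SOURCE DEST [PROTO ...]' from a Shorewall rules file.

    DEST is either a zone or zone:host. Returns (action, source, zone, host),
    with host None for a whole-zone rule; returns None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    if len(fields) < 3:
        raise ValueError(f"not a rule: {line!r}")
    action, source, dest = fields[:3]
    zone, _, host = dest.partition(":")
    return action, source, zone, host or None


def is_ipv4(text):
    """True for a dotted-quad literal, which needs no DNS expansion."""
    parts = text.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def expand_rules(rules, table=DNS_TABLE):
    """For every rule whose DEST is a hostname, list the per-IP rules it turns
    into and every other name in the table that resolves to one of those IPs."""
    reverse = defaultdict(set)                 # ip -> names that resolve to it
    for name, ips in table.items():
        for ip in ips:
            reverse[ip].add(name)
    report = []
    for line in rules:
        parsed = parse_rule(line)
        if parsed is None:
            continue
        action, source, zone, host = parsed
        if host is None or is_ipv4(host):
            continue                           # whole zone or already an IP: nothing to expand
        ips = resolve(host, table)
        collateral = set()
        for ip in ips:
            collateral |= reverse[ip] - {host}
        report.append({
            "rule": line.strip(),
            "ip_rules": sorted(f"{action} {source} {zone}:{ip} all" for ip in ips),
            "collateral": sorted(collateral),
        })
    return report


if __name__ == "__main__":
    rules = [
        "# rules the thread discusses",
        "DROP $FW net:ads.web.aol.com all",
        "REJECT fw net:pagead2.googlesyndication.com all",
    ]
    for entry in expand_rules(rules):
        print(entry["rule"])
        for r in entry["ip_rules"]:
            print("   becomes:  ", r)
        print("   also hits: ", ", ".join(entry["collateral"]) or "nothing else in the table")
```

Run against a real resolver the table would be filled from dig output at the moment the rules are loaded, which is exactly the snapshot the firewall itself takes; any name that later moves to a different address, or any other name that lands on the same address, is not reflected in the running ruleset.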
Yes, I do know of name-based hosting. However, Shorewall is not meant to block outgoing connections. It is meant to keep people out of your network. It does have the facility to also block outgoing places. You could find this more of a problem of iptables, because Shorewall is just built on top of it. In this case you are posting in the wrong spot.

Todd

J and T wrote:
> Have you not heard of name-based hosting? You could easily have
> hundreds of domain names tied to a single IP. So by entering "xyz.com"
> you could actually be blocking hundreds of other domains. I was merely
> pointing out that by entering a domain name:
>
> DROP $FW net:xyz.com all
>
> you could have easily blocked other sites that you had no idea you were
> blocking. So the above rule is not a block by domain name as stated,
> but rather by the IP as returned at the time DNS made a query for the
> domain. So the point is that blocking by domain name can be, and probably
> is, a dangerous way of filtering.
>
> Later,
> John
I was merely pointing out to Tom (author of Shorewall), who replied to the above post and said:

> Most people would have just coded:
>
> iptables -A OUTPUT -p all --destination ads.web.aol.com -j DROP
>
> which translates into this Shorewall rule:
>
> DROP $FW net:ads.web.aol.com all
>
> -Tom

So I was just letting the original poster know that this rule is not a safe rule, as they could easily be blocking other services offered by AOL or any other domain hosted on that IP. I fully understand that Shorewall uses iptables, but since Tom told the person to use this rule, I thought it was only appropriate that I also point out that this is not a domain block, but instead an IP block for the domain at the time DNS returned the IP address. So I'm not complaining about Shorewall, but just trying to contribute and let the person know that this rule may not work as expected.

Later,
John

> Yes, I do know of name-based hosting. However, Shorewall is not meant to
> block outgoing connections. It is meant to keep people out of your
> network. It does have the facility to also block outgoing places. You
> could find this more of a problem of iptables, because Shorewall is just
> built on top of it. In this case you are posting in the wrong spot.
>
> Todd
J and T wrote:
> Of course this reply was a direct response to your reply to the posting
> of "Block domains with Shorewall", so directing it to "Hello Tom" seemed
> appropriate to me at the time. I was merely pointing out that
> blocking by domain as you stated actually seems to block by IP rather
> than by the domain name, as I pointed out in my example. If you would rather
> I not reply to the person of a posting, then I will just reply to the
> list and disregard the poster.

Yes, in your case my snipping was probably unwarranted and I apologize.

I think it's time for me to add your question to the FAQ since we seem to end up answering it every few months. A draft of the FAQ answer follows:

-----------------------------------------------------------------------
Packet filters like Netfilter base their decisions on the contents of the various protocol headers at the front of each packet. Stateful packet filters (of which Netfilter is an example) use a combination of header contents and state created when the packet filter processed earlier packets. Netfilter (and Shorewall's use of Netfilter) also consider the network interface(s) where each packet entered and/or where the packet will leave the firewall/router.

Given that name-based multiple hosting is a common practice (example: lists.shorewall.net and www1.shorewall.net are both hosted on the same system with a single IP address), it is not possible to filter connections to a particular name by examination of protocol headers alone.

While some protocols such as FTP require the firewall to examine and possibly modify packet payload, parsing the payload of individual packets doesn't always work because the application-level data stream can be split across packets in arbitrary ways. This is one of the weaknesses of the 'string match' Netfilter extension available in Patch-O-Matic.

The only sure way to filter on packet content is to proxy the connections in question -- in the case of HTTP, this means running something like Squid. Proxying allows the proxy process to assemble complete application-level messages, which can then be accurately parsed, and decisions can be made based on the result.
-----------------------------------------------------------------------

Comments and corrections are welcome,

-Tom
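The two weaknesses the FAQ draft names, that a name cannot be told apart from other names on the same address by looking at headers, and that a per-packet payload match misses data split across packets, can both be shown with a small model. The script below is an added example, not code from the thread, from Shorewall, Netfilter or Squid: a connection is modelled as a list of TCP payload chunks, and a stateless per-chunk substring check (what a per-packet string match does) is compared with a check that reassembles the stream and parses the HTTP Host header (what a proxy effectively does). The HTTP requests, the blocked hostname and the cut points are constructed test data.

```python
"""Per-packet string matching versus proxy-style reassembly.

Added example illustrating the FAQ draft in the thread; not Shorewall, Netfilter
or Squid code. A connection is modelled as a list of TCP payload chunks. The
HTTP requests and the cut points are constructed test data."""

BLOCKED_HOST = b"pagead2.googlesyndication.com"

# Constructed request for the ad script; only the Host header carries the name.
AD_REQUEST = (
    b"GET /pagead/show_ads.js HTTP/1.1\r\n"
    b"Host: pagead2.googlesyndication.com\r\n"
    b"User-Agent: constructed-example\r\n"
    b"\r\n"
)
# Constructed request to a different name that, per the thread, shares the IP.
SEARCH_REQUEST = (
    b"GET /search?q=shorewall HTTP/1.1\r\n"
    b"Host: www.google.com\r\n"
    b"\r\n"
)


def segment(data, cut_points):
    """Split a byte string at the given offsets, modelling arbitrary TCP segmentation."""
    cuts = [0] + sorted(cut_points) + [len(data)]
    return [data[a:b] for a, b in zip(cuts, cuts[1:])]


def per_packet_match(segments, needle):
    """Stateless check, like a per-packet string match: each segment is searched
    on its own, so a needle that straddles two segments is never seen."""
    return any(needle in seg for seg in segments)


def proxy_match(segments, blocked_host):
    """Proxy-style check: reassemble the stream, wait until the request headers
    are complete, then compare the parsed Host header against the blocked name.
    Returns True/False once the headers are complete, None while data is missing."""
    stream = b"".join(segments)
    head, sep, _body = stream.partition(b"\r\n\r\n")
    if not sep:
        return None                                   # headers unfinished: keep reading
    for header in head.split(b"\r\n")[1:]:            # [0] is the request line
        name, _, value = header.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().split(b":")[0].lower()   # drop an optional :port
            return host == blocked_host.lower()
    return False                                      # no Host header: nothing to match on


def compare(request, cut_points):
    """Run both checks over the same request segmented at cut_points."""
    segs = segment(request, cut_points)
    return {
        "segments": len(segs),
        "per_packet": per_packet_match(segs, BLOCKED_HOST),
        "proxy": proxy_match(segs, BLOCKED_HOST),
    }


if __name__ == "__main__":
    mid = AD_REQUEST.index(BLOCKED_HOST) + 10          # cut in the middle of the hostname
    print("ad request, one segment:   ", compare(AD_REQUEST, []))
    print("ad request, split mid-name:", compare(AD_REQUEST, [mid]))
    print("search request, shared IP: ", compare(SEARCH_REQUEST, []))
```

The second case is the one the FAQ warns about: the same request, with one segment boundary inside the hostname, passes the per-packet check while the reassembled check still catches it. The third case shows the other half of the argument: a request for a different name on the same address is correctly left alone only by the check that reads the Host header, since an address-based rule cannot tell the two apart.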
Todd Johnson wrote:
> Yes, I do know of name-based hosting. However, Shorewall is not meant to
> block outgoing connections.

I think that a better way of stating this is that "Shorewall is not meant for content filtering" (see http://shorewall.net/Shorewall_Doesnt.html). For packets that are being forwarded through a Shorewall box, Shorewall itself has no concept of incoming or outgoing, so exactly the same feature set is available for filtering outgoing connections and incoming connections.

-Tom
Tom Eastep wrote:
> I think it's time for me to add your question to the FAQ since we seem
> to end up answering it every few months.

Please see http://shorewall.net/FAQ.htm#faq39

-Tom
J and T wrote:
> I was merely pointing out to Tom (author of Shorewall), who replied to
> the above post and said:
>
>> Most people would have just coded:
>>
>> iptables -A OUTPUT -p all --destination ads.web.aol.com -j DROP
>>
>> which translates into this Shorewall rule:
>>
>> DROP $FW net:ads.web.aol.com all
>>
>> -Tom
>
> So I was just letting the original poster know that this rule is not a
> safe rule, as they could easily be blocking other services offered by AOL
> or any other domain hosted on that IP. I fully understand that Shorewall
> uses iptables, but since Tom told the person to use this rule, I thought
> it was only appropriate that I also point out that this is not a domain
> block, but instead an IP block for the domain at the time DNS returned
> the IP address. So I'm not complaining about Shorewall, but just trying
> to contribute and let the person know that this rule may not work as
> expected.

But at least the rule does the same thing as the lengthier script that the OP was asking about.

-Tom