/etc/shorewall/rules
DROP:info loc:!192.168.10.124 net tcp 1214
/etc/shorewall/blacklist
(blank)
bye.
On Mon, 7 Feb 2005 15:34:16 -0600, mmiranda@americatel.com.sv
<mmiranda@americatel.com.sv> wrote:
> Hi People, which file is processed first, blacklist or rules? I want to
> globally filter imesh, but at the same time allow managers to connect, i.e.
> imesh works on port 1214. I have this:
>
> /etc/shorewall/blacklist
>
> #ADDRESS/SUBNET PROTOCOL PORT
> 192.168.0.0/16 tcp 1214
> 192.168.0.0/16 udp 1214
>
> /etc/shorewall/rules
>
> ##############################################################################
> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
> ACCEPT loc:192.168.10.124 net tcp 1214
> DROP loc:!192.168.10.124 net tcp 1214
> DNAT net loc:192.168.10.124 tcp 6881
>
> the 192.168.0.0/16 is our corporate network, 192.168.10.124 is my boss' IP
> address, but I get this in the log:
>
> Feb 7 15:35:30 proxy kernel: Shorewall:blacklst:DROP:IN=eth1 OUT=eth0
> SRC=192.168.10.124 DST=212.179.35.119 LEN=48 TOS=0x00 PREC=0x00 TTL=127
> ID=59096 DF PROTO=TCP SPT=2413 DPT=1214 WINDOW=65535 RES=0x00 SYN URGP=0
>
> Any workaround for this, or can't it be done?
>
> BTW, the DNAT line in rules is recommended for gnutella. If I have the
> redirect rule, do I also need the ACCEPT rule pointing to the firewall itself,
> or does shorewall automatically allow incoming traffic to port 6881?
>
> thanks
> Miguel Miranda
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>
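Added example, not code from the thread or from the Shorewall project: a small Python model of the ordering the quoted log line reveals (the blacklst chain fires before the loc2net rules, so a blacklist entry cannot be overridden by an ACCEPT in rules). It parses the Shorewall kernel log line to see which chain produced the drop, then replays the same packet against the poster's original configuration (blacklist plus rules) and against the reply's rules-only configuration. The zone layout (loc = 192.168.0.0/16, everything else net), the first-match evaluation, the chain names and the fall-through policy are simplifying assumptions of this model, not Shorewall's real iptables layout; the sample log line and configurations are constructed from what the thread quotes.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the kernel log line quoted in the thread.
SAMPLE_LOG = (
    "Feb 7 15:35:30 proxy kernel: Shorewall:blacklst:DROP:IN=eth1 OUT=eth0 "
    "SRC=192.168.10.124 DST=212.179.35.119 LEN=48 TOS=0x00 PREC=0x00 TTL=127 "
    "ID=59096 DF PROTO=TCP SPT=2413 DPT=1214 WINDOW=65535 RES=0x00 SYN URGP=0"
)

# Assumed (hypothetical) zone layout: loc is the corporate /16, all else is net.
LOC_NET = ip_network("192.168.0.0/16")

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):(?P<rest>.*)")


def parse_shorewall_log(line):
    """Split a Shorewall kernel log line into the chain that fired, its
    disposition and the packet fields; None for lines that are not Shorewall logs."""
    m = LOG_RE.search(line)
    if not m:
        return None
    kv = dict(tok.split("=", 1) for tok in m.group("rest").split() if "=" in tok)
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disp"),
        "src": kv.get("SRC"),
        "dst": kv.get("DST"),
        "proto": kv.get("PROTO", "").lower(),
        "dport": int(kv["DPT"]) if "DPT" in kv else None,
    }


def zone_of(addr):
    """Assumed zone membership: inside LOC_NET is 'loc', anything else is 'net'."""
    return "loc" if ip_address(addr) in LOC_NET else "net"


def host_matches(spec, addr):
    """Match a host column: '-' or empty is any host; a leading '!' negates; CIDR ok."""
    if spec in (None, "", "-"):
        return True
    negate = spec.startswith("!")
    hit = ip_address(addr) in ip_network(spec.lstrip("!"), strict=False)
    return hit != negate


def parse_blacklist(line):
    """ADDRESS/SUBNET PROTOCOL PORT, as in the quoted blacklist file."""
    subnet, proto, port = line.split()[:3]
    return subnet, proto, int(port)


def parse_rule(line):
    """ACTION[:level] SOURCE DEST PROTO DPORT, as in the quoted rules file."""
    action, source, dest, proto, dport = line.split()[:5]
    szone, _, shost = source.partition(":")
    dzone, _, dhost = dest.partition(":")
    return {"action": action.split(":")[0], "szone": szone, "shost": shost,
            "dzone": dzone, "dhost": dhost, "proto": proto, "dport": int(dport)}


def evaluate(pkt, blacklist_lines, rule_lines, policy="REJECT"):
    """Simplified first-match model: blacklist entries are checked before rules
    (which is what the 'blacklst' chain in the log shows), then the zone-pair
    rules, then the assumed fall-through policy. Returns (chain, disposition)."""
    for subnet, proto, port in map(parse_blacklist, blacklist_lines):
        if host_matches(subnet, pkt["src"]) and proto == pkt["proto"] and port == pkt["dport"]:
            return "blacklst", "DROP"
    chain = f'{zone_of(pkt["src"])}2{zone_of(pkt["dst"])}'
    for r in map(parse_rule, rule_lines):
        if (r["szone"] == zone_of(pkt["src"]) and r["dzone"] == zone_of(pkt["dst"])
                and host_matches(r["shost"], pkt["src"]) and host_matches(r["dhost"], pkt["dst"])
                and r["proto"] == pkt["proto"] and r["dport"] == pkt["dport"]):
            return chain, r["action"]
    return chain, policy


# Constructed configs: the poster's blacklist, the rules file, and the reply's
# suggestion of leaving the blacklist blank and logging the DROP in rules.
ORIGINAL_BLACKLIST = ["192.168.0.0/16 tcp 1214", "192.168.0.0/16 udp 1214"]
RULES = [
    "ACCEPT loc:192.168.10.124 net tcp 1214",
    "DROP:info loc:!192.168.10.124 net tcp 1214",
    "DNAT net loc:192.168.10.124 tcp 6881",
]
FIXED_BLACKLIST = []


if __name__ == "__main__":
    pkt = parse_shorewall_log(SAMPLE_LOG)
    print("logged by chain:", pkt["chain"], pkt["disposition"])
    print("with blacklist: ", evaluate(pkt, ORIGINAL_BLACKLIST, RULES))
    print("rules only:     ", evaluate(pkt, FIXED_BLACKLIST, RULES))
```

Running it shows the manager's SYN to port 1214 being caught by blacklst under the original configuration, exactly as the log reports, and reaching the ACCEPT line in loc2net once the blacklist is empty, while every other loc host still hits the logged DROP. The chain name in a Shorewall log prefix is the first thing to check when a rule you wrote is not taking effect: it tells you which file's entries matched first.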