Is it possible to...

Restrict all traffic to and from an internal IP address on a specific port? (i.e., no port 80 outbound from 192.168.6.50, and block all returning packets to that same IP)

Restrict all traffic out to an external IP address on a specific port? (i.e., no port 80 outbound to www.example.com [or its IP])

--
Landy J. Bible
The University of Tulsa
Computer Science Student
IS Computer Help Desk Tech.
Java Programmer
Lighting Designer
Train Nut
> Subject: [Shorewall-users] Two questions
> Is it possible to...
>
> Restrict all traffic to and from an internal IP address on a specific
> port? (i.e., no port 80 outbound from 192.168.6.50, and block all
> returning packets to that same IP)
>
> Restrict all traffic out to an external IP address on a specific port?
> (i.e., no port 80 outbound to www.example.com [or its IP])
>
> --
> Landy J. Bible
>

Yes, in rules:

    REJECT loc:192.168.6.50 net tcp 80

Netfilter doesn't disconnect a previously allowed connection; have a look at 'cutter' for that.

    REJECT loc net:badip tcp 80

When you block with Shorewall, you'll block all sites hosted at that IP address. You should have a look at Squid for name-based HTTP traffic control. FAQ 39.

Please disregard my previous post quoting John about cutter, but it's a great thread to read in the archives.

Jerry
Jerry Vonau wrote:
> ...
> yes, in rules:
>
> REJECT loc:192.168.6.50 net tcp 80
>
> ...
>
> REJECT loc net:badip tcp 80
>
> When you block with Shorewall, you'll block all sites hosted
> at that IP address. You should have a look at Squid, for name
> based HTTP traffic control. FAQ 39.

Another option would be to add these hosts to a zone for disallowed web access and use:

    REJECT loc badweb tcp 80

and then use a CONTINUE policy to drop through to the other rules for net.

--
Paul <http://paulgear.webhop.net>
--
Did you know? Using HTML email (or "Rich Text" email) rather than plain text is less efficient, and makes you more vulnerable to security flaws in your computer software. Learn more about securing your computer at <http://www.kb.cert.org/vuls/id/713878>.
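As an added illustration that is not part of this thread, the following Shorewall configuration fragments put both suggestions side by side: Jerry's per-host and per-destination REJECT rules, and Paul's dedicated zone with a CONTINUE policy so that everything except port 80 falls through to the ordinary loc->net handling. The zone name badweb, the interface names eth0/eth1, the placeholder external address 203.0.113.10 (standing in for Jerry's "badip"), and the column layout (Shorewall 2.x style file headers) are assumptions; compare them against the headers of the files in your own installation.

```text
# /etc/shorewall/zones  (assumed layout; badweb is listed before loc so the
# more specific zone wins for hosts that belong to both)
#ZONE    DISPLAY      COMMENTS
net      Net          Internet
badweb   BadWeb       Local hosts denied outbound web access
loc      Local        Local network

# /etc/shorewall/interfaces  (interface names are assumptions)
#ZONE    INTERFACE    BROADCAST    OPTIONS
net      eth0         detect
loc      eth1         detect

# /etc/shorewall/hosts  (membership of the restricted zone; add more hosts here)
#ZONE    HOST(S)                  OPTIONS
badweb   eth1:192.168.6.50

# /etc/shorewall/policy  (first match wins, so the badweb entry comes first;
# CONTINUE lets traffic not rejected in rules fall through to loc->net)
#SOURCE  DEST    POLICY    LOG LEVEL
badweb   net     CONTINUE
loc      net     ACCEPT
net      all     DROP      info
all      all     REJECT    info

# /etc/shorewall/rules
#ACTION  SOURCE              DEST                  PROTO   DEST PORT(S)
# Option 1 (Jerry): block one internal host's outbound HTTP
REJECT   loc:192.168.6.50    net                   tcp     80
# Option 1 (Jerry): block outbound HTTP to one external address
# (203.0.113.10 is a documentation placeholder; this also blocks every
# other site hosted on that address, hence the Squid suggestion above)
REJECT   loc                 net:203.0.113.10      tcp     80
# Option 2 (Paul): block outbound HTTP for every host in the badweb zone
REJECT   badweb              net                   tcp     80
```

Run `shorewall check` before `shorewall restart` to catch column mistakes. Landy's second half of the first question, blocking the returning packets, needs no separate rule: netfilter's connection tracking only admits reply packets for connections that were accepted in the first place, so a connection that never gets past the REJECT has no return traffic to block. What the firewall does not do is tear down a connection that was already established before the rule was loaded, which is the case Jerry's pointer to cutter covers.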