I am using shorewall 2.0.15

How can I negate some addresses from a zone REDIRECT? My firewall is set up for VLANs. Each VLAN is a subnet in the 192.168.x.x/24 range. It seems that either VLAN is not compatible with some Microsoft product like Outlook webmail (MTU problems) or doesn't work well with transparent proxying of HTTP requests, therefore I need to not REDIRECT some of those subnets to my squid HTTP cache.

Right now I have something like that:

REDIRECT vlan:!192.168.213.0/24 3128 tcp http
REDIRECT vlan:!192.168.252.0/24 3128 tcp http
REDIRECT vlan:!192.168.204.0/24 3128 tcp http
REDIRECT vlan:!192.168.224.0/24 3128 tcp http

It works for the very first line but not for the rest, which seems logical. I tried writing it like that:

REDIRECT vlan:!192.168.213.0/24,!192.168.252.0/24,!192.168.204.0/24,!192.168.224.0/24 3128 tcp http

(sorry about wrapping, should read on one line) but it doesn't seem to work either.

I have been thinking about making it a special zone, but don't know how to negate a zone.

Any help appreciated

Regards

Pascal
Pascal DeMilly wrote:
> I am using shorewall 2.0.15
>
> How can I negate some addresses from a zone REDIRECT? My firewall is set up for
> VLANs. Each VLAN is a subnet in the 192.168.x.x/24 range. It seems that
> either VLAN is not compatible with some Microsoft product like Outlook
> webmail (MTU problems) or doesn't work well with transparent proxying of HTTP
> requests, therefore I need to not REDIRECT some of those subnets to my squid
> HTTP cache.
>
> Right now I have something like that:
>
> REDIRECT vlan:!192.168.213.0/24 3128 tcp http
> REDIRECT vlan:!192.168.252.0/24 3128 tcp http
> REDIRECT vlan:!192.168.204.0/24 3128 tcp http
> REDIRECT vlan:!192.168.224.0/24 3128 tcp http
>
> It works for the very first line but not for the rest, which seems logical. I
> tried writing it like that:
>
> REDIRECT
> vlan:!192.168.213.0/24,!192.168.252.0/24,!192.168.204.0/24,!192.168.224.0/24
> 3128 tcp http
>
> (sorry about wrapping, should read on one line) but it doesn't seem to work
> either.
>
> I have been thinking about making it a special zone, but don't know how to
> negate a zone.
>
> Any help appreciated

If you make the four networks a separate nested zone "vlan1" then you can write:

REDIRECT vlan!vlan1 3128 tcp http

Alternatively, you can code:

/etc/shorewall/params:

VLAN1=192.168.213/24,192.168.242.0/24,192.168.204.0/24,192.168.224.0/24

/etc/shorewall/rules:

NONAT vlan:$VLAN1 net tcp http
REDIRECT vlan 3128 tcp http

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
>
> If you make the four networks a separate nested zone "vlan1" then you can write:
>
> REDIRECT vlan!vlan1 3128 tcp http
>

Sorry -- the above is nonsense (I was confusing rules and masq syntax). The second approach that I described will work though.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Tom Eastep wrote:
>
>> If you make the four networks a separate nested zone "vlan1" then you can write:
>>
>> REDIRECT vlan!vlan1 3128 tcp http
>>
>
> Sorry -- the above is nonsense (I was confusing rules and masq syntax).
> The second approach that I described will work though.
>

AAARGGHHH! Turns out I did implement the above syntax. Don't mind me....

-Tom

PS -- for those of you running 2.5.1, the above syntax currently produces a startup error. That is a bug.
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom, thanks for your answer. I forgot about NONAT. Works like a charm.

As always, great software, great support.

Regards

Pascal

On Wednesday 10 August 2005 4:00 pm, Tom Eastep wrote:
> Pascal DeMilly wrote:
> > I am using shorewall 2.0.15
> >
> > How can I negate some addresses from a zone REDIRECT? My firewall is set
> > up for VLANs. Each VLAN is a subnet in the 192.168.x.x/24 range. It seems
> > that either VLAN is not compatible with some Microsoft product like
> > Outlook webmail (MTU problems) or doesn't work well with transparent
> > proxying of HTTP requests, therefore I need to not REDIRECT some of those
> > subnets to my squid HTTP cache.
> >
> > Right now I have something like that:
> >
> > REDIRECT vlan:!192.168.213.0/24 3128 tcp http
> > REDIRECT vlan:!192.168.252.0/24 3128 tcp http
> > REDIRECT vlan:!192.168.204.0/24 3128 tcp http
> > REDIRECT vlan:!192.168.224.0/24 3128 tcp http
> >
> > It works for the very first line but not for the rest, which seems logical.
> > I tried writing it like that:
> >
> > REDIRECT
> > vlan:!192.168.213.0/24,!192.168.252.0/24,!192.168.204.0/24,!192.168.224.0
> > /24 3128 tcp http
> >
> > (sorry about wrapping, should read on one line) but it doesn't seem to
> > work either.
> >
> > I have been thinking about making it a special zone, but don't know how
> > to negate a zone.
> >
> > Any help appreciated
>
> If you make the four networks a separate nested zone "vlan1" then you can
> write:
>
> REDIRECT vlan!vlan1 3128 tcp http
>
> Alternatively, you can code:
>
> /etc/shorewall/params:
>
> VLAN1=192.168.213/24,192.168.242.0/24,192.168.204.0/24,192.168.224.0/24
>
> /etc/shorewall/rules:
>
> NONAT vlan:$VLAN1 net tcp http
> REDIRECT vlan 3128 tcp http
>
> -Tom
> --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
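The thread never spells out why the four negated REDIRECT lines fail and the NONAT-then-REDIRECT pair works, so the following is an added illustration, written for this page and not taken from the thread or from Shorewall's own code. It is a small Python model that walks a rules list top to bottom with first-match semantics, which is the assumption this example makes about how the generated nat rules are evaluated. The `PARAMS` dictionary stands in for Tom's /etc/shorewall/params entry (spelled out with full network addresses, using Pascal's four subnets), and `decide()` reports which rule claims a port-80 packet from a given client. With one negated line per excluded subnet, a client in 192.168.252.0/24 is already redirected by the first line (it is not in 192.168.213.0/24), so every later exclusion is dead; with NONAT listed first, all four subnets are exempted before the catch-all REDIRECT is reached.

```python
import ipaddress

# Constructed stand-in for /etc/shorewall/params (assumed layout, Pascal's subnets).
PARAMS = {
    "VLAN1": "192.168.213.0/24,192.168.252.0/24,192.168.204.0/24,192.168.224.0/24",
}

# Pascal's original attempt: one REDIRECT line per subnet to exclude.
RULES_NEGATED = [
    "REDIRECT vlan:!192.168.213.0/24 3128 tcp http",
    "REDIRECT vlan:!192.168.252.0/24 3128 tcp http",
    "REDIRECT vlan:!192.168.204.0/24 3128 tcp http",
    "REDIRECT vlan:!192.168.224.0/24 3128 tcp http",
]

# Tom's working alternative: exempt the four subnets first, then redirect the rest.
RULES_NONAT = [
    "NONAT vlan:$VLAN1 net tcp http",
    "REDIRECT vlan 3128 tcp http",
]


def expand(source, params):
    """Split a SOURCE column ('zone', 'zone:net', 'zone:!net', 'zone:$VAR') into
    (zone, negate, [networks]). An empty network list means 'any address in the zone'."""
    zone, _, nets = source.partition(":")
    for name, value in params.items():
        nets = nets.replace("$" + name, value)
    negate = nets.startswith("!")
    nets = nets.lstrip("!")
    networks = [ipaddress.ip_network(n) for n in nets.split(",") if n]
    return zone, negate, networks


def source_matches(ip, negate, networks):
    """True when the packet's source address satisfies the SOURCE column."""
    if not networks:
        return True
    inside = any(ip in net for net in networks)
    return not inside if negate else inside


def decide(client, rules, params=PARAMS):
    """Walk the rules top to bottom; the first matching rule decides the packet's fate.
    Returns the ACTION of that rule, or 'ACCEPT' when no nat rule matched (plain routing)."""
    ip = ipaddress.ip_address(client)
    for line in rules:
        action, source, *_rest = line.split()
        _zone, negate, networks = expand(source, params)
        if source_matches(ip, negate, networks):
            return action
    return "ACCEPT"


if __name__ == "__main__":
    for client in ("192.168.213.10", "192.168.252.10", "192.168.1.10"):
        print(client,
              "negated lines ->", decide(client, RULES_NEGATED),
              "| NONAT first ->", decide(client, RULES_NONAT))
```

Running the block shows every client, exempt subnet or not, ending up in REDIRECT under the negated-lines layout, while the NONAT layout returns NONAT for the four subnets and REDIRECT only for everything else. The same first-match reasoning is worth keeping in mind whenever an exemption is expressed as a chain of negations: each negated line independently matches everything outside its own subnet, so only the first one ever fires.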