Hello.

I have an e-mail server running at my firewall box and I want to drop connections from an IP address in the local network.

IP of the firewall: 128.1.1.161
IP I want to block: 128.1.1.1

I don't want that IP (128.1.1.1) to connect to my local mail server to send or receive e-mail.

I have tried this rule, but it doesn't work for me:

DROP    loc:128.1.1.1    fw    tcp    25,110

Can someone help me?

Thanks,
Wilson

Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier. Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Wilson A. Galafassi Jr. wrote:
> Hello.
> I have an e-mail server running at my firewall box and I want to drop
> connections from an IP address in the local network.
>
> IP of the firewall: 128.1.1.161
> IP I want to block: 128.1.1.1
>
> I don't want that IP (128.1.1.1) to connect to my local mail server to send or
> receive e-mail.
>
> I have tried this rule, but it doesn't work for me:
>
> DROP    loc:128.1.1.1    fw    tcp    25,110
>
> Can someone help me?

Where is your mail server and what is its IP address?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Wilson A. Galafassi Jr. wrote:
>> Hello.
>> I have an e-mail server running at my firewall box and I want to drop
>> connections from an IP address in the local network.
>>

Sorry -- I guess "at my firewall box" means that the mail server (and apparently the POP server) are running on the same system as Shorewall.

>> IP of the firewall: 128.1.1.161
>> IP I want to block: 128.1.1.1
>>
>> I don't want that IP (128.1.1.1) to connect to my local mail server to send or
>> receive e-mail.
>>
>> I have tried this rule, but it doesn't work for me:
>>
>> DROP    loc:128.1.1.1    fw    tcp    25,110
>>
>> Can someone help me?
>
> Where is your mail server and what is its IP address?

So instead of that question, let me ask:

a) What other rules for TCP ports 25 and 110 do you have?

b) Do they come before or after the rule that you posted above? (Remember that entries in the rules file are order-sensitive and the first match determines the outcome.)

-Tom
The mail server is running on the same box as the firewall (128.1.1.161). I want to block all communications from the IP 128.1.1.1 to port 25/100.

Thanks,
Wilson

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On behalf of Tom Eastep
Sent: Friday, 30 June 2006 17:27
To: Shorewall Users
Subject: Re: [Shorewall-users] rule doesn't work

> Where is your mail server and what is its IP address?
>
> -Tom
Only to confirm: the POP and SMTP servers run on the same box as the firewall (128.1.1.161) and I want to block the IP 128.1.1.1 so that it cannot connect to those ports.

Thanks,
Wilson

All rules in my rules file:

#ACTION   SOURCE                               DEST            PROTO  DEST     SOURCE   ORIGINAL  RATE   USER/
#                                                                     PORT     PORT(S)  DEST      LIMIT  GROUP
SECTION NEW
#
# Accept DNS connections from the firewall to the Internet
#
ACCEPT    fw                                   net             tcp    53
ACCEPT    fw                                   net             udp    53
# Allow local DNS
AllowDNS  loc                                  fw
#
# Accept internal SSH from Internet to Firewall
ACCEPT    net                                  fw              tcp    22
# Accept SSH netserver from Internet to Firewall
ACCEPT    net                                  fw              tcp    999
#
# Remote SSH #EXTERNAL#
DNAT      net:200.175.102.220,200.175.100.64   loc:128.1.1.1   tcp    22
DROP      loc:128.1.1.1                        fw              tcp    25,110
#
# Make ping work bi-directionally between the dmz, net, Firewall and local zone
# (assumes that the loc->net policy is ACCEPT).
#
ACCEPT    net                                  fw              icmp   8
ACCEPT    loc                                  fw              icmp   8
ACCEPT    fw                                   net             icmp
ACCEPT    fw                                   loc             icmp
ACCEPT    net                                  loc             icmp   8
# static NAT
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On behalf of Tom Eastep
Sent: Friday, 30 June 2006 17:36
To: Shorewall Users
Subject: Re: [Shorewall-users] rule doesn't work

> So instead of that question, let me ask:
>
> a) What other rules for TCP ports 25 and 110 do you have?
>
> b) Do they come before or after the rule that you posted above? (Remember that
> entries in the rules file are order-sensitive and the first match determines
> the outcome.)
>
> -Tom
Wilson A. Galafassi Jr. wrote:
> Only to confirm: the POP and SMTP servers run on the same box as the firewall
> (128.1.1.161) and I want to block the IP 128.1.1.1 so that it cannot connect to
> those ports.
>
> All rules in my rules file:
>
> #ACTION   SOURCE                               DEST            PROTO  DEST     SOURCE   ORIGINAL  RATE   USER/
> #                                                                     PORT     PORT(S)  DEST      LIMIT  GROUP
> SECTION NEW
> #
> # Accept DNS connections from the firewall to the Internet
> #
> ACCEPT    fw                                   net             tcp    53
> ACCEPT    fw                                   net             udp    53
> # Allow local DNS
> AllowDNS  loc                                  fw
> #
> # Accept internal SSH from Internet to Firewall
> ACCEPT    net                                  fw              tcp    22
> # Accept SSH netserver from Internet to Firewall
> ACCEPT    net                                  fw              tcp    999
> #
> # Remote SSH #EXTERNAL#
> DNAT      net:200.175.102.220,200.175.100.64   loc:128.1.1.1   tcp    22
> DROP      loc:128.1.1.1                        fw              tcp    25,110
> #
> # Make ping work bi-directionally between the dmz, net, Firewall and local zone
> # (assumes that the loc->net policy is ACCEPT).
> #
> ACCEPT    net                                  fw              icmp   8
> ACCEPT    loc                                  fw              icmp   8
> ACCEPT    fw                                   net             icmp
> ACCEPT    fw                                   loc             icmp
> ACCEPT    net                                  loc             icmp   8
> # static NAT
> #
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

I assume that you have a loc->fw ACCEPT policy then.

I see nothing wrong with those rules -- so I guess the next thing is to:

a) shorewall reset
b) Connect from 128.1.1.1 to TCP port 25 on the firewall
c) shorewall dump > /tmp/dump.txt
d) Post /tmp/dump.txt as an attachment

-Tom
Tom Eastep wrote:
>
> I see nothing wrong with those rules -- so I guess the next thing is to:
>
> a) shorewall reset
> b) Connect from 128.1.1.1 to TCP port 25 on the firewall
> c) shorewall dump > /tmp/dump.txt
> d) Post /tmp/dump.txt as an attachment

Be sure to create a new connection, e.g., something like "telnet 128.1.1.161 25". Because Shorewall creates a stateful firewall, changing your rules doesn't affect existing connections.

-Tom
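The two points Tom makes in this thread (rules are evaluated in order and the first match decides; an established connection never reaches the rules, so a newly added DROP does not cut an open session) can be checked against the posted rules file with a small first-match model. The following is an added example for this thread; it is not Shorewall's own code and was not posted by either participant. It parses only the six columns Wilson used (ACTION, SOURCE, DEST, PROTO, DEST PORT, with optional host lists), expands the AllowDNS macro with an assumed simplified definition (tcp/udp 53 only), assumes the loc->fw policy is ACCEPT as Tom does, and approximates DNAT by matching the DEST column as the post-NAT destination. With the posted order, the 128.1.1.1 -> fw:25 connection lands on the DROP rule; with an ACCEPT for the same ports placed earlier the DROP is never reached; and a session that was already open when the rule was added still passes.

```python
"""First-match model of a Shorewall rules file (added example, not Shorewall code)."""
from dataclasses import dataclass
import ipaddress

# Constructed from the rules file quoted in the thread; comments dropped.
RULES_FILE = """
ACCEPT    fw    net    tcp    53
ACCEPT    fw    net    udp    53
AllowDNS  loc   fw
ACCEPT    net   fw     tcp    22
ACCEPT    net   fw     tcp    999
DNAT      net:200.175.102.220,200.175.100.64   loc:128.1.1.1   tcp   22
DROP      loc:128.1.1.1   fw   tcp   25,110
ACCEPT    net   fw     icmp   8
ACCEPT    loc   fw     icmp   8
ACCEPT    fw    net    icmp
ACCEPT    fw    loc    icmp
ACCEPT    net   loc    icmp   8
"""

# Assumed zone policies: the thread assumes loc->fw is ACCEPT. Any zone pair
# not listed here falls back to DROP in this model.
POLICIES = {("loc", "fw"): "ACCEPT", ("fw", "net"): "ACCEPT", ("fw", "loc"): "ACCEPT"}

# Assumed, simplified expansion of the AllowDNS macro: DNS ports only.
MACROS = {"AllowDNS": [("ACCEPT", "udp", "53"), ("ACCEPT", "tcp", "53")]}


@dataclass
class Rule:
    action: str
    src_zone: str
    src_hosts: set          # empty set = the whole zone
    dst_zone: str
    dst_hosts: set
    proto: str              # "-" = any protocol
    dports: set             # empty set = any port (for ICMP: any type)


@dataclass
class Conn:
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_ip: str
    proto: str
    dport: int
    established: bool = False   # True for a session conntrack already knows


def _endpoint(col):
    """'loc:128.1.1.1,10.0.0.0/8' -> ('loc', {'128.1.1.1', '10.0.0.0/8'})."""
    zone, _, hosts = col.partition(":")
    return zone, set(hosts.split(",")) if hosts else set()


def parse_rules(text):
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        action, (sz, sh), (dz, dh) = cols[0], _endpoint(cols[1]), _endpoint(cols[2])
        proto = cols[3] if len(cols) > 3 else "-"
        dport = cols[4] if len(cols) > 4 else "-"
        if action in MACROS:
            for act, p, dp in MACROS[action]:
                rules.append(Rule(act, sz, sh, dz, dh, p, set(dp.split(","))))
        else:
            ports = set() if dport == "-" else set(dport.split(","))
            rules.append(Rule(action, sz, sh, dz, dh, proto, ports))
    return rules


def _host_ok(hosts, ip):
    """Empty host list means the whole zone; otherwise any listed address or CIDR block."""
    if not hosts:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(h, strict=False) for h in hosts)


def matches(rule, c):
    return (rule.src_zone == c.src_zone and rule.dst_zone == c.dst_zone
            and _host_ok(rule.src_hosts, c.src_ip)
            and _host_ok(rule.dst_hosts, c.dst_ip)
            and rule.proto in ("-", c.proto)
            and (not rule.dports or str(c.dport) in rule.dports))


def evaluate(rules, c, policies=POLICIES):
    """Return (verdict, matched rule or None).

    Established traffic bypasses the rules (stateful firewall); for a new
    connection the first matching rule decides; with no match the zone policy applies."""
    if c.established:
        return "ACCEPT", None
    for r in rules:
        if matches(r, c):
            return r.action, r
    return policies.get((c.src_zone, c.dst_zone), "DROP"), None


if __name__ == "__main__":
    rules = parse_rules(RULES_FILE)
    smtp = Conn("loc", "128.1.1.1", "fw", "128.1.1.161", "tcp", 25)
    print("posted order:    ", evaluate(rules, smtp)[0])       # DROP
    # Same DROP rule, but an ACCEPT for those ports placed before it: never reached.
    reordered = parse_rules("ACCEPT loc fw tcp 25,110\n" + RULES_FILE)
    print("ACCEPT first:    ", evaluate(reordered, smtp)[0])   # ACCEPT
    # A session opened before the DROP was added is still passed by conntrack.
    old = Conn("loc", "128.1.1.1", "fw", "128.1.1.161", "tcp", 25, established=True)
    print("existing session:", evaluate(rules, old)[0])        # ACCEPT
```

The established-connection branch is the reason Tom insists on a fresh "telnet 128.1.1.161 25" after "shorewall reset": the counters only tell you which rule a new connection hit, and a client that kept its SMTP or POP session open across the rule change would keep working no matter what the rules say.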