Hi all,

I need to block a range of IPs (for example 192.168.2.50 - 192.168.2.60), but I can't seem to figure out how to do that. I've got a blacklist file that I use to add single addresses, but when it comes to ranges - it is inconvenient to list all IPs one by one, and I didn't understand the docs on this subject. Can someone help me?

Thanks!

JP

George wrote:
> Hi all,
>
> I need to block a range of IPs (for example 192.168.2.50 - 192.168.2.60),
> but I can't seem to figure out how to do that. I've got a blacklist
> file that I use to add single addresses, but when it comes to ranges -
> it is inconvenient to list all IPs one by one, and I didn't understand
> the docs on this subject. Can someone help me?
>

Shorewall 3.4 allows you to simply include the range as 192.168.2.50-192.168.2.60 (notice that no embedded space is allowed). I just uploaded 3.4.1 to http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.1/ and that version is preferred over 3.4.0, which has a number of issues.

Otherwise, use the "shorewall iprange" command to convert the range into a series of networks:

    root@lists:~/shorewall-3.4.1# shorewall iprange 192.168.2.50-192.168.2.60
    192.168.2.50/31
    192.168.2.52/30
    192.168.2.56/30
    192.168.2.60
    root@lists:~/shorewall-3.4.1#

You would then add 4 records to /etc/shorewall/blacklist with the above four networks.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key

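The range-to-network split shown in the `shorewall iprange` output in Tom's reply above, as an added Python example that is not part of the thread and not Shorewall's own code. The function names, the sample entries and the assumption that the first whitespace-separated column of a blacklist line holds the address are illustrative.

```python
import ipaddress

def range_to_networks(spec):
    """Split 'first-last' into the fewest CIDR networks covering exactly it."""
    first_s, sep, last_s = spec.partition("-")
    if not sep or any(c.isspace() for c in spec):
        raise ValueError(f"expected first-last with no spaces: {spec!r}")
    first = int(ipaddress.IPv4Address(first_s))
    last = int(ipaddress.IPv4Address(last_s))
    if first > last:
        raise ValueError(f"range runs backwards: {spec!r}")
    nets = []
    while first <= last:
        # Largest block that can start at 'first': its lowest set bit.
        size = first & -first if first else 1 << 32
        # Halve it until it no longer runs past 'last'.
        while size > last - first + 1:
            size >>= 1
        prefix = 33 - size.bit_length()
        addr = str(ipaddress.IPv4Address(first))
        # As in the iprange output quoted above, a lone host gets no /32.
        nets.append(addr if prefix == 32 else f"{addr}/{prefix}")
        first += size
    return nets

def expand_blacklist(lines):
    """Replace range entries with networks; other lines pass through."""
    out = []
    for line in lines:
        fields = line.split()
        # Assumption: column 1 is the address; '#' starts a comment and
        # '~' starts a MAC address (which also contains hyphens).
        if not fields or fields[0][0] in "#~" or "-" not in fields[0]:
            out.append(line)
            continue
        rest = " ".join(fields[1:])
        out.extend(f"{net} {rest}".rstrip() for net in range_to_networks(fields[0]))
    return out

# Constructed sample entries, not taken from the thread's firewall.
SAMPLE = ["# ADDRESS/SUBNET", "10.0.0.7", "192.168.2.50-192.168.2.60"]

if __name__ == "__main__":
    print("\n".join(expand_blacklist(SAMPLE)))
```

A range written with embedded spaces, as in the original question, is rejected with a `ValueError` rather than silently reinterpreted.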
Can someone help me with this?

_____
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of George
Sent: Thursday, March 15, 2007 9:59 AM
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] Blocking IP range (shorewall v3.0)

George wrote:
> Can someone help me with this?

I responded yesterday!!!!

-Tom

Hi JP,

It's Ahmed here. The problem you wrote about seems to have its roots in an old version of the host OS installed. Can you elaborate a little more on which OS and version/build you are using? I had the same problem when I was operating Shorewall under Redhat Linux 9. What I figured out was that the IPTABLES in that Linux build didn't have the capability for IP range matching. I googled for a solution and found that more advanced releases of Linux OSs have this capability, so I installed Fedora Core 4 and the same rules worked just great. It goes like this, if you want to allow only IPs from 4.51 to 4.79 to access the internet zone:

    ACCEPT loc:192.168.4.51-192.168.4.79 net

Hope this helps.

Regards,

Asim Ahmed
IT Manager.
Folio3

On 3/17/07, George <grandpimp@cox.net> wrote:
> Can someone help me with this?

Hi!

Well, I'm running Gentoo-r5 with 2.6.14 kernel on x86 architecture with Shorewall 3.0.8. I'm sure all the right modules/kernel features are enabled, but I can't figure out the syntax of the line to block a range in my "blacklist" file. Do I just add this in there?:

    192.168.4.51-192.168.4.79

Thanks for the help.

JP

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Asim Ahmed Khan
Sent: Saturday, March 17, 2007 12:29 AM
To: Shorewall Users
Subject: Re: [Shorewall-users] Blocking IP range (shorewall v3)

To quote the documentation for /etc/shorewall/rules:

SOURCE
<snip>
    subnet refers to a connection request from any host in the specified subnet (example net:155.186.235.0/24).

    IP address ranges of the form <first address>-<last address> may be specified. This requires that your kernel and iptables have iprange match support.

HTH
Will