HI.

My plan is to limit the IP address 192.168.3.150 to the local zone only.

First my policy:

loc all ACCEPT
fw all ACCEPT
net all DROP
all all REJECT

and my rules

ACCEPT net fw icmp
ACCEPT net fw tcp 80
#ACCEPT net fw tcp 20
#ACCEPT net fw tcp 21
ACCEPT net fw tcp ssh
ACCEPT net fw tcp 49160:49300

when I add the rule

REJECT loc:192.168.3.150 net all -

and refresh Shorewall of course, nothing happens. He can still access the Internet with the given IP.
I would be even happier if I could limit him by his MAC address but that's not too important.

So please tell me what I got wrong.

Toralf

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
On Wednesday 21 March 2007 at 09:00 +0100, Toralf Niebuhr wrote:
> HI.
>
> My plan is to limit the IP address 192.168.3.150 to the local zone only.
>
> First my policy:
>
> =====>>>>>>>>>>> loc all ACCEPT
Policies override any rules !!!
should use reject/drop instead
and allow some traffic in rules
> fw all ACCEPT
> net all DROP
> all all REJECT
>
> and my rules
>
> ACCEPT net fw icmp
> ACCEPT net fw tcp 80
> #ACCEPT net fw tcp 20
> #ACCEPT net fw tcp 21
> ACCEPT net fw tcp ssh
> ACCEPT net fw tcp 49160:49300
>
> when I add the rule
>
> REJECT loc:192.168.3.150 net all -
>
> and refresh Shorewall of course, nothing happens. He can still access
> the Internet with the given IP.
> I would be even happier if I could limit him by his MAC address but
> that's not too important.
>
> So please tell me what I got wrong.
>
> Toralf

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
The order of the rules matters!

Make sure that the reject rule comes before
> loc all ACCEPT
> fw all ACCEPT
> net all DROP
> all all REJECT

Please resend with relevant details as given in the shorewall.net troubleshooting link.

Prasanna.
On Wed, Mar 21, 2007 at 09:28:25AM +0100, Tristan DEFERT wrote:
> On Wednesday 21 March 2007 at 09:00 +0100, Toralf Niebuhr wrote:
> > HI.
> >
> > My plan is to limit the IP address 192.168.3.150 to the local zone only.
> >
> > First my policy:
> >
> > =====>>>>>>>>>>> loc all ACCEPT
> Policies override any rules !!!
> should use reject/drop instead
> and allow some traffic in rules
>

Actually, all that does is allow all outbound traffic from the local zone.
If you change that to DROP or REJECT, then you must enable all outbound
traffic on a case-by-case basis. That is usually not what people want.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Tristan DEFERT wrote:
> On Wednesday 21 March 2007 at 09:00 +0100, Toralf Niebuhr wrote:
>> HI.
>>
>> My plan is to limit the IP address 192.168.3.150 to the local zone only.
>>
>> First my policy:
>>
>> =====>>>>>>>>>>> loc all ACCEPT
> Policies override any rules !!!

Nonsense!! Policies are default rules which get applied when a new
connection doesn't match any of the rules.

-Tom

-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
On Wed, 2007-03-21 at 14:04 +0530, Prasanna Krishnamoorthy wrote:
> The order of the rules matters!
>
> Make sure that the reject rule comes before
> > loc all ACCEPT
> > fw all ACCEPT
> > net all DROP
> > all all REJECT

While you are correct that the order of rules is important, the above
are *policies* -- which always apply after rules.

karsten

-- 
[ESR] Eric S. Raymond: "How To Ask Questions The Smart Way"
      http://www.catb.org/~esr/faqs/smart-questions.html
[SGT] Simon G. Tatham: "How to Report Bugs Effectively"
      http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
> I would be even happier if I could limit him by his MAC address but
> that's not too important.

See the documentation for rules for how MAC addresses are noted in
Shorewall, and how to use them in rules.

REJECT loc:~00-A0-C9-15-39-78 net

karsten

-- 
[ESR] Eric S. Raymond: "How To Ask Questions The Smart Way"
      http://www.catb.org/~esr/faqs/smart-questions.html
[SGT] Simon G. Tatham: "How to Report Bugs Effectively"
      http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
Tristan DEFERT wrote:
>> ...
>> Policies override any rules !!!
>> ...

Tom Eastep wrote:
> ...
>
> Nonsense!! Policies are default rules which get applied when a new
> connection doesn't match any of the rules.

Or to say it another way:
- rules are exceptions to policies

-- 
Paul <http://paulgear.webhop.net>
-- 
Did you know? If you use two dashes followed by a space as your
signature separator, good email programs will chop them off
automatically, reducing noise in email replies.
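To make the point of the last few replies concrete ("rules are exceptions to policies"; policies apply only when no rule matched), here is an added example that is not part of the thread and not Shorewall's own code: a small Python model of how Shorewall decides the fate of a NEW connection. It parses the poster's policy and rules in Shorewall's column layout, with the REJECT rule included both in the IP form from the question and in the MAC form from Karsten's reply, walks the rules in file order, and falls back to the first matching policy. The zone names, addresses and MAC are the ones from the thread; the service-name table, the `Conn` type and the test connections are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

SERVICE_PORTS = {"ssh": 22, "http": 80}   # assumed subset of /etc/services


@dataclass
class Conn:
    src_zone: str                  # a NEW connection as the firewall sees it
    src_ip: str
    dst_zone: str
    proto: str                     # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    src_mac: Optional[str] = None  # only known for hosts on a directly attached LAN


def parse_ports(spec: str) -> Optional[Tuple[int, int]]:
    """'80', 'ssh' or '49160:49300' -> (lo, hi); '-' means any port."""
    if spec == "-":
        return None
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return int(lo), int(hi)
    port = int(spec) if spec.isdigit() else SERVICE_PORTS[spec]
    return port, port


def parse_endpoint(spec: str):
    """'loc', 'loc:192.168.3.150' or 'loc:~00-A0-C9-15-39-78' -> (zone, net, mac)."""
    zone, _, qual = spec.partition(":")
    if qual.startswith("~"):                    # Shorewall's MAC notation
        return zone, None, qual[1:].replace("-", ":").lower()
    return zone, (ipaddress.ip_network(qual, strict=False) if qual else None), None


def endpoint_matches(ep, zone: str, ip: Optional[str], mac: Optional[str]) -> bool:
    ez, net, emac = ep
    if ez not in ("all", zone):
        return False
    if net is not None and (ip is None or ipaddress.ip_address(ip) not in net):
        return False
    if emac is not None and (mac is None or mac.replace("-", ":").lower() != emac):
        return False
    return True


def columns(text: str):
    for raw in text.splitlines():               # skip blank and comment lines
        cols = raw.split("#", 1)[0].split()
        if cols:
            yield cols


def parse_rules(text: str):
    """ACTION SOURCE DEST [PROTO [DEST PORT(S)]]; evaluated top to bottom."""
    rules = []
    for cols in columns(text):
        cols += ["-"] * (5 - len(cols))         # pad missing PROTO / PORT columns
        action, src, dst, proto, ports = cols[:5]
        rules.append((action, parse_endpoint(src), parse_endpoint(dst), proto, parse_ports(ports)))
    return rules


def parse_policies(text: str):
    """SOURCE DEST POLICY; consulted only when no rule matched."""
    return [tuple(cols[:3]) for cols in columns(text)]


def rule_matches(rule, c: Conn) -> bool:
    _, src, dst, proto, ports = rule
    return (endpoint_matches(src, c.src_zone, c.src_ip, c.src_mac)
            and endpoint_matches(dst, c.dst_zone, None, None)
            and (proto in ("-", "all") or proto == c.proto)
            and (ports is None or (c.dport is not None and ports[0] <= c.dport <= ports[1])))


def decide(rules, policies, c: Conn):
    """Return (verdict, 'rule' or 'policy', index of the entry that decided)."""
    for i, rule in enumerate(rules):                 # rules are the exceptions
        if rule_matches(rule, c):
            return rule[0], "rule", i
    for i, (sz, dz, action) in enumerate(policies):  # policies are the defaults
        if sz in ("all", c.src_zone) and dz in ("all", c.dst_zone):
            return action, "policy", i
    raise ValueError("no policy matched; Shorewall requires a catch-all policy")


# Constructed input: the poster's policy and rules, plus the REJECT rule in the
# IP form from the question and the MAC form from Karsten's reply.
RULES = parse_rules("""
# ACTION  SOURCE                  DEST  PROTO  DEST PORT(S)
REJECT    loc:192.168.3.150       net   all
REJECT    loc:~00-A0-C9-15-39-78  net   all
ACCEPT    net                     fw    icmp
ACCEPT    net                     fw    tcp    80
ACCEPT    net                     fw    tcp    ssh
ACCEPT    net                     fw    tcp    49160:49300
""")
POLICIES = parse_policies("""
loc       all   ACCEPT
fw        all   ACCEPT
net       all   DROP
all       all   REJECT
""")
```

`decide(RULES, POLICIES, Conn("loc", "192.168.3.150", "net", "tcp", 80))` returns `("REJECT", "rule", 0)`, while the same connection from 192.168.3.20 reaches the `loc all ACCEPT` policy; if the restricted host simply changes its IP but keeps its NIC, the MAC rule still rejects it (MAC matching only works for hosts on a directly attached interface, since the MAC is lost across a router). Like Shorewall's rules and policies, the model looks only at new connections, so test the change with a fresh connection rather than one the host already had open when the rule was added.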