Hi,

I've been looking for a solution to deny some special clients from accessing the internet by adding their IP to the blacklist. That works fine.

Now I'd like to allow access to my webserver in the DMZ. How to do this?

Thanks for the hint to the right documentation!

Regards

Götz Reinicke

--
Götz Reinicke
IT Coordinator
Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reinicke@filmakademie.de
Filmakademie Baden-Württemberg GmbH
Mathildenstr. 20
71638 Ludwigsburg
www.filmakademie.de
Registered at Amtsgericht Stuttgart HRB 205016
Chairman of the Supervisory Board: Dr. Christoph Palmer, MdL, Minister a.D.
Managing Director: Prof. Thomas Schadt

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Götz Reinicke wrote:
> Hi,
>
> I've been looking for a solution to deny some special clients from accessing
> the internet by adding their IP to the blacklist. That works fine.
>
> Now I'd like to allow access to my webserver in the DMZ. How to do this?

Don't use the blacklist for denying net access. Use "REJECT loc:<ip address list> net" rules instead.

> Thanks for the hint to the right documentation!

man shorewall-rules

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Götz Reinicke
2007-Nov-21 16:56 UTC
{Spam?} Re: Allow blacklisted hosts to access the dmz - how to
Tom Eastep wrote:
> Götz Reinicke wrote:
>> Hi,
>>
>> I've been looking for a solution to deny some special clients from accessing
>> the internet by adding their IP to the blacklist. That works fine.
>>
>> Now I'd like to allow access to my webserver in the DMZ. How to do this?
>
> Don't use the blacklist for denying net access. Use "REJECT loc:<ip address
> list> net" rules instead.

Thanks Tom! That's all the information I needed to do the changes!

Best regards

Götz
Götz Reinicke
2007-Nov-22 10:12 UTC
Re: Allow blacklisted hosts to access the dmz - how to
Tom Eastep wrote:
> Götz Reinicke wrote:
>> Hi,
>>
>> I've been looking for a solution to deny some special clients from accessing
>> the internet by adding their IP to the blacklist. That works fine.
>>
>> Now I'd like to allow access to my webserver in the DMZ. How to do this?
>
> Don't use the blacklist for denying net access. Use "REJECT loc:<ip address
> list> net" rules instead.

Hi,

where should the REJECT rules best be placed? At the top or bottom of the rules file? Or doesn't this matter?

Regards

Götz
Karsten Bräckelmann
2007-Nov-22 12:08 UTC
Rules ordering (was: Re: Allow blacklisted hosts to access the dmz - how to)
On Thu, 2007-11-22 at 11:12 +0100, Götz Reinicke wrote:
>>> I've been looking for a solution to deny some special clients from accessing
>>> the internet by adding their IP to the blacklist. That works fine.
>>>
>>> Now I'd like to allow access to my webserver in the DMZ. How to do this?
>>
>> Don't use the blacklist for denying net access. Use "REJECT loc:<ip address
>> list> net" rules instead.

> where should the REJECT rules best be placed? At the top or bottom of
> the rules file? Or doesn't this matter?

Before any other, more general rule that matches.

You can think of the rules as being evaluated in order [1]. The first rule that matches will be applied. Thus, if you have some fine-grained rules for particular IPs or MAC addresses, just be sure to have them before more general rules, if any.

Other than that, the order doesn't make much [2] of a difference. Feel free to keep them organized by zones, ports/services, clustered in logical units.

karsten

[1] Which of course is true only with the constraint of matching SOURCE and DEST zones.

[2] However, within z1:z2 rules, all these rules need to be checked until there is a match or ultimately a policy will be enforced. Thus, if you expect http traffic almost exclusively and ssh occasionally, it may make sense to place the http rule first. That way, the majority of connections need to be checked against a single rule only.

--
[ESR] Eric S. Raymond: "How To Ask Questions The Smart Way"
http://www.catb.org/~esr/faqs/smart-questions.html
[SGT] Simon G. Tatham: "How to Report Bugs Effectively"
http://www.chiark.greenend.org.uk/~sgtatham/bugs.html

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
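An added example, not from the thread or the Shorewall project: a small Python model of first-match evaluation over a constructed Shorewall-style rules fragment, showing why the "REJECT loc:<ip list> net" lines must sit above the general ACCEPT for loc->net, and why they leave loc->dmz web access untouched. The zone names, IP addresses and the simplified column handling are assumptions for illustration; real Shorewall parsing and policies are richer than this.

```python
# Constructed rules fragment in the order the thread recommends:
# per-host REJECT first, then the specific and general ACCEPTs.
RULES = """
# ACTION   SOURCE                    DEST   PROTO  DEST PORT
REJECT     loc:192.0.2.10,192.0.2.11 net
ACCEPT     loc                       dmz    tcp    80,443
ACCEPT     loc                       net
"""

def parse_rules(text):
    """Parse 'ACTION SOURCE DEST [PROTO [PORTS]]' lines (simplified model)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments / blanks
        if not line:
            continue
        parts = line.split()
        zone, _, hosts = parts[1].partition(":")  # 'loc:a,b' -> zone + host list
        rules.append({
            "action": parts[0], "zone": zone,
            "hosts": hosts.split(",") if hosts else [],
            "dest": parts[2],
            "proto": parts[3] if len(parts) > 3 else "-",
            "ports": parts[4].split(",") if len(parts) > 4 else [],
        })
    return rules

def evaluate(rules, src_zone, src_ip, dst_zone, proto, port, policy="DROP"):
    """Return the ACTION of the first matching rule, else the (assumed) policy.
    Only rules for the same SOURCE/DEST zone pair are considered, which is
    the constraint Karsten's footnote [1] describes."""
    for r in rules:
        if r["zone"] != src_zone or r["dest"] != dst_zone:
            continue
        if r["hosts"] and src_ip not in r["hosts"]:
            continue
        if r["proto"] != "-" and r["proto"] != proto:
            continue
        if r["ports"] and str(port) not in r["ports"]:
            continue
        return r["action"]
    return policy

def verdicts(text=RULES):
    rules = parse_rules(text)
    return {
        "blocked_host_to_net": evaluate(rules, "loc", "192.0.2.10", "net", "tcp", 80),
        "blocked_host_to_dmz_web": evaluate(rules, "loc", "192.0.2.10", "dmz", "tcp", 80),
        "other_host_to_net": evaluate(rules, "loc", "192.0.2.50", "net", "tcp", 443),
    }

# Same rules with the order reversed: the general 'ACCEPT loc net' now matches
# first, so the REJECT for the listed hosts is never reached.
REORDERED = "\n".join(RULES.strip().splitlines()[::-1])
```

With RULES the listed host gets REJECT for net but ACCEPT for the DMZ webserver; with REORDERED the same host gets ACCEPT for net, which is the silent misconfiguration a wrong ordering produces.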