I currently block traffic from certain addresses using the blacklist file. Occasionally, a client is unable to connect to us because their address inadvertently gets added to the file. What I would like to provide is a way for any address to connect to my site on an alternate port. This port connects to a web server that sends out a page displaying their IP address. The idea is that if a client's IP gets added to the blacklist file, I can have them point their browser to the alternate port, get their IP and unblock them.

So in short, is there a way to allow connections to a particular port from addresses in the blacklist file, while blocking the connections for all other ports?

Thanks

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Nathan Gibbs wrote:
> So in short, is there a way to allow connections to a particular port
> from addresses in the blacklist file, while blocking the connections for
> all other ports?

There is no convenient way to do that.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Wed, Jan 02, 2008 at 11:04:46AM -0800, Tom Eastep wrote:
> Nathan Gibbs wrote:
>
> > So in short, is there a way to allow connections to a particular port
> > from addresses in the blacklist file, while blocking the connections for
> > all other ports?
>
> There is no convenient way to do that.

Perl:

    # one rules-file line per address in the list; chomp strips the newline
    # that each backtick line carries, or it would split the rule in two
    foreach (`cat /etc/shorewall/not-so-blacklist`) {
        chomp;
        print "REJECT all:$_ all tcp 0:79,81:65535\n";
    }

Or something along those lines.
Andrew Suffield wrote:
> On Wed, Jan 02, 2008 at 11:04:46AM -0800, Tom Eastep wrote:
> > Nathan Gibbs wrote:
> >
> > > So in short, is there a way to allow connections to a particular port
> > > from addresses in the blacklist file, while blocking the connections for
> > > all other ports?
> > There is no convenient way to do that.
>
> Perl foreach (`cat /etc/shorewall/not-so-blacklist`) {shorewall "REJECT all:$_ all tcp 0:79,81:65535"}
>
> Or something along those lines.

Which will allow TCP port 80 *and all other protocols*

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Wed, Jan 02, 2008 at 11:42:20AM -0800, Tom Eastep wrote:
> Andrew Suffield wrote:
> > On Wed, Jan 02, 2008 at 11:04:46AM -0800, Tom Eastep wrote:
> > > Nathan Gibbs wrote:
> > >
> > > > So in short, is there a way to allow connections to a particular port
> > > > from addresses in the blacklist file, while blocking the connections for
> > > > all other ports?
> > > There is no convenient way to do that.
> >
> > Perl foreach (`cat /etc/shorewall/not-so-blacklist`) {shorewall "REJECT all:$_ all tcp 0:79,81:65535"}
> >
> > Or something along those lines.
>
> Which will allow TCP port 80 *and all other protocols*

Yes, you'd also need to explicitly reject those. On the other hand, you should have a default reject policy for everything but TCP, ICMP and UDP anyway.

I probably forgot some other details. I spent about 30 seconds writing that line, don't deploy it without thinking it over properly.
* Tom Eastep wrote:
>
> There is no convenient way to do that.
>
> -Tom

Shoot, guess I'll chuck the blacklist & go back to the Shorewall 1.x way:

    ACCEPT  net                  fw  tcp  port
    DROP    net:BLA.CKL.IST.#01  fw  all
    DROP    net:BLA.CKL.IST.#XX  fw  all
    ACCEPT  net                  fw  tcp  ports
    ACCEPT  net                  fw  udp  ports
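A worked version of the layout Nathan sketches above (drop the blacklist file and express the exceptions in the rules file), written as an added example; it is not code posted in the thread and not part of Shorewall. It reads the address list from a file (the path /etc/shorewall/not-so-blacklist, the alternate port 8080 and the service ports are assumptions), emits the rules in the order Shorewall evaluates them, and includes a small first-match evaluator so the ordering can be checked before the rules go live, including Tom's point that a listed address must lose UDP and ICMP as well, not just the other TCP ports:

```python
"""Generate /etc/shorewall/rules entries that let every client reach one
"alternate" port (the IP-display page) while dropping everything else from a
list of blocked addresses. Added example, not Shorewall's own code. The list
file path, the port numbers and the sample addresses below are assumptions."""
import ipaddress


def parse_address_list(text):
    """Return the addresses from a one-per-line file body, skipping blank
    lines and '#' comments; anything that is not an IPv4 address or CIDR
    raises ValueError instead of silently becoming a bad rule."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ipaddress.ip_network(line, strict=False)  # validation only
        out.append(line)
    return out


def rules_fragment(blocked, alt_port, tcp_ports, udp_ports):
    """Shorewall applies the first matching rule, so the order is:
    1. everyone may reach the alternate port
    2. each blocked address loses everything else (PROTO all, so UDP and
       ICMP are dropped too, which the tcp-only one-liner misses)
    3. the usual service ports for everyone else"""
    rules = [f"ACCEPT\tnet\t$FW\ttcp\t{alt_port}"]
    for addr in blocked:
        rules.append(f"DROP\tnet:{addr}\t$FW\tall")
    if tcp_ports:
        rules.append("ACCEPT\tnet\t$FW\ttcp\t" + ",".join(map(str, tcp_ports)))
    if udp_ports:
        rules.append("ACCEPT\tnet\t$FW\tudp\t" + ",".join(map(str, udp_ports)))
    return rules


def first_match(rules, src_ip, proto, port):
    """Minimal first-match evaluator for the net -> $FW lines generated above
    (single ports and comma lists only). Returns the ACTION of the first rule
    that matches, or 'POLICY' when the packet falls through to the policy."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        fields = rule.split("\t")
        action, source, proto_field = fields[0], fields[1], fields[3]
        ports = fields[4] if len(fields) > 4 else None
        if ":" in source:
            net = ipaddress.ip_network(source.split(":", 1)[1], strict=False)
            if ip not in net:
                continue
        if proto_field != "all" and proto_field != proto:
            continue
        if ports and str(port) not in ports.split(","):
            continue
        return action
    return "POLICY"


# Constructed sample list, standing in for /etc/shorewall/not-so-blacklist.
BLOCKLIST_TEXT = "192.0.2.7\n# added by mistake\n198.51.100.0/24\n"
BLOCKED = parse_address_list(BLOCKLIST_TEXT)
RULES = rules_fragment(BLOCKED, alt_port=8080, tcp_ports=[22, 80, 443], udp_ports=[53])

if __name__ == "__main__":
    print("\n".join(RULES))
    for ip, proto, port in [("192.0.2.7", "tcp", 8080), ("192.0.2.7", "tcp", 80),
                            ("192.0.2.7", "udp", 53), ("203.0.113.5", "tcp", 80)]:
        print(f"{ip} {proto}/{port} -> {first_match(RULES, ip, proto, port)}")
```

The DROP lines use PROTO all, which is what closes the hole in the tcp-only one-liner: UDP and ICMP from a listed address hit the DROP rather than a later ACCEPT or the policy. The evaluator is a sanity check on rule ordering, not a substitute for shorewall check and a real test from a listed address.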
Hi,

Using Shorewall 4.0.6.
2 Interfaces.

How do I block P2P traffic on one IP?

I have added this to the rules, but it's not working.

    REJECT  loc:10.10.1.13  net             tcp  7000:65535
    REJECT  loc:10.10.1.13  net             udp  7000:65535
    REJECT  net             loc:10.10.1.13  tcp  7000:65535
    REJECT  net             loc:10.10.1.13  udp  7000:65535

Is there something else that needs adding?

Thanks
P Hennessy wrote:
>
> Hi,
>
> Using Shorewall 4.0.6.
> 2 Interfaces.
>
> How do I block P2P traffic on one IP

The short answer is that you can't -- and you will frustrate yourself trying. P2P software is very adept at sidestepping packet-filter firewalls.

You can slow it down by proxying all web access from that host and configuring the proxy to disallow access to obvious P2P URLs.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Hi,

Thanks for the info.

When you say:
"You can slow it down by proxying all web access from that host and
configuring the proxy to disallow access to obvious P2P URLs."

Do you mean install squid or should I use some other proxy server?
I haven't used a proxy server before, any help would be great.
If you haven't time it's ok.

Thanks.

> Date: Wed, 2 Jan 2008 16:46:51 -0800
> From: teastep@shorewall.net
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] How do I block P2P traffic in one IP
>
> P Hennessy wrote:
> >
> > Hi,
> >
> > Using Shorewall 4.0.6.
> > 2 Interfaces.
> >
> > How do I block P2P traffic on one IP
>
> The short answer is that you can't -- and you will frustrate yourself
> trying. P2P software is very adept at sidestepping packet-filter firewalls.
>
> You can slow it down by proxying all web access from that host and
> configuring the proxy to disallow access to obvious P2P URLs.
>
> -Tom
> --
> Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,         \ http://shorewall.net
> Washington USA      \ teastep@shorewall.net
> PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
P Hennessy wrote:
> Hi,
>
> Thanks for the info.
>
> When you say:
> "You can slow it down by proxying all web access from that host and
> configuring the proxy to disallow access to obvious P2P URLs."
>
> Do you mean install squid or should I use some other proxy server.
> I haven't used a proxy server before, any help would be great.

Yes -- I'm referring to Squid. Sorry, but I don't have time to help you with Squid but there is a lot of documentation available, including on the Shorewall site (http://www.shorewall.net/Shorewall_Squid_Usage.html)

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Hi,

Using Shorewall 4.0.7.
3 Interfaces.

I have set up a DMZ, but can't get any access in or out.
The loc is working fine for connection to $FW and net.

eth0: for connection to Net using adsl ppp0
eth1: loc IP 10.10.1.3 netmask 255.0.0.0
eth2: dmz IP 10.10.2.3 netmask 255.0.0.0

INTERFACES:

    net    ppp0  detect       routefilter,norfc1918,tcpflags,blacklist
    modem  eth0  detect
    loc    eth1  10.10.1.255  tcpflags,dhcp
    dmz    eth2  10.10.2.255  tcpflags,dhcp

MASQ:

    ppp0  eth1
    eth0  eth1
    eth0  eth2

POLICY:

    loc   net   REJECT  info
    loc   $FW   REJECT  info
    loc   dmz   REJECT  info
    loc   all   REJECT  info
    $FW   net   REJECT  info
    $FW   loc   REJECT  info
    $FW   dmz   REJECT  info
    $FW   all   REJECT  info
    dmz   net   REJECT  info
    dmz   $FW   REJECT  info
    dmz   loc   REJECT  info
    dmz   all   REJECT  info
    net   $FW   DROP    info
    net   loc   DROP    info
    net   dmz   DROP    info
    net   all   DROP    info
    all   all   REJECT  info

ROUTESTOPPED:

    eth1  -
    eth2  -

ZONES:

    fw     firewall
    net    ipv4
    loc    ipv4
    dmz    ipv4
    modem  ipv4

RULES for DMZ:

    DNS/ACCEPT   $FW   dmz
    DNS/ACCEPT   dmz   $FW
    ACCEPT       dmz   net   tcp  443
    Ping/ACCEPT  dmz   loc
    Ping/ACCEPT  loc   dmz
    Ping/ACCEPT  $FW   dmz
    Ping/ACCEPT  dmz   $FW
    REDIRECT     dmz   3128  tcp  !443    #SQUID
    ACCEPT       $FW   net   tcp  80

Is there something else that needs adding?

Thanks
Patrick.
On Mon, Jan 21, 2008 at 06:26:28PM +0000, P Hennessy wrote:
>
> Is there something else that needs adding. Thanks
> Patrick.

First, your email is so mangled as to be nearly unreadable. Please use plain text and if you have stuff that is better in columns, then align them properly.

Additionally, please read the Shorewall Support Guide [0].

Regards,

-Roberto

[0] http://www.shorewall.net/support.htm

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
P Hennessy wrote:
> Hi,
>
> Using Shorewall 4.0.7.
> 3 Interfaces.
>
> I have setup a DMZ, but can't get any access in or out.
> The loc is working fine for connection to $FW and net.
>
> eth0: for connection to Net using adsl ppp0
> eth1: loc IP 10.10.1.3 netmask 255.0.0.0
> eth2: dmz IP 10.10.2.3 netmask 255.0.0.0
>

Unworkable IP configuration. eth1 and eth2 ARE THE SAME NETWORK (10.0.0.0/8). You need netmask 255.255.255.0 (/24) so that eth1 is 10.10.1.0/24 and eth2 is 10.10.2.0/24.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
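The mistake Tom points out is easy to catch before wiring up zones: compute the network each interface actually sits on and look for overlaps. The check below is an added example, not part of Shorewall or of anything posted in the thread; the interface names and addresses are the ones from Patrick's message, and the only assumption is that interfaces are given as address/netmask strings. It also shows why the /8 setup misbehaves at the routing level: for a DMZ destination both eth1 and eth2 tie on prefix length, so the kernel has no reason to prefer the DMZ link.

```python
"""Detect overlapping interface subnets and show which interface(s) a
destination would route to. Added example, not Shorewall's own code; the
addresses are the ones from the DMZ thread."""
import ipaddress


def overlapping_interfaces(ifaces):
    """ifaces: {name: 'address/netmask'}. Returns every pair of interfaces
    whose networks overlap, as (name_a, name_b, network_a, network_b),
    sorted by interface name. An empty list means the addressing is clean."""
    nets = {name: ipaddress.ip_interface(spec).network
            for name, spec in ifaces.items()}
    names = sorted(nets)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                clashes.append((a, b, str(nets[a]), str(nets[b])))
    return clashes


def candidates_for(ifaces, dst):
    """Longest-prefix match over the connected routes the interfaces imply.
    Returns the interface names that tie for the longest matching prefix;
    more than one name means the choice of link is ambiguous."""
    dst = ipaddress.ip_address(dst)
    best, winners = -1, []
    for name, spec in ifaces.items():
        net = ipaddress.ip_interface(spec).network
        if dst not in net:
            continue
        if net.prefixlen > best:
            best, winners = net.prefixlen, [name]
        elif net.prefixlen == best:
            winners.append(name)
    return sorted(winners)


# Interface addressing exactly as posted, and with the /24 masks Tom suggests.
AS_POSTED = {"eth1": "10.10.1.3/255.0.0.0", "eth2": "10.10.2.3/255.0.0.0"}
FIXED = {"eth1": "10.10.1.3/255.255.255.0", "eth2": "10.10.2.3/255.255.255.0"}

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("fixed", FIXED)):
        print(label, "overlaps:", overlapping_interfaces(cfg))
        print(label, "route to DMZ host 10.10.2.50 via:", candidates_for(cfg, "10.10.2.50"))
```

With the posted masks both interfaces collapse to 10.0.0.0/8 and a DMZ host matches eth1 and eth2 equally; with /24 masks there is no overlap and 10.10.2.50 resolves to eth2 only.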
Thank you. That fixed it.

> Date: Mon, 21 Jan 2008 10:32:01 -0800
> From: teastep@shorewall.net
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] Setting up a DMZ
>
> P Hennessy wrote:
> > Hi,
> >
> > Using Shorewall 4.0.7.
> > 3 Interfaces.
> >
> > I have setup a DMZ, but can't get any access in or out.
> > The loc is working fine for connection to $FW and net.
> >
> > eth0: for connection to Net using adsl ppp0
> > eth1: loc IP 10.10.1.3 netmask 255.0.0.0
> > eth2: dmz IP 10.10.2.3 netmask 255.0.0.0
> >
>
> Unworkable IP configuration. eth1 and eth2 ARE THE SAME NETWORK
> (10.0.0.0/8). You need netmask 255.255.255.0 (/24) so that eth1 is
> 10.10.1.0/24 and eth2 is 10.10.2.0/24.
>
> -Tom
> --
> Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,         \ http://shorewall.net
> Washington USA      \ teastep@shorewall.net
> PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key