I have a request from a client to block access from the local network to a specific web site (facebook). I know the documentation states that I would be better off using squid but I don't want to add another application just to filter traffic to 2 or 3 addresses.

This is what I have and it seems to work.

zones
net ipv4
blk:net ipv4

hosts
blk eth1:69.63.176.11,69.63.176.10,204.15.20.80

policy
loc blk REJECT info
loc all REJECT info
blk loc REJECT info

I am just wondering if there is a simpler or better way.

Thanks

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Don't miss this year's exciting event. There's still time to save $100.
Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
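For comparison, the same address block written as a single entry in /etc/shorewall/rules instead of a dedicated zone; this is an added illustration, not a configuration from the thread, and the port restriction in the commented variant is an assumption the original post did not make. Like the zone approach it matches only by destination address, so it gives no per-URL control and the address list has to be maintained by hand as the site's addresses change.

```conf
#ACTION      SOURCE   DEST                                          PROTO   DEST PORT(S)
# Constructed example: the three addresses from the original post. Rules are
# evaluated before policies, so no extra zone or policy entries are needed.
# ":info" logs each rejected attempt, matching the "REJECT info" policies above.
REJECT:info  loc      net:69.63.176.11,69.63.176.10,204.15.20.80
# Assumed variant: reject only web traffic to those addresses (ports are an assumption).
#REJECT:info loc      net:69.63.176.11,69.63.176.10,204.15.20.80    tcp     80,443
```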
On Sat, Apr 26, 2008 at 11:19:03AM -0700, Alan Madill wrote:
>
> zones
> net ipv4
> blk:net ipv4
>
> hosts
> blk eth1:69.63.176.11,69.63.176.10,204.15.20.80
>
> policy
> loc blk REJECT info
> loc all REJECT info
> blk loc REJECT info
>
> I am just wondering if there is a simpler or better way.
>
As you pointed out, using squid is simpler. Shorewall is not a content filter.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Alan Madill wrote:
> I have a request from a client to block access from the local network to
> a specific web site (facebook). I know the documentation states that I
> would be better off using squid but I don't want to add another
> application just to filter traffic to 2 or 3 addresses.
>
> This is what I have and it seems to work.
>
> zones
> net ipv4
> blk:net ipv4
>
> hosts
> blk eth1:69.63.176.11,69.63.176.10,204.15.20.80
>
> policy
> loc blk REJECT info
> loc all REJECT info
> blk loc REJECT info
>
> I am just wondering if there is a simpler or better way.

Well if it works ...

But you can only block access to ALL sites on a server like this, you cannot block by URL which the various proxies can do.
Alan Madill wrote:
> I have a request from a client to block access from the local network to
> a specific web site (facebook). I know the documentation states that I
> would be better off using squid but I don't want to add another
> application just to filter traffic to 2 or 3 addresses.
>
> This is what I have and it seems to work.
>
> zones
> net ipv4
> blk:net ipv4
>
> hosts
> blk eth1:69.63.176.11,69.63.176.10,204.15.20.80
> ...
> I am just wondering if there is a simpler or better way.

If you want to do it dynamically, 'shorewall drop 204.15.20.80' would probably be better, although note that it:
- only drops incoming packets, and
- doesn't persist across shorewall restarts

See http://linuxman.wikispaces.com/fail2ban for what I did to get fail2ban to drop traffic in both directions.

Paul
Paul Gear wrote:
> Alan Madill wrote:
>
>> I have a request from a client to block access from the local network to
>> a specific web site (facebook). I know the documentation states that I
>> would be better off using squid but I don't want to add another
>> application just to filter traffic to 2 or 3 addresses.
>>
>> This is what I have and it seems to work.
>>
>> zones
>> net ipv4
>> blk:net ipv4
>>
>> hosts
>> blk eth1:69.63.176.11,69.63.176.10,204.15.20.80
>> ...
>> I am just wondering if there is a simpler or better way.
>>
>
> If you want to do it dynamically, 'shorewall drop 204.15.20.80' would
> probably be better, although note that it:
> - only drops incoming packets, and
> - doesn't persist across shorewall restarts
>
I tried the blacklist approach first. It doesn't block traffic through the firewall, just to the firewall.

> See http://linuxman.wikispaces.com/fail2ban for what I did to get
> fail2ban to drop traffic in both directions.
>
That looks useful. A slightly different approach is with rascals - http://scott.wiersdorf.org/blog/sysadmin/rascals.html

> Paul
>