Hi all,

I am trying to use shorewall rules with the time element but it never works; the rules look like this

HTTPS(REJECT) loc net:69.63.181.11,69.63.181.12,69.63.184.142,69.63.187.17,69.63.187.19 localtz&timestart=20:00&timestop=20:10&weekdays=Mon,Tue,Wed,Thu,Fri

This rule is to block https access to the facebook site during working hours & days.
My system is Debian lenny, shorewall 4.4.4.2, kernel 2.6.30-bpo.2-amd64; the kernel module for the time element is already supported.

proxycbb:/etc/shorewall# grep MATCH_TIME /boot/config-2.6.30-bpo.2-amd64
CONFIG_NETFILTER_XT_MATCH_TIME=m

And one more thing: /var/log/shorewall-init.log is always empty, why?

Thanks
Kurniadi

------------------------------------------------------------------------------
This SF.Net email is sponsored by the Verizon Developer Community
Take advantage of Verizon's best-in-class app development support
A streamlined, 14 day to market process makes app distribution fast and easy
Join now and get one step closer to millions of Verizon customers
http://p.sf.net/sfu/verizon-dev2dev

On 12/16/2009 06:18 PM, kurniadi wrote:
> Hi all,
>
> I am trying to use shorewall rules with the time element but it never works; the
> rules look like this
>
> HTTPS(REJECT) loc net:69.63.181.11,69.63.181.12,69.63.184.142,69.63.187.17,69.63.187.19 localtz&timestart=20:00&timestop=20:10&weekdays=Mon,Tue,Wed,Thu,Fri
>
> This rule is to block https access to the facebook site during working hours &
> days. My system is Debian lenny, shorewall 4.4.4.2, kernel
> 2.6.30-bpo.2-amd64; the kernel module for the time element is already
> supported.

Shorewall is not the proper tool for trying to limit traffic to a
particular domain. You will never be able to keep up with the list of IP
addresses used by facebook. See Shorewall FAQ 39 for more information.

> proxycbb:/etc/shorewall# grep MATCH_TIME /boot/config-2.6.30-bpo.2-amd64
> CONFIG_NETFILTER_XT_MATCH_TIME=m
>
> And one more thing: /var/log/shorewall-init.log is always empty, why?

Because no process is writing to it. What configuration options have you
selected that makes you believe that the file should contain messages?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

2009/12/17, Tom Eastep <teastep@shorewall.net>:
> On 12/16/2009 06:18 PM, kurniadi wrote:
>> Hi all,
>>
>> I am trying to use shorewall rules with the time element but it never works; the
>> rules look like this
>>
>> HTTPS(REJECT) loc net:69.63.181.11,69.63.181.12,69.63.184.142,69.63.187.17,69.63.187.19 localtz&timestart=20:00&timestop=20:10&weekdays=Mon,Tue,Wed,Thu,Fri
>>
>> This rule is to block https access to the facebook site during working hours &
>> days. My system is Debian lenny, shorewall 4.4.4.2, kernel
>> 2.6.30-bpo.2-amd64; the kernel module for the time element is already
>> supported.
>
> Shorewall is not the proper tool for trying to limit traffic to a
> particular domain. You will never be able to keep up with the list of IP
> addresses used by facebook. See Shorewall FAQ 39 for more information.

OK, maybe this is not a perfect solution for blocking https; I will try
squid instead of shorewall.
But why did the time element rule not work? Since this feature is new in
shorewall, I have not found a working example. Could you give us an example
of working rules?

>> proxycbb:/etc/shorewall# grep MATCH_TIME /boot/config-2.6.30-bpo.2-amd64
>> CONFIG_NETFILTER_XT_MATCH_TIME=m
>>
>> And one more thing: /var/log/shorewall-init.log is always empty, why?
>
> Because no process is writing to it. What configuration options have you
> selected that makes you believe that the file should contain messages?

I found the problem in my shorewall.conf: the STARTUP_LOG option was empty.
I already fixed it...

Kurniadi

2009/12/17, kurniadi <kurniadi2008@gmail.com>:
> 2009/12/17, Tom Eastep <teastep@shorewall.net>:
>> On 12/16/2009 06:18 PM, kurniadi wrote:
>>> Hi all,
>>>
>>> I am trying to use shorewall rules with the time element but it never works; the
>>> rules look like this
>>>
>>> HTTPS(REJECT) loc net:69.63.181.11,69.63.181.12,69.63.184.142,69.63.187.17,69.63.187.19 localtz&timestart=20:00&timestop=20:10&weekdays=Mon,Tue,Wed,Thu,Fri
>>>
>>> This rule is to block https access to the facebook site during working hours &
>>> days. My system is Debian lenny, shorewall 4.4.4.2, kernel
>>> 2.6.30-bpo.2-amd64; the kernel module for the time element is already
>>> supported.
>>
>> Shorewall is not the proper tool for trying to limit traffic to a
>> particular domain. You will never be able to keep up with the list of IP
>> addresses used by facebook. See Shorewall FAQ 39 for more information.
>
> OK, maybe this is not a perfect solution for blocking https; I will try
> squid instead of shorewall.
> But why did the time element rule not work? Since this feature is new in
> shorewall, I have not found a working example. Could you give us an example
> of working rules?

Hmm, after trial and error a couple of times, this rule works after adding -
in the middle; the rule looks like this

HTTPS(REJECT) loc net:69.63.181.11,69.63.181.12,69.63.184.142,69.63.187.17,69.63.187.19 - - - - - - - - localtz&timestart=20:00&timestop=20:10&weekdays=Mon,Tue,Wed,Thu,Fri

Kurniadi

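The fix in the message above works because rules-file columns are positional: the time spec only counts as TIME when it is the 12th field. As an added example (not from the thread and not Shorewall's own code), this Python check reports which column a time spec lands in and validates its elements; the column names are an assumption taken from shorewall-rules(5) for the 4.4 series, and lint_rule and the shortened address list are constructed here.

```python
import re

# Column order of /etc/shorewall/rules, assumed from shorewall-rules(5) for the
# 4.4 series; the thread itself only shows that the time spec is the 12th field.
COLUMNS = ["ACTION", "SOURCE", "DEST", "PROTO", "DEST PORT(S)",
           "SOURCE PORT(S)", "ORIGINAL DEST", "RATE LIMIT", "USER/GROUP",
           "MARK", "CONNLIMIT", "TIME"]
WEEKDAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}
CLOCK = re.compile(r"^([01]?\d|2[0-3]):[0-5]\d(:[0-5]\d)?$")


def is_time_spec(token):
    """True if any '&'-separated element is a time keyword."""
    heads = {part.split("=", 1)[0] for part in token.split("&")}
    return bool(heads & {"utc", "localtz", "timestart", "timestop", "weekdays"})


def check_time_elements(token):
    """Validate clock values and weekday names inside a time spec."""
    errors = []
    for part in token.split("&"):
        key, _, value = part.partition("=")
        if key in ("timestart", "timestop") and not CLOCK.match(value):
            errors.append(f"{key}: '{value}' is not hh:mm[:ss]")
        if key == "weekdays":
            bad = [d for d in value.split(",") if d not in WEEKDAYS]
            if bad:
                errors.append(f"weekdays: unknown day(s) {','.join(bad)}")
    return errors


def lint_rule(line):
    """Return a list of findings for one rules-file line."""
    findings = []
    tokens = line.split("#", 1)[0].split()   # drop trailing comment
    for index, token in enumerate(tokens):
        if not is_time_spec(token):
            continue
        column = COLUMNS[index] if index < len(COLUMNS) else f"field {index + 1}"
        missing = COLUMNS.index("TIME") - index
        if missing > 0:
            findings.append(f"time spec parsed as {column}; "
                            f"add {missing} '-' placeholders before it")
        findings.extend(check_time_elements(token))
    return findings


# Constructed from the two rules quoted in the thread (address list shortened).
DEST = "net:69.63.181.11,69.63.181.12"
SPEC = "localtz&timestart=20:00&timestop=20:10&weekdays=Mon,Tue,Wed,Thu,Fri"
BROKEN = f"HTTPS(REJECT) loc {DEST} {SPEC}"
FIXED = f"HTTPS(REJECT) loc {DEST} " + "- " * 8 + SPEC
```

Running lint_rule over the first rule from the thread shows the time spec sitting in the PROTO position, which is why eight placeholders were needed.
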
On 12/16/2009 07:18 PM, kurniadi wrote:
> 2009/12/17, Tom Eastep <teastep@shorewall.net>:
>> On 12/16/2009 06:18 PM, kurniadi wrote:
>>> Hi all,
>>>
>>> I am trying to use shorewall rules with the time element but it never works; the
>>> rules look like this
>>>
>>> HTTPS(REJECT) loc net:69.63.181.11,69.63.181.12,69.63.184.142,69.63.187.17,69.63.187.19 localtz&timestart=20:00&timestop=20:10&weekdays=Mon,Tue,Wed,Thu,Fri
>>>
>>> This rule is to block https access to the facebook site during working hours &
>>> days. My system is Debian lenny, shorewall 4.4.4.2, kernel
>>> 2.6.30-bpo.2-amd64; the kernel module for the time element is already
>>> supported.
>>
>> Shorewall is not the proper tool for trying to limit traffic to a
>> particular domain. You will never be able to keep up with the list of IP
>> addresses used by facebook. See Shorewall FAQ 39 for more information.
>
> OK, maybe this is not a perfect solution for blocking https; I will try
> squid instead of shorewall.
> But why did the time element rule not work?

You have presented no evidence that it doesn't work.

-Tom