Hi everyone,

just a little question: are there any plans on inventing support for ipset matching for the original destination while using DNAT/REDIRECT in the rules-file? We need this function very urgently, as we want to blacklist and redirect our users to a blocking page if they hit an entry on the blacklist. If there is no intention for current development, we would offer to implement this, but as we are not experienced with programming Shorewall internals, some help with this would be nice.

Thanks and greetz from Germany,
Oliver Schmidt

-- 
Netz ArGe Jülich e.V., Heinrich-Mußmann-Straße 18, 52428 Jülich
Chairpersons: Oliver Schmidt, Mirco Wollong
Registered seat: Amtsgericht Düren, VR 2184, tax number: 213/5752/0747
Non-profit association under §51 ff. AO
http://www.netzags.de
Email: General: info@netzags.de
User support: support@netzags.de
Board: vorstand@netzags.de

------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
On 7/2/10 5:21 PM, Oliver Schmidt wrote:
> Hi everyone,
>
> just a little question: are there any plans on inventing support for
> ipset matching for the original destination while using DNAT/REDIRECT in
> the rules-file?

No. Netfilter doesn't support that so Shorewall can't support it either.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Hi Tom,

> No. Netfilter doesn't support that so Shorewall can't support it either.

As far as I can see, the only problem is the ctorigdst matching in the ACCEPT rule, which of course does not support ipsets.

Putting the redirect rule in the nat table with the set matching active is working. Perhaps it would be possible to mark those packets that are going to be redirected and then filter them by that mark in the appropriate INPUT/FORWARD chains?

Thanks for the quick response,
Oliver

-- 
Netz ArGe Jülich e.V., Heinrich-Mußmann-Straße 18, 52428 Jülich
Chairpersons: Oliver Schmidt, Mirco Wollong
Registered seat: Amtsgericht Düren, VR 2184, tax number: 213/5752/0747
Non-profit association under §51 ff. AO
http://www.netzags.de
Email: General: info@netzags.de
User support: support@netzags.de
Board: vorstand@netzags.de
On 7/2/10 7:09 PM, Oliver Schmidt wrote:
> Hi Tom,
>
>> No. Netfilter doesn't support that so Shorewall can't support it either.
>>
> As far as I can see, the only problem is the ctorigdst matching in the
> ACCEPT rule, which of course does not support ipsets.
>
> Putting the redirect rule in the nat-table with the set-matching active
> is working - perhaps it would be possible to mark those packets that
> gonna be redirected and then filter them by that mark in the appropriate
> INPUT/FORWARD chains?

Sorry -- I'm not putting those kinds of hacks into Shorewall.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Sat 03 Jul 2010 02:21:32 CEST, Oliver Schmidt wrote:
> We need this function very urgent, as we want to blacklist and redirect
> our users to a blocking page if they hit an entry on the blacklist.

Squid with SquidGuard, and configure auth in Squid; then SquidGuard will follow, if that's okay. It's just for ports handled with Squid.

-- 
xpoint

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
On 7/2/10 8:39 PM, Tom Eastep wrote:
> On 7/2/10 7:09 PM, Oliver Schmidt wrote:
>> Hi Tom,
>>
>>> No. Netfilter doesn't support that so Shorewall can't support it either.
>>>
>> As far as I can see, the only problem is the ctorigdst matching in the
>> ACCEPT rule, which of course does not support ipsets.
>>
>> Putting the redirect rule in the nat-table with the set-matching active
>> is working - perhaps it would be possible to mark those packets that
>> gonna be redirected and then filter them by that mark in the appropriate
>> INPUT/FORWARD chains?
>
> Sorry -- I'm not putting those kinds of hacks into Shorewall.

I should point out, however, that an ipsec *can currently* be used in the ORIGINAL DEST column of a DNAT- or REDIRECT- rule. Coupled with a suitable ACCEPT rule, that should accomplish what you want.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 7/3/10 12:29 PM, Tom Eastep wrote:
> On 7/2/10 8:39 PM, Tom Eastep wrote:
>> On 7/2/10 7:09 PM, Oliver Schmidt wrote:
>>> Hi Tom,
>>>
>>>> No. Netfilter doesn't support that so Shorewall can't support it either.
>>>>
>>> As far as I can see, the only problem is the ctorigdst matching in the
>>> ACCEPT rule, which of course does not support ipsets.
>>>
>>> Putting the redirect rule in the nat-table with the set-matching active
>>> is working - perhaps it would be possible to mark those packets that
>>> gonna be redirected and then filter them by that mark in the appropriate
>>> INPUT/FORWARD chains?
>>
>> Sorry -- I'm not putting those kinds of hacks into Shorewall.
>
> I should point out, however, that an ipsec *can currently* be used in

I meant to type 'ipset', of course.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
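The approach Tom describes (ipset in the ORIGINAL DEST column of a REDIRECT- rule, plus a separate ACCEPT rule) written out as a rules-file fragment. This is an added illustration, not from the thread or from the Shorewall project; the set name `blacklist`, the zone name `loc`, the blocking-page port 8080 and the sample address are assumptions.

```text
# Added example (not from the thread). Assumes an ipset named "blacklist"
# of type hash:ip exists before Shorewall starts, for example created with
#   ipset create blacklist hash:ip
#   ipset add blacklist 203.0.113.10     # constructed sample (TEST-NET-3)
# and that the blocking page listens on the firewall itself on TCP port 8080.
#
# /etc/shorewall/rules
#ACTION    SOURCE  DEST   PROTO  DEST     SOURCE   ORIGINAL
#                                PORT(S)  PORT(S)  DEST
#
# REDIRECT- (trailing dash) generates only the nat-table rule, so the
# ipset is matched against the destination *before* NAT, i.e. the address
# the user actually tried to reach.
REDIRECT-  loc     8080   tcp    80       -        +blacklist
#
# The filter rule does not need the ipset at all: once the nat rule has
# rewritten the destination, the packet is addressed to the firewall's
# port 8080, which is all the ACCEPT rule has to match. This is what
# removes the ctorigdst limitation from the ACCEPT side.
ACCEPT     loc     $FW    tcp    8080
```

The ACCEPT rule necessarily admits any `loc` host that connects to port 8080 directly, not only redirected ones, so the blocking-page listener should serve nothing but the static block page. `shorewall check` validates the fragment before it is loaded, and `shorewall show nat` shows the generated nat-table rule with its set match.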