I'm using ipsets to block several IP address ranges, but I'd like even IP addresses within those ranges to be able to connect to me on the TOR port (9001). My /etc/shorewall/blacklist file looks like this:

--------------------------------------------------------------
#ADDRESS/SUBNET         PROTOCOL        PORT            OPTIONS
# Whitelist port 9001 for TOR
-                       tcp             9001            whitelist
# IPset we use to block countries
+cblock                 -               -               src
--------------------------------------------------------------

Unfortunately, it appears that connections from addresses within the 'cblock' ipset on port 9001 are being dropped. Connections to other ports from addresses in that ipset are, of course, correctly being blocked.

Before I go into full-scale troubleshooting, is this the correct way to do what I want? Or have I missed something?

Thanks

--
Ron Murray (rjmx@rjmx.net)
http://www.rjmx.net/~ron
GPG Public Key Fingerprint: 0ED0 C1D1 615C FCCE 7424 9B27 31D8 AED5 AF6D 0D4A
I think I've solved the problem. Despite what the shorewall-blacklist manual seems to say, the traffic direction does not default to 'src': it needs to be put in explicitly. When I changed the entry in /etc/shorewall/blacklist to

# Whitelist port 9001 for TOR
-                       tcp             9001            src,whitelist

the appropriate RETURN entry appeared in an iptables -L dump, and port 9001 isn't being blocked any longer, even from source IP addresses that appear in the blocking ipset.

Shorewall version installed is 4.4.22.3-1, on a Debian wheezy box (sorry, should have said that before).
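As an added example (not code from Ron's messages or from the Shorewall project): a small POSIX shell script that writes out the corrected blacklist layout Ron arrived at and lints a blacklist file for whitelist entries that omit an explicit direction, which is the gotcha he hit on Shorewall 4.4.22.3. The ipset name cblock, port 9001 and the option words come from the thread; the output path, the function names and the lint rule itself are assumptions of this example, not part of Shorewall.

```shell
#!/bin/sh
# Added example, not from the original thread or from Shorewall itself.
# - write_blacklist: emit the /etc/shorewall/blacklist layout from the thread,
#   with the explicit "src" that Ron found necessary on 4.4.22.3.
# - lint_blacklist: flag whitelist entries whose OPTIONS column has no
#   "src" or "dst", i.e. entries that on that version generate no RETURN rule.
# Paths and function names are assumptions of this example.

# Write the corrected blacklist to $1 (a scratch path by default, never /etc).
write_blacklist() {
    out="${1:-${TMPDIR:-/tmp}/blacklist.example}"
    cat >"$out" <<'EOF'
#ADDRESS/SUBNET         PROTOCOL        PORT            OPTIONS
# Whitelist port 9001 for TOR. The direction must be written out:
# on Shorewall 4.4.22.3 it does not default to "src" and the
# RETURN rule is not generated without it.
-                       tcp             9001            src,whitelist
# IPset used to block countries ("+" marks an ipset name)
+cblock                 -               -               src
EOF
    printf '%s\n' "$out"
}

# Lint a blacklist file. Comment and blank lines are skipped; for every
# entry whose OPTIONS (4th column) contain "whitelist", require "src" or
# "dst" to be present as well. Prints offenders; returns 1 if any, else 0.
lint_blacklist() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $4 ~ /whitelist/ {
            n = split($4, opt, ",")
            ok = 0
            for (i = 1; i <= n; i++)
                if (opt[i] == "src" || opt[i] == "dst") ok = 1
            if (!ok) {
                printf "no explicit direction on whitelist entry: %s\n", $0
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# Stand-alone run: write the corrected file and lint it.
if [ "${1:-}" = "run" ]; then
    f=$(write_blacklist)
    lint_blacklist "$f" && echo "ok: $f"
fi
```

Run `sh script.sh run` to produce and check the file; running `lint_blacklist` against Ron's original file (the `- tcp 9001 whitelist` line without `src`) reports that entry and exits non-zero. After copying the corrected file to /etc/shorewall/blacklist and restarting Shorewall, confirm the fix the way Ron did: the `iptables -L -n` output should now contain a RETURN rule for tcp port 9001, and a test connection from an address in the cblock ipset should reach 9001 while other ports stay blocked. Later Shorewall 4.4.x releases moved this functionality to /etc/shorewall/blrules, so check the manual for the version actually installed before copying this layout.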