Hi, in shorewall version 3.4.8 I used this rule to block access to Facebook through port 443 (https):

/shorewall/rules:

REJECT loc net:69.171.224.12,69.171.224.0/19,69.63.176.0/20,66.220.144.0/20 tcp 443

What I did was block the public IP network segment to fit through https. Now I use this same rule in version 4.4 and it works already. Has anything changed in this period? Or how could I interpret it in the new version now?

I have shorewall 4.4.25.3

Greetings!!

-- 
I.S.C. William López Jiménez
--
User Linux # 379636
MSN wljkoala23@hotmail.com
Jabber koalasoft@jabber.org
Web: www.koalasoftmx.tk
Twitter: @koalasoft
Facebook: william.koalasoft
On 03/14/2012 12:19 PM, I.S.C. William wrote:
> Hi, in shorewall version 3.4.8 used this rule to block access
> to Facebook through port 443 (https):
>
> /shorewall/rules:
>
> REJECT loc net:69.171.224.12,69.171.224.0/19,69.63.176.0/20,66.220.144.0/20 tcp 443
>
> What I did was block the public IP network segment to fit through https.
> Now I use this same rule in version 4.4 and it works already.
> Has anything changed in this period? or how could I interpret the new
> version now?
>
> I have shorewall 4.4.25.3

Did you put your REJECT rule *before* your ACCEPT rule? You must!

-Tom
-- 
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
I understand this, telling me that in the rules I must put the REJECT rules first (if there are any) and then the ACCEPT rules?

If you could give me the syntax of the rules as they should be, I mean: REJECT rules first, then the ACCEPT rules, then the rules after DROP, REJECT .. etc.

2012/3/14 Tom Eastep <teastep@shorewall.net>
> On 03/14/2012 12:19 PM, I.S.C. William wrote:
> > I have shorewall 4.4.25.3
>
> Did you put your REJECT rule *before* your ACCEPT rule? You must!
>
> -Tom

-- 
I.S.C. William López Jiménez
--
User Linux # 379636
MSN wljkoala23@hotmail.com
Jabber koalasoft@jabber.org
Web: www.koalasoftmx.tk
Twitter: @koalasoft
Facebook: william.koalasoft
A question about this: is it possible with shorewall to block a domain, rather than by IP? And if so, how would it be done?

2012/3/14 I.S.C. William <william.koalasoft@gmail.com>
> I understand this, telling me that the rules, I must put first the rules
> REJECT (if there) and then ACCEPT rules?
>
> If this could give me the syntax of the rules as they should be, I mean:
> REJECT rules first, then the ACCEPT rules, the rules after DROP, REJECT ..
> etc.

-- 
I.S.C. William López Jiménez
--
User Linux # 379636
MSN wljkoala23@hotmail.com
Jabber koalasoft@jabber.org
Web: www.koalasoftmx.tk
Twitter: @koalasoft
Facebook: william.koalasoft
On 3/14/12 2:06 PM, "I.S.C. William" <william.koalasoft@gmail.com> wrote:
> A question about this, is possible with shorewall to block a domain, rather
> than by IP? and if so how would it be?

That is a FAQ.

-Tom

You do not need a parachute to skydive. You only need a parachute to skydive twice.
I found this iptables rule that works very well, but .. how can I interpret this in shorewall rules?

---------------------------------------------------------------
FACEBOOK_ALLOW="192.168.1.12 192.168.1.14 192.168.1.111"
iptables -N FACEBOOK

iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 66.220.144.0-66.220.159.255 --dport 443 -j FACEBOOK
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 69.63.176.0-69.63.191.255 --dport 443 -j FACEBOOK
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 204.15.20.0-204.15.23.255 --dport 443 -j FACEBOOK
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 66.220.144.0-66.220.159.255 --dport 80 -j FACEBOOK
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 69.63.176.0-69.63.191.255 --dport 80 -j FACEBOOK
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 204.15.20.0-204.15.23.255 --dport 80 -j FACEBOOK

## FACEBOOK ALLOW
for face in $FACEBOOK_ALLOW; do
    iptables -A FACEBOOK -s $face -j ACCEPT
done
iptables -A FACEBOOK -j REJECT
---------------------------------------------------------------

I see that it blocks the IP range.

Greetings!!

2012/3/14 Tom Eastep <teastep@shorewall.net>
> On 3/14/12 1:06 PM, "I.S.C. William" <william.koalasoft@gmail.com> wrote:
> > I understand this, telling me that the rules, I must put first the rules REJECT (if there) and then ACCEPT rules?
> >
> > If this could give me the syntax of the rules as they should be, I mean: REJECT rules first, then the ACCEPT rules, the rules after DROP, REJECT .. etc.
>
> There is only one thing to remember: The first rule that matches a connection determines the disposition of that connection. The exception is rules whose TARGET is LOG; those log the packet only.
>
> -Tom
>
> You do not need a parachute to skydive. You only need a parachute to skydive twice.

-- 
I.S.C. William López Jiménez
--
User Linux # 379636
MSN wljkoala23@hotmail.com
Jabber koalasoft@jabber.org
Web: www.koalasoftmx.tk
Twitter: @koalasoft
Facebook: william.koalasoft
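Tom's point that the first matching rule decides (LOG excepted), together with the allowed-hosts-then-REJECT ordering of the iptables FACEBOOK chain above, as an added Python example that is not from this thread or from Shorewall itself; the ranges and allowed hosts are the ones quoted in the thread, and the trailing LAN ACCEPT rule is an assumption standing in for the usual loc-to-net ACCEPT:

```python
import ipaddress

# Added example, not code from the list thread: a small first-match evaluator
# mimicking the Shorewall rules semantics Tom states above (first matching rule
# decides; LOG rules only record and fall through). Specs: "-", CIDR, or range.
# Ranges and allowed hosts as quoted in the thread (2012 values, illustrative).
FACEBOOK_RANGE = "66.220.144.0-66.220.159.255,69.63.176.0-69.63.191.255,204.15.20.0-204.15.23.255"
FACEBOOK_ALLOW = "192.168.1.12,192.168.1.14,192.168.1.111"

def in_spec(spec, ip):
    """True if ip falls inside spec ('-', CIDR or dotted range, comma-separated)."""
    if spec == "-":
        return True
    addr = ipaddress.ip_address(ip)
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (ipaddress.ip_address(p) for p in part.split("-"))
            if lo <= addr <= hi:
                return True
        elif addr in ipaddress.ip_network(part, strict=False):
            return True
    return False

def evaluate(rules, conn):
    """Return (disposition, log entries) for conn under first-match semantics."""
    logged = []
    for action, src, dst, proto, dport in rules:
        if not (in_spec(src, conn["src"]) and in_spec(dst, conn["dst"])
                and proto in ("-", conn["proto"]) and dport in ("-", conn["dport"])):
            continue
        if action == "LOG":  # LOG never decides; keep walking the list
            logged.append(f"{conn['src']}->{conn['dst']}:{conn['dport']}")
            continue
        return action, logged
    return "POLICY", logged  # nothing matched: the zone policy applies

# Order the iptables FACEBOOK chain expresses: allowed hosts first, then REJECT
# for everyone else to those ranges, then the (assumed) general ACCEPT for the LAN.
ORDERED = [  # ACTION, SOURCE, DEST, PROTO, DEST PORT
    ("ACCEPT", FACEBOOK_ALLOW, FACEBOOK_RANGE, "tcp", 443),
    ("LOG", "-", FACEBOOK_RANGE, "tcp", "-"),
    ("REJECT", "-", FACEBOOK_RANGE, "tcp", 443),
    ("ACCEPT", "192.168.1.0/24", "-", "-", "-"),
]
# The mistake from the start of the thread: the general ACCEPT placed first.
MISORDERED = [ORDERED[-1]] + ORDERED[:-1]

def disposition(rules, src, dst, dport=443):
    return evaluate(rules, {"src": src, "dst": dst, "proto": "tcp", "dport": dport})[0]
```

With the general ACCEPT moved to the top, every LAN host reaches the ranges and the REJECT is never consulted, which is the symptom the thread opens with.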
This rule seems to work for me; please try it if you like, it works already.

SECTION BLACKLIST
#
HTTPS(REJECT)   all   net:69.171.224.0-69.171.255.255,66.220.144.0-66.220.159.255   tcp
#
SECTION NEW
.....
..

2012/3/15 I.S.C. William <william.koalasoft@gmail.com>:
> I found this iptables rule that works very well, but ..
> How I can interpret this in shorewall rules?
>
> 2012/3/14 Tom Eastep <teastep@shorewall.net>
>>
>> There is only one thing to remember: The first rule that matches a connection determines the disposition of that connection.
>> The exception is rules whose TARGET is LOG; those log the packet only.
>>
>> -Tom

-- 
I.S.C. William López Jiménez
--
User Linux # 379636
MSN wljkoala23@hotmail.com
Jabber koalasoft@jabber.org
Web: www.koalasoftmx.tk
Twitter: @koalasoft
Facebook: william.koalasoft
> This rule seems to work for me, please try if you like them works
> already.
>
> SECTION BLACKLIST
> #
> HTTPS(REJECT) all net:69.171.224.0-69.171.255.255,66.220.144.0-66.220.159.255 tcp
> #
> SECTION NEW
> .....

Well, almost. I have done it like this:

/etc/shorewall/params:

FACEBOOKRANGE=69.171.224.0-69.171.255.255,66.220.144.0-66.220.159.255
FACEBOOK=all+:$FACEBOOKRANGE

/etc/shorewall/rules:

REJECT:info   all+       $FACEBOOK   all
REJECT:info   $FACEBOOK  all+        all

But for an experiment ("how to experience Life without Google") I would like to try this with, yes, Google. Where can I find Google's IP ranges, and where has the OP found the Facebook range?

Thanks,
-Mark