On 07/19/2012 07:12 AM, I.S.C. William wrote:> This code is in Iptables rules ... Open port 443 to sites google, gmail and
> hotmail, How I can interpretet in shorewall ?
>
> $IPTABLES -A FORWARD -p tcp -d secure.shared.live.com --dport 443 -j ACCEPT
> $IPTABLES -A FORWARD -p tcp -d login.live.com --dport 443 -j ACCEPT
> $IPTABLES -A FORWARD -p tcp -d 65.54.165.139 --dport 443 -j ACCEPT
> $IPTABLES -A FORWARD -p tcp -d 65.55.128.204 --dport 443 -j ACCEPT
>
> #$IPTABLES -A FORWARD -p tcp -d www.gmail.com --dport 443 -j ACCEPT
> #$IPTABLES -A FORWARD -p tcp -d www.google.com --dport 443 -j ACCEPT
>
> What I intend to do with this is to close all the port and https port 443
> open only to those sites (hotmail,gmail,google) so they can be used.
This isn''t a very good idea. Google uses a very short TTL on its
www.google.com A records (136 seconds). So they are subject to change
every 136 seconds. As we have pointed out to you before, DNS names are
translated into a list of IP addresses when the firewall is started or
restarted. So any changes in the set of addresses associated with the
DNS name are not going to be reflected in the active ruleset.
If you still think you want to try this, see
http://www.shorewall.net/configuration_file_basics#dnsnames.
Regards,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/