Variable PARAMS file does not work.

Within the file "params" I have the variable:

MAC_LAN: ~00-1B-77-91-D5-5E,~00-13-21-FA-56-1B,~00-21-70-35-46-CE

Within the file "rules" I have this rule:

REJECT loc:!MAC_LAN net tcp 443

But it does not work; the parser cannot read the contents of the variable. Is there something that needs to be enabled for this to work?

I have Shorewall version 4.4.26.1.

-- 
Regards,
ISC. William López Jiménez
Computer Systems Engineer
User Linux: 379636
Twitter: @koalasoft
MSN: wljkoala23[a]hotmail.com
LinkedIn: http://linkd.in/Q2U6q7
Web: www.koalasoftmx.tk

Save a tree... Please do not print this e-mail unless it is necessary.

CONFIDENTIALITY NOTICE
This electronic mail transmission is confidential, may be privileged and should be read or retained only by the intended recipient. If the reader of this transmission is not the intended recipient, you are hereby notified that any distribution or copying hereof is strictly prohibited. If you have received this transmission in error, please immediately notify the sender and delete it from your system.

------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM
Deploy New Relic app performance management and know exactly
what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev
On 10/04/2012 10:58 AM, I.S.C. William wrote:
> Within the file "params" I have the variable:
>
> MAC_LAN: ~00-1B-77-91-D5-5E,~00-13-21-FA-56-1B,~00-21-70-35-46-CE
>
> Within the file "rules" I have this rule:
>
> REJECT loc:!MAC_LAN net tcp 443
>
> But it does not work; the parser cannot read the contents of the
> variable. Is there something that needs to be enabled for this to work?
>
> I have Shorewall version 4.4.26.1.

params is a shell source file. So it must contain valid shell syntax:

MAC_LAN="~00-1B-77-91-D5-5E,~00-13-21-FA-56-1B,~00-21-70-35-46-CE"

-Tom
-- 
Tom Eastep          \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA       \ all of the passengers in his car
http://shorewall.net   \________________________________________________
2012/10/4 Tom Eastep <teastep@shorewall.net>
> params is a shell source file. So it must contain valid shell syntax:
>
> MAC_LAN="~00-1B-77-91-D5-5E,~00-13-21-FA-56-1B,~00-21-70-35-46-CE"
>
> -Tom

I corrected the syntax as you said, but I still cannot use port 443 for the MACs in PARAMS, which are the exception, if I can let them through.

These are my policies:

loc   all   REJECT   info
net   all   DROP     info
fw    all   ACCEPT

This is my params variable:

MAC_LAN:" ~00-1B-77-91-D5-5E,~00-13-21-FA-56-1B,~00-21-70-35-46-CE"

and this is my rule:

REJECT loc:!MAC_LAN net tcp 443

What would be the error?
On 10/04/2012 11:26 AM, I.S.C. William wrote:
> These are my policies:
>
> loc   all   REJECT   info
> net   all   DROP     info
> fw    all   ACCEPT
>
> This is my params variable:
>
> MAC_LAN:" ~00-1B-77-91-D5-5E,~00-13-21-FA-56-1B,~00-21-70-35-46-CE"
>
> and this is my rule:
>
> REJECT loc:!MAC_LAN net tcp 443
>
> What would be the error?

I think you want:

ACCEPT loc:$MAC_LAN net tcp 443

-Tom
2012/10/4 Tom Eastep <teastep@shorewall.net>
> I think you want:
>
> ACCEPT loc:$MAC_LAN net tcp 443
>
> -Tom

OK, this is my real problem: I need to block certain LAN equipment from reaching secure Internet sites using port 443. For example:

Open port 443 to all, but those who go to the Internet site segment () cannot access it; only those in the list in the PARAMS variable MAC_LIST can.

Params file:

MAC_LAN="~00-1B-77-91-D5-5E,~00-13-21-FA-56-1B,~00-21-70-35-46-CE"
NET_LIST:"69.171.224.0/19,95.100.128.0/20"

rules file:

ACCEPT loc net tcp 443

REJECT loc:!$MAC_LIST net:$NET_LIST
On 10/04/2012 11:48 AM, I.S.C. William wrote:
> OK, this is my real problem: I need to block certain LAN equipment from
> reaching secure Internet sites using port 443. For example:
>
> Open port 443 to all, but those who go to the Internet site segment ()
> cannot access it; only those in the list in the PARAMS variable MAC_LIST can.
>
> Params file:
>
> MAC_LAN="~00-1B-77-91-D5-5E,~00-13-21-FA-56-1B,~00-21-70-35-46-CE"
> NET_LIST:"69.171.224.0/19,95.100.128.0/20"
>
> rules file:
>
> ACCEPT loc net tcp 443
>
> REJECT loc:!$MAC_LIST net:$NET_LIST

You have the rules in the wrong order!

-Tom
2012/10/4 Tom Eastep <teastep@shorewall.net>
> > rules file:
> >
> > ACCEPT loc net tcp 443
> >
> > REJECT loc:!$MAC_LIST net:$NET_LIST
>
> You have the rules in the wrong order!
>
> -Tom

I have the order wrong? Please show me what the order of the rules should be. If I deny first, then how would I open it afterwards? Please.

Thank you!
On 10/04/2012 12:29 PM, Tom Eastep wrote:
> On 10/04/2012 11:48 AM, I.S.C. William wrote:
>> rules file:
>>
>> ACCEPT loc net tcp 443
>>
>> REJECT loc:!$MAC_LIST net:$NET_LIST
>
> You have the rules in the wrong order!

You need *ONE RULE*

ACCEPT loc:$MAC_LIST net:$NET_LIST

You have a REJECT loc->net policy so anything you don't explicitly ACCEPT will be REJECTED.

-Tom
On 10/04/2012 02:01 PM, Tom Eastep wrote:
> On 10/04/2012 12:29 PM, Tom Eastep wrote:
>> You have the rules in the wrong order!
>
> You need *ONE RULE*
>
> ACCEPT loc:$MAC_LIST net:$NET_LIST
>
> You have a REJECT loc->net policy so anything you don't explicitly
> ACCEPT will be REJECTED.

And if you only want that rule to apply to port 443, make it:

ACCEPT loc:$MAC_LIST net:$NET_LIST tcp 443

The way that you had your rules, *ALL* traffic to port 443 was ACCEPTed by the ACCEPT rule so no traffic to port 443 reached the REJECT rule.

-Tom
2012/10/4 Tom Eastep <teastep@shorewall.net>
> > You need *ONE RULE*
> >
> > ACCEPT loc:$MAC_LIST net:$NET_LIST
> >
> > You have a REJECT loc->net policy so anything you don't explicitly
> > ACCEPT will be REJECTED.
>
> And if you only want that rule to apply to port 443, make it:
>
> ACCEPT loc:$MAC_LIST net:$NET_LIST tcp 443
>
> The way that you had your rules, *ALL* traffic to port 443 was ACCEPTed
> by the ACCEPT rule so no traffic to port 443 reached the REJECT rule.
>
> -Tom

Yes, but... what is this attempt? Because it worked in another Shorewall and in this one it doesn't. What I want is...

Allow the entire LAN to browse secure sites (https), but...

Reject the output of the entire LAN to the public IP segments (NET_LIST) on the Internet, and only the MAC addresses that are listed (MAC_LIST) have access to these segments.

I hope I explained it better. Thanks.
2012/10/4 I.S.C. William <william.koalasoft@gmail.com>

> 2012/10/4 Tom Eastep <teastep@shorewall.net>
>
>> On 10/04/2012 02:01 PM, Tom Eastep wrote:
>>> On 10/04/2012 12:29 PM, Tom Eastep wrote:
>>>> On 10/04/2012 11:48 AM, I.S.C. William wrote:
>>>>> 2012/10/4 Tom Eastep <teastep@shorewall.net>
>>>>>
>>>>>> On 10/04/2012 11:26 AM, I.S.C. William wrote:
>>>>>>> 2012/10/4 Tom Eastep <teastep@shorewall.net>
>>>>>>>
>>>>>>>> On 10/04/2012 10:58 AM, I.S.C. William wrote:
>>>>>>>>> Variable PARAMS file does not work.
>>>>>>>>>
>>>>>>>>> Within the file "params" I have the variable:
>>>>>>>>>
>>>>>>>>> MAC_LAN: ~00-1B-77-91-D5-5E,~00-13-21-FA-56-1B,~00-21-70-35-46-CE
>>>>>>>>>
>>>>>>>>> Within the file "rules" I have this rule:
>>>>>>>>>
>>>>>>>>> REJECT loc:!MAC_LAN net tcp 443
>>>>>>>>>
>>>>>>>>> But it does not work; the parser cannot read the contents of the
>>>>>>>>> variable. Is there something that has to be enabled for this to work?
>>>>>>>>>
>>>>>>>>> I have Shorewall version 4.4.26.1.
>>>>>>>>
>>>>>>>> params is a shell source file. So it must contain valid shell syntax:
>>>>>>>>
>>>>>>>> MAC_LAN="~00-1B-77-91-D5-5E,~00-13-21-FA-56-1B,~00-21-70-35-46-CE"
>>>>>>>>
>>>>>>>> -Tom
>>>>>>>
>>>>>>> I corrected the syntax as you said, but I still cannot use port 443
>>>>>>> for the MACs, except the ones in PARAMS, if I can leave it like that.
>>>>>>>
>>>>>>> These are my policies:
>>>>>>>
>>>>>>> loc all REJECT info
>>>>>>> net all DROP info
>>>>>>> fw all ACCEPT
>>>>>>>
>>>>>>> This is my params variable:
>>>>>>>
>>>>>>> MAC_LAN:"~00-1B-77-91-D5-5E,~00-13-21-FA-56-1B,~00-21-70-35-46-CE"
>>>>>>>
>>>>>>> and this is my rule:
>>>>>>>
>>>>>>> REJECT loc:!MAC_LAN net tcp 443
>>>>>>>
>>>>>>> What would be the error?
>>>>>>
>>>>>> I think you want:
>>>>>>
>>>>>> ACCEPT loc:$MAC_LAN net tcp 443
>>>>>>
>>>>>> -Tom
>>>>>
>>>>> OK, this is my real problem: I need to block certain LAN machines from
>>>>> reaching secure Internet sites on port 443. For example:
>>>>>
>>>>> Open port 443 to everyone, but those who go to the Internet site
>>>>> segment () cannot access it; only those in the list in the PARAMS
>>>>> variable MAC_LIST can.
>>>>>
>>>>> Params file:
>>>>>
>>>>> MAC_LAN="~00-1B-77-91-D5-5E,~00-13-21-FA-56-1B,~00-21-70-35-46-CE"
>>>>> NET_LIST:"69.171.224.0/19,95.100.128.0/20"
>>>>>
>>>>> rules file:
>>>>>
>>>>> ACCEPT loc net tcp 443
>>>>> REJECT loc:!$MAC_LIST net:$NET_LIST
>>>>
>>>> You have the rules in the wrong order!
>>>
>>> You need *ONE RULE*
>>>
>>> ACCEPT loc:$MAC_LIST net:$NET_LIST
>>>
>>> You have a REJECT loc->net policy so anything you don't explicitly
>>> ACCEPT will be REJECTED.
>>
>> And if you only want that rule to apply to port 443, make it:
>>
>> ACCEPT loc:$MAC_LIST net:$NET_LIST tcp 443
>>
>> The way that you had your rules, *ALL* traffic to port 443 was ACCEPTed
>> by the ACCEPT rule so no traffic to port 443 reached the REJECT rule.
>>
>> -Tom
>
> Yes, but what about this attempt? It worked on another Shorewall host,
> but on this one it does not. What I want is:
>
> Allow the entire LAN to browse secure sites (https), but reject traffic
> from the whole LAN to the public IP segments (NET_LIST) on the internet,
> so that only the MAC addresses listed in MAC_LIST have access to those
> segments.
>
> I hope I have explained it better. Thanks.

My problem seems to be that the variable MAC_LIST is not read by the file "rules", and I am using the syntax you said.
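Tom's point in the quoted exchange above is that params is sourced by the shell, so a line of the form `MAC_LAN:"..."` is parsed as a command name rather than an assignment, and the variable is still empty when the rules file is expanded. The script below is an added example, not Shorewall's own code: it writes two constructed params files to a temporary directory, sources each one in a subshell the way a compiler would, and expands a rule line against the result. The file names, the `params_value` and `expand_rule` helpers, and the rule-expansion step are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not Shorewall code): show why NAME:"value" in params sets
# nothing while NAME="value" does. Shorewall sources params with the shell,
# so only valid shell assignments define variables for the rules file.

WORKDIR=$(mktemp -d)                 # constructed scratch directory
trap 'rm -rf "$WORKDIR"' EXIT

# The poster's original line: the shell reads it as a command named
# MAC_LAN:~00-1B-77-... (which does not exist) and never sets MAC_LAN.
cat > "$WORKDIR/params.bad" <<'EOF'
MAC_LAN:"~00-1B-77-91-D5-5E,~00-13-21-FA-56-1B,~00-21-70-35-46-CE"
EOF

# Tom's corrected syntax: real assignments, values quoted so the leading
# '~' of each MAC is never subject to tilde expansion.
cat > "$WORKDIR/params.good" <<'EOF'
MAC_LAN="~00-1B-77-91-D5-5E,~00-13-21-FA-56-1B,~00-21-70-35-46-CE"
NET_LIST="69.171.224.0/19,95.100.128.0/20"
EOF

# params_value FILE NAME: source FILE in a subshell (a broken file cannot
# pollute the caller) and print NAME's value, empty if it was never set.
params_value() {
    ( set +e; . "$1" 2>/dev/null
      eval "printf '%s' \"\${$2}\"" )
}

# expand_rule FILE RULE: expand the $VAR references in RULE with the
# variables FILE defines, which is what the rules line looks like to the
# compiler after params has been sourced.
expand_rule() {
    rule=$2
    ( set +e; . "$1" 2>/dev/null
      eval "printf '%s\n' \"$rule\"" )
}

echo "bad params:  MAC_LAN='$(params_value "$WORKDIR/params.bad"  MAC_LAN)'"
echo "good params: MAC_LAN='$(params_value "$WORKDIR/params.good" MAC_LAN)'"
echo "rule as seen with bad params:"
expand_rule "$WORKDIR/params.bad"  'REJECT loc:!$MAC_LAN net:$NET_LIST tcp 443'
echo "rule as seen with good params:"
expand_rule "$WORKDIR/params.good" 'REJECT loc:!$MAC_LAN net:$NET_LIST tcp 443'
```

With the bad file the rule degenerates to `REJECT loc:! net: tcp 443`, an empty source and destination list; as Tom notes later in the thread, that is something the compiler refuses rather than silently accepting, which is why a firewall that starts at all is evidence that the variable did expand.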
On 10/04/2012 02:49 PM, I.S.C. William wrote:
> Yes, but what about this attempt? It worked on another Shorewall host,
> but on this one it does not. What I want is:
>
> Allow the entire LAN to browse secure sites (https), but reject traffic
> from the whole LAN to the public IP segments (NET_LIST) on the internet,
> so that only the MAC addresses listed in MAC_LIST have access to those
> segments.
>
> I hope I have explained it better. Thanks.

REJECT loc:!$MAC_LIST net:$NET_LIST
ACCEPT loc net tcp 443

-Tom
2012/10/4 Tom Eastep <teastep@shorewall.net>

> On 10/04/2012 02:49 PM, I.S.C. William wrote:
>> Yes, but what about this attempt? It worked on another Shorewall host,
>> but on this one it does not. What I want is:
>>
>> Allow the entire LAN to browse secure sites (https), but reject traffic
>> from the whole LAN to the public IP segments (NET_LIST) on the internet,
>> so that only the MAC addresses listed in MAC_LIST have access to those
>> segments.
>>
>> I hope I have explained it better. Thanks.
>
> REJECT loc:!$MAC_LIST net:$NET_LIST
> ACCEPT loc net tcp 443

So it is confirmed: if I use this rule in the file "rules"

REJECT loc:~00-0E-E8-D6-31-03,~00-0E-E8-D6-31-AA net:199.59.148.0/22,199.59.149.0/22 tcp 443

it works, but if I use the variable MAC_LIST from the file "PARAMS", the rule does not work.

Am I missing something that has to be enabled for variables in PARAMS to be readable from the file "rules"?
On 10/04/2012 02:52 PM, I.S.C. William wrote:
> My problem seems to be that the variable MAC_LIST is not read by the file
> "rules", and I am using the syntax you said.

If that were happening, your firewall wouldn't start because this rule would generate a compiler error:

REJECT loc:!$MAC_LIST net:$NET_LIST

-Tom
On 10/04/2012 03:20 PM, I.S.C. William wrote:
> 2012/10/4 Tom Eastep <teastep@shorewall.net>
>
>> REJECT loc:!$MAC_LIST net:$NET_LIST
>> ACCEPT loc net tcp 443
>
> So it is confirmed: if I use this rule in the file "rules"
>
> REJECT loc:~00-0E-E8-D6-31-03,~00-0E-E8-D6-31-AA net:199.59.148.0/22,199.59.149.0/22 tcp 443
>
> it works, but if I use the variable MAC_LIST from the file "PARAMS", the
> rule does not work.
>
> Am I missing something that has to be enabled for variables in PARAMS to
> be readable from the file "rules"?

Please send me (privately) a tarball of your /etc/shorewall directory. Before you create the tarball, please:

shorewall show -f capabilities > /etc/shorewall/caps

Thanks,
-Tom
On 10/4/12 3:25 PM, "Tom Eastep" <teastep@shorewall.net> wrote:

> Please send me (privately) a tarball of your /etc/shorewall directory.
> Before you create the tarball, please:
>
> shorewall show -f capabilities > /etc/shorewall/caps
>
> Thanks,

I received the tarball and found that the rules file contains this:

HTTPS/REJECT loc:!~00-0E-E8-D6-31-03,~00-0E-E8-D6-31-AA net:199.59.148.0/22,199.59.149.0/22

I installed 4.4.26.1 and then compiled the configuration as firewall1.

I then added this to params:

MAC_LIST="~00-0E-E8-D6-31-03,~00-0E-E8-D6-31-AA"

And changed the rule to this:

HTTPS/REJECT loc:!$MAC_LIST net:199.59.148.0/22,199.59.149.0/22

I then compiled the configuration as firewall2 and 'diffed' the two generated scripts:

diff -au firewall1 firewall2
--- firewall1 2012-10-04 16:28:36.000000000 -0700
+++ firewall2 2012-10-04 16:42:50.000000000 -0700
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Compiled firewall script generated by Shorewall 4.4.26.1 - Thu Oct 4 16:28:36 2012
+# Compiled firewall script generated by Shorewall 4.4.26.1 - Thu Oct 4 16:42:50 2012
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -1925,6 +1925,7 @@
     MAC_LOC_MSN=~00-1B-77-91-D5-5E,~00-0E-E8-D6-31-03
     IP_DROPBOX=199.47.216.0/22,108.160.160.0/20,205.189.0.0/24
     MAC_DBOX=~08-00-27-6D-94-E3,~00-0E-E8-D6-31-03,~00-1F-3A-30-BC-41
+    MAC_LIST=~00-0E-E8-D6-31-03,~00-0E-E8-D6-31-AA
     NET_FACE_IP=69.171.224.13,69.171.224.11,66.220.149.11,69.171.229.11,66.220.158.11,69.171.242.11,95.100.130.110,66.220.158.74
     MAC_LOC_TWIT=~00-11-00-00-00-00,~00-0E-E8-D6-31-03
     IP_PORN=173.192.57.241,91.192.110.109,93.93.64.65,173.208.175.42,108.167.183.224
@@ -1962,7 +1963,7 @@
 
     cat >&3 << __EOF__
 #
-# Generated by Shorewall 4.4.26.1 - Thu Oct 4 16:28:36 2012
+# Generated by Shorewall 4.4.26.1 - Thu Oct 4 16:42:50 2012
 #
 *raw
 :PREROUTING ACCEPT [0:0]
@@ -2780,7 +2781,7 @@
 
 $command <<__EOF__
 #
-# Generated by Shorewall 4.4.26.1 - Thu Oct 4 16:28:36 2012
+# Generated by Shorewall 4.4.26.1 - Thu Oct 4 16:42:50 2012
 #
 *raw
 :PREROUTING ACCEPT [0:0]

Other than the timestamps and the addition of the MAC_LIST define in the export list, the two firewall scripts are identical.

-Tom
You do not need a parachute to skydive. You only need a parachute to skydive twice.
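Review bot: in the hunk at @@ -1925,6 +1925,7 @@, the added `MAC_LIST=~00-0E-E8-D6-31-03,~00-0E-E8-D6-31-AA` is emitted as an unquoted assignment in a `#!/bin/sh` script, so the `~` that opens the value is a tilde-prefix at the point where the shell performs tilde expansion on assignments; it stays literal only because no account named `00-0E-E8-D6-31-03` exists on the host, and the neighbouring `MAC_LOC_MSN`, `MAC_DBOX` and `MAC_LOC_TWIT` lines carry the same dependency. Emitting the values single-quoted, as in `MAC_LIST='~00-0E-E8-D6-31-03,~00-0E-E8-D6-31-AA'`, removes it. The hunk otherwise shows exactly what the surrounding text claims: the define is added, and no line of the generated rule set changes.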
2012/10/4 Tom Eastep <teastep@shorewall.net>

> I received the tarball and found that the rules file contains this:
>
> HTTPS/REJECT loc:!~00-0E-E8-D6-31-03,~00-0E-E8-D6-31-AA net:199.59.148.0/22,199.59.149.0/22
>
> [...]
>
> Other than the timestamps and the addition of the MAC_LIST define in the
> export list, the two firewall scripts are identical.
>
> -Tom

OK, so what would be the problem with the PARAMS variables not being read? Because if I put the MAC directly in the file "rules", it works.
On 10/5/12 6:33 AM, "I.S.C. William" <william.koalasoft@gmail.com> wrote:

> OK, so what would be the problem with the PARAMS variables not being read?
> Because if I put the MAC directly in the file "rules", it works.

I was really hoping you would send me the version that didn't work.

Which of the PARAMs in the file you sent me is the one you believe does not work?

-Tom
2012/10/5 Tom Eastep <teastep@shorewall.net>

> On 10/5/12 6:33 AM, "I.S.C. William" <william.koalasoft@gmail.com> wrote:
>
>> OK, so what would be the problem with the PARAMS variables not being read?
>> Because if I put the MAC directly in the file "rules", it works.

The version I sent you is the one I am currently using, and it is the one I have the problem with. The rules work well for me; the only downside is that the variables in the PARAMS file are not read by the file "RULES".

What do you recommend? I do not wish to go back to iptables =(
On 10/05/2012 07:49 AM, I.S.C. William wrote:
> 2012/10/5 Tom Eastep <teastep@shorewall.net>
>
>> On 10/5/12 6:33 AM, "I.S.C. William" <william.koalasoft@gmail.com> wrote:
>>
>>> OK, so what would be the problem with the PARAMS variables not being
>>> read? Because if I put the MAC directly in the file "rules", it works.
>
> The version I sent you is the one I am currently using, and it is the one
> I have the problem with. The rules work well for me; the only downside is
> that the variables in the PARAMS file are not read by the file "RULES".
>
> What do you recommend? I do not wish to go back to iptables =(

Please:

1) Change your configuration to use the PARAM that doesn't work.
2) 'shorewall compile firewall'
3) Send me the 'firewall' file

Thanks,
-Tom
On 10/05/2012 07:49 AM, I.S.C. William wrote:
> The version I sent you is the one I am currently using, and it is the one
> I have the problem with. The rules work well for me; the only downside is
> that the variables in the PARAMS file are not read by the file "RULES".
>
> What do you recommend? I do not wish to go back to iptables =(

BTW -- I just compiled your firewall on an Ubuntu Precise system and exactly the same script was generated as in the other two cases. That is why I need to see what is being generated on your computer.

-Tom