Hi,

how to define time limited DNAT rule?

SECTION ESTABLISHED

# I don't know what to put here

SECTION RELATED

# I don't know what to put here

SECTION NEW

##############################################################################################################################
#ACTION     SOURCE  DEST                  PROTO  DEST  SOURCE   ORIGINAL          RATE   USER/  MARK  CONNLIMIT  TIME
#                                                PORT  PORT(S)  DEST              LIMIT  GROUP

SSH(DNAT)   net     loc:$SERVER_INT_ADDR  -      -     -        $SERVER_PUB_ADDR  -      -      -     -          timestart=18:45:00&timestop=18:48:00

New connection can't be established before timestart and after timestop, but how to terminate established connections?

Thank you for any advice.

--
Karel Ziegler
e-mail: ziegleka@gmail.com
mobil: +420 732 849 853

On 10/18/2013 10:17 AM, kAja Ziegler wrote:
> Hi,
>
> how to define time limited DNAT rule?
>
> SECTION ESTABLISHED
>
> # I don't know what to put here
>
> SECTION RELATED
>
> # I don't know what to put here
>
> SECTION NEW
>
> ##############################################################################################################################
> #ACTION SOURCE DEST PROTO DEST
> SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
> # PORT
> PORT(S) DEST LIMIT GROUP
>
> SSH(DNAT) net loc:$SERVER_INT_ADDR - -
> - $SERVER_PUB_ADDR - - - -
> timestart=18:45:00&timestop=18:48:00
>
>
> New connection can't be established before timestart and after timestop,
> but how to terminate established connections?
>

?SECTION ESTABLISHED
SSH(REJECT) net loc:$SERVER_INT_ADDR - - $SERVER_PUB_ADDR ;\
            time=start=18:48

And be sure FASTACCEPT=No in shorewall.conf

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

On 10/18/2013 10:47 AM, Tom Eastep wrote:
> On 10/18/2013 10:17 AM, kAja Ziegler wrote:
>> Hi,
>>
>> how to define time limited DNAT rule?
>>
>> SECTION ESTABLISHED
>>
>> # I don't know what to put here
>>
>> SECTION RELATED
>>
>> # I don't know what to put here
>>
>> SECTION NEW
>>
>> ##############################################################################################################################
>> #ACTION SOURCE DEST PROTO DEST
>> SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
>> # PORT
>> PORT(S) DEST LIMIT GROUP
>>
>> SSH(DNAT) net loc:$SERVER_INT_ADDR - -
>> - $SERVER_PUB_ADDR - - - -
>> timestart=18:45:00&timestop=18:48:00
>>
>>
>> New connection can't be established before timestart and after timestop,
>> but how to terminate established connections?
>>
>
> ?SECTION ESTABLISHED
> SSH(REJECT) net loc:$SERVER_INT_ADDR - - $SERVER_PUB_ADDR ;\
>             time=start=18:48

That should be: time=timestart=18:48

>
> And be sure FASTACCEPT=No in shorewall.conf

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Thank you, it works.

--
Karel Ziegler
e-mail: ziegleka@gmail.com

On Fri, Oct 18, 2013 at 7:54 PM, Tom Eastep <teastep@shorewall.net> wrote:
> On 10/18/2013 10:47 AM, Tom Eastep wrote:
> > On 10/18/2013 10:17 AM, kAja Ziegler wrote:
> >> Hi,
> >>
> >> how to define time limited DNAT rule?
> >>
> >> SECTION ESTABLISHED
> >>
> >> # I don't know what to put here
> >>
> >> SECTION RELATED
> >>
> >> # I don't know what to put here
> >>
> >> SECTION NEW
> >>
> >> ##############################################################################################################################
> >> #ACTION SOURCE DEST PROTO DEST
> >> SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
> >> # PORT
> >> PORT(S) DEST LIMIT GROUP
> >>
> >> SSH(DNAT) net loc:$SERVER_INT_ADDR - -
> >> - $SERVER_PUB_ADDR - - - -
> >> timestart=18:45:00&timestop=18:48:00
> >>
> >>
> >> New connection can't be established before timestart and after timestop,
> >> but how to terminate established connections?
> >>
> >
> > ?SECTION ESTABLISHED
> > SSH(REJECT) net loc:$SERVER_INT_ADDR - - $SERVER_PUB_ADDR ;\
> >             time=start=18:48
>
> That should be: time=timestart=18:48
>
> >
> > And be sure FASTACCEPT=No in shorewall.conf
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
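
An added example, not part of the original thread and not Shorewall code: a small Python check that reads a rules file and shorewall.conf and reports time-limited NEW-section rules that have no REJECT/DROP rule with timestart in the ESTABLISHED section, and FASTACCEPT=Yes alongside such a rule. Pairing rules by identical SOURCE and DEST columns, the function names and the sample strings are assumptions made for this illustration.

```python
import re

TIME_COL = 11  # TIME is the 12th column in the rules header quoted in the thread

def parse_rules(text):
    """Yield (section, action, source, dest, time_spec) for every rule line."""
    section = "NEW"  # assumption: rules before any SECTION line count as NEW
    for line in text.replace("\\\n", " ").splitlines():  # join "\" continuations
        line = line.split("#", 1)[0].strip()              # drop comments
        m = re.match(r"\??SECTION\s+(\w+)", line)
        if m:
            section = m.group(1).upper()
            continue
        cols, _, alt = line.partition(";")                # "; time=..." alternate form
        f = cols.split()
        if len(f) < 3:
            continue
        spec = f[TIME_COL] if len(f) > TIME_COL else "-"
        m = re.search(r"\btime=(\S+)", alt)
        yield section, f[0], f[1], f[2], m.group(1) if m else spec

def audit(rules_text, conf_text):
    """Report time windows that are not enforced on already-open connections."""
    rules = list(parse_rules(rules_text))
    # ESTABLISHED-section REJECT/DROP rules that start matching at a given time
    closers = {(src, dst) for sec, act, src, dst, spec in rules
               if sec == "ESTABLISHED" and "timestart=" in spec
               and re.search(r"REJECT|DROP", act)}
    findings = [f"{act} {src}->{dst}: open sessions outlive timestop"
                for sec, act, src, dst, spec in rules
                if sec == "NEW" and "timestop=" in spec and (src, dst) not in closers]
    fast = re.search(r'^\s*FASTACCEPT\s*=\s*"?(\w+)', conf_text, re.M)
    if closers and fast and fast.group(1).lower() == "yes":
        findings.append("FASTACCEPT=Yes: the thread's fix requires FASTACCEPT=No")
    return findings

# Constructed sample input: the question's rule alone, then with the thread's fix.
QUESTION = """
SECTION NEW
SSH(DNAT) net loc:$SERVER_INT_ADDR - - - $SERVER_PUB_ADDR - - - - timestart=18:45:00&timestop=18:48:00
"""
FIXED = """
?SECTION ESTABLISHED
SSH(REJECT) net loc:$SERVER_INT_ADDR - - - $SERVER_PUB_ADDR - - - - timestart=18:48
""" + QUESTION

if __name__ == "__main__":
    print(audit(QUESTION, "FASTACCEPT=No"))
    print(audit(FIXED, "FASTACCEPT=Yes"))
```

Because the check looks for the literal timestart= keyword, the first reply's time=start=18:48 form is still reported as leaving sessions open, while the corrected time=timestart=18:48 form is not.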