similar to: How to specify in a rule all the IP addresses belonging to <domain.xyz>

I have a DMZ (eth2: 10.0.100.0) and a LOC1 (eth0: 10.0.0.0) defined on my firewall. On one of the port on the switch serving LOC1 I have now a router and a switch feeding a bunch of computers with net=10.0.200.0. While I have defined a route to reach LOC2, I would like to define also a specific zone in order to assign different rules to it. Is it possible ? if yes, what is the syntax of the

Having moved from a "cascading LANs" configuration to two independent LANs on eth0 and eth1, I still get some "state INVALID" for which I am not sure what the cause is. Can somebody help me understand its probable origin? Thanks, Costantino [see attachment]

I know that Shorewall is not for content control, but until such day that I get the time to set-up squid, what is the best way to prevent machines on LOC from reaching a bunch of sites contained in a list with about 30 to 40 IP addresses or FQDN entries ? The blacklist look only at the SRC field of the packet, right? Thanks, Costantino. --------------------------------- Do you Yahoo!?

I''ve found the below rule, is it possible to use it with shorewall? I see how to setup the timing/rates but how to perform loggin of such action (a separate rule?). as an additional question is i possible to dynamically add hosts to blacklist and persist this between restarts? " SSH -A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --rcheck --hitcount 3 --seconds 600 -j

I have a rule setup to transparently proxy all normal web traffic through Dan''s Guardian for filtering. However, there are a few sites that simply do not work right through a transparent proxy. The biggest of these is yahoo mail. Most sites are not a problem to add to the exemption list. Yahoo, however, apparently uses many servers for the webmail system. There is the main server

Hello list, I discover strange behaviour of shaping traffic that i setup from Shorewall-4.0.2. I know that this is not Shorewall problem but may be somebody from list can help me or explain this situation. I have follow interfaces in 'tcdevices' files: #INTERFACE IN-BANDWITH OUT-BANDWIDTH # $EXT_IF 500kbit 248kbit $INT1_IF 500mbit

Cristian and Alex, Both of you have asked about this. A routing table can only have one default route so when the second link comes up, adding the second default route will fail. So in general, Shorewall can only reliably detect the gateway for P-T-P connections which is what the CVS current code does. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \

hi, i have shorewall-2.0.9 installed for my pc,i configured it for one-interface,the policy is: #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST fw net ACCEPT net all DROP info # The FOLLOWING POLICY MUST BE LAST all all REJECT info now i want to let some ip addresses from the

i am doing a clean install on fedora core 2 using the shorewall rpm and the Shorewall Setup Guide for multiple IP''s using a stock configuration except for AllowDNS and AllowWeb on the firewall (so i can post this message). my shorewall status file is attached. my setup 69.17.65.105 = firewall 69.17.65.22 = dmz server 1 69.17.65.161 = dmz server 2 my local network is

Hi, I have a setup problem with Shorewall 4.0.6, which I can''t figure out why it is not working: I want to install a fireall with 2 extra interfaces : - My serv ("dmz") zone is a /28 subnet behind eth1, with a small number of SUN servers (IPs between ABC.DEF.75.1 and .13), one of which is a DHCP server for the 75 subnet. - The loc zone are PCs in the 75 subnet behind eth2

We are using Shorewall 2.0.8 with SuSE 9.1 and have built a bridging firewall primarily to defend against syn flood and smurf DoS attacks. We are a small ISP using Cisco routers for a total of 5-6 subnets. Since bridges are based on use of MAC addresses, if we could use one bridging firewall system instead of 5-6 ... is this possible? practical? (Other than introducing a single point of failure

Dear all, I am using shorewall 2.0.3a is this redirection rule forward all requests coming to IPADDRESS:80 to 192.168.0.5:80 Rule: DNAT net loc:192.168.0.5 tcp 80 - IPaddress Regards, - sree

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Over the past weekend, I added SPF screening on the MTA at shorewall.net. SPF is a mechanism for a domain to use DNS to publish a list of those IP addresses that are used to send legitimate email from that domain. A receiving MTA can use that published information to determine if email from a domain is being sent through an MTA belonging to that

Hi, At the moment I am controlling my LAN client access to the Inet by their MAC address. Currently I am putting their MAC address in the rules file - now the number of the PC that I want to manage is getting more and more and it is not practicle to do this way anymore. My question is, how can I have their MAC address in other separate file? Regards http://www.debian.org/consultants/#Malaysia

Hello there, I can modify /etc/shorewall/tcdevices to control overall IN-BANDWITH. It is quite effective. Just change 2mbit to 128kbit. However, how do I limit download speed for a certain host IP on the LAN? I want to limit host 192.168.1.140 download speed to 128Kbit. Other hosts on the 192.168.1.0 LAN can still surf at 2mbit. Any input welcome. Kind Regards, Michael

When searching in google I could verify that many examples of used rules in shorewall do not exist to block port scanners external. Example: nmap. Somebody has some rule or example ? thanks.

Hi, I am having problem in getting my fw to connect to the net, I had set allow fw net in the policy. I suspect maybe shorewall having problem because I have 5 public IP alias to my fw, which is eth0, eth0:1-eth0:4. Because before I add more ip to this interface my fw able to connect to the net. How can I set one IP to be bind to this fw, or I had to change the rules from fw to fw:w.x.y.z? One

Dear friends, this time I have a problem with using waba function. Firstly, I'll explain you my situation. In the survey a gruop of supervisors judge the dipendents of a company. One supervisor reported on more than one subordinate. Thus, I need to show that lack of independence is not a problem, and a reviewer told me to use WABA. The question is, how? In which way i can build my X and Y?

Hi, I plug my laptop in different networks and use the following hack to configure automatically shorewall for trusted/untrusted networks: In /etc/shorewall/params: # none is a dummy zone associated to the loopback interface NONE="none:0.0.0.0" # Network scheme, automatically detected by intuitively NETWORK_SCHEME="$(cat /etc/network/scheme 2>/dev/null)" case

Hi, I am using Shorewall in Adamantix. At the moment everything flow fine, my question is that how can I filter the access by computer mac address, I had read the documentation maybe I am ''stupid enough to spot the guide, if so please show me''. What is the rules line if I want to 1. limit ~01-01-01-01-01-01,~02-02-02-02-02-02,~03-03-03-03-03-03-03 to access 202.202.202.202