Note: the W2k3 box has a public IP address from the 195.113.101.216/29 subnet, the same subnet as eth1 on the shorewall box.
Thanks for help.

Jiří Červenka wrote:
> Hello,
> I'm running shorewall 3.0.2 on a debian sarge box.
> I have a w2k3 box on eth1 with both a public and a local IP address running an
> FTP server.
> I have set proxy arp for this host.
> Now I try to drop ftp packets from one IP address on the internet, but my
> setup does not work.
>
> My setup
>
> proxyarp
> #ADDRESS         INTERFACE  EXTERNAL  HAVEROUTE  PERSISTENT
> 195.113.101.221  eth1       eth0      yes        yes
>
> rules
> .
> DROP  net:193.171.155.10  loc:195.113.101.221  tcp  21
> .
>
> zones
> #ZONE   TYPE      OPTIONS  IN       OUT
> #                          OPTIONS  OPTIONS
> fw      firewall
> net     ipv4
> loc     ipv4
> wifio   ipv4
> road    ipv4
>
> interfaces:
> #ZONE   INTERFACE  BROADCAST  OPTIONS
> net     eth0       detect     tcpflags,routefilter,norfc1918,nosmurfs,blacklist
> loc     eth1       detect     dhcp,blacklist,routeback,detectnets
> wifio   eth2       detect     blacklist
> road    tap0
>
> policy:
> #SOURCE  DEST   POLICY  LOG LEVEL  LIMIT:BURST
> loc      net    ACCEPT
> loc      wifio  ACCEPT
> loc      loc    ACCEPT
> loc      fw     ACCEPT
> fw       net    ACCEPT
> fw       wifio  ACCEPT
> fw       loc    ACCEPT
> net      all    DROP
> all      all    REJECT
> wifio    net    ACCEPT
> wifio    loc    ACCEPT
> wifio    fw     ACCEPT
> road     loc    ACCEPT
> #LAST - ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
> routing table:
> 195.113.101.208/30 dev eth0 proto kernel scope link src 195.113.101.210
> 195.113.101.216/29 dev eth1 proto kernel scope link src 195.113.101.217
> 172.16.0.0/27 dev eth1 proto kernel scope link src 172.16.0.1
> 192.168.2.0/24 dev tap0 proto kernel scope link src 192.168.2.1
> 192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.1
> 192.168.10.0/24 via 195.113.101.209 dev eth0
> 172.16.0.0/16 via 172.16.0.30 dev eth1
> default via 195.113.101.209 dev eth0
>
> What could be wrong? Why does shorewall pass ftp connections to my ftp server?
>
> Thanks for any help.
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys - and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
> __________ Information from NOD32 1990 (20070119) __________
>
> This message was checked by the NOD32 antivirus system.
> http://www.nod32.cz
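When a rule "does not work", the first thing to separate is whether the rules and policy tables, as written, even produce the verdict you expect, or whether the traffic is not being evaluated by them at all. The script below is an added example, not part of this thread and not Shorewall's own code: a deliberately simplified re-implementation of Shorewall's first-match evaluation of the rules and policy files, loaded with the DROP rule and the policy table quoted above. The post elides the rest of the rules file (the "." lines), so only the quoted DROP rule is modelled, and the addresses 198.51.100.7 and 172.16.0.5 used in the sample calls are constructed.

```python
"""Evaluate a connection against Shorewall-style rules and policy tables.

Added example (not from the mailing-list post, not Shorewall's code): a
simplified model of Shorewall's first-match semantics for the rules file
and the policy file, used to check what verdict a configuration is
supposed to produce for a given new connection.
"""
import ipaddress

# The single rule quoted in the post; the rest of the file was elided there.
RULES = """\
#ACTION  SOURCE              DEST                 PROTO  DEST PORT(S)
DROP     net:193.171.155.10  loc:195.113.101.221  tcp    21
"""

# Policy table exactly as quoted in the post (LOG LEVEL / LIMIT columns omitted).
POLICY = """\
#SOURCE  DEST   POLICY
loc      net    ACCEPT
loc      wifio  ACCEPT
loc      loc    ACCEPT
loc      fw     ACCEPT
fw       net    ACCEPT
fw       wifio  ACCEPT
fw       loc    ACCEPT
net      all    DROP
all      all    REJECT
wifio    net    ACCEPT
wifio    loc    ACCEPT
wifio    fw     ACCEPT
road     loc    ACCEPT
"""


def parse_table(text):
    """Split a Shorewall table into rows, dropping comments and blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def endpoint_matches(spec, zone, ip):
    """Match a 'zone' or 'zone:address' column against one packet endpoint."""
    spec_zone, _, addr = spec.partition(":")
    if spec_zone not in (zone, "all"):
        return False
    if not addr:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(addr, strict=False)


def port_matches(spec, port):
    """Match DEST PORT(S): '-' (any), a single port, a comma list, or low:high."""
    if spec in ("-", ""):
        return True
    for item in spec.split(","):
        if ":" in item:
            low, high = item.split(":")
            if int(low) <= port <= int(high):
                return True
        elif int(item) == port:
            return True
    return False


def evaluate(src_zone, src_ip, dst_zone, dst_ip, proto, dport,
             rules=RULES, policy=POLICY):
    """Return (verdict, origin): first matching rule wins, else first matching policy."""
    for row in parse_table(rules):
        action, src, dst = row[0], row[1], row[2]
        r_proto = row[3] if len(row) > 3 else "-"
        r_port = row[4] if len(row) > 4 else "-"
        if (endpoint_matches(src, src_zone, src_ip)
                and endpoint_matches(dst, dst_zone, dst_ip)
                and r_proto in ("-", proto)
                and port_matches(r_port, dport)):
            return action, "rule"
    for src, dst, verdict in (row[:3] for row in parse_table(policy)):
        if src in (src_zone, "all") and dst in (dst_zone, "all"):
            return verdict, "policy"
    return "REJECT", "default"  # a real Shorewall config always has a catch-all policy


if __name__ == "__main__":
    # The connection the post wants blocked: hits the DROP rule directly.
    print(evaluate("net", "193.171.155.10", "loc", "195.113.101.221", "tcp", 21))
    # Constructed sample: a different internet source falls through to policy.
    print(evaluate("net", "198.51.100.7", "loc", "195.113.101.221", "tcp", 21))
    # Constructed sample: LAN host out to the internet.
    print(evaluate("loc", "172.16.0.5", "net", "198.51.100.7", "tcp", 80))
```

Run against the quoted tables, the model returns DROP from the rule for 193.171.155.10 to 195.113.101.221 port 21, so the rule as written is not the problem in this simplified reading. Two things the model also makes visible: the rules and policy tables only decide new connections, so an FTP session that was already established when the firewall was restarted keeps flowing through connection tracking until it ends, and under first-match policy evaluation the wifio and road entries placed below the "all all REJECT" line are never reached.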
