Hi Jiří,

Jiří Červenka wrote:
> Hello,
> I'm running shorewall 3.0.2 on debian sarge box.
> I have w2k3 box on eth1 with both public and local ip address running
> FTP server.
> I have set proxy arp for this host.
> Now I try to drop ftp packets from one ip address in internet, but my
> setup does not work.
> My setup
> proxyarp
> #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
> 195.113.101.221 eth1 eth0 yes yes
>
> rules
> .
> DROP net:193.171.155.10 loc:195.113.101.221 tcp 21

What about changing this to loc:[local address] instead of
loc:[public address]? Does that help? Otherwise you could also consider
the blacklisting feature.

> policy:
> #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
> loc net ACCEPT
> loc wifio ACCEPT
> loc loc ACCEPT
> loc fw ACCEPT
> fw net ACCEPT
> fw wifio ACCEPT
> fw loc ACCEPT
> net all DROP
> all all REJECT
> wifio net ACCEPT
> wifio loc ACCEPT
> wifio fw ACCEPT
> road loc ACCEPT
> #LAST - ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

From the top of my head I thought that policies are matched in _order_.
If that's the case, this also might not do what you expect, no?

--
- Pieter

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
