Pieter Ennes wrote:
> Hi Jiří,
>
> Jiří Červenka wrote:
>
>> Hello,
>> I'm running shorewall 3.0.2 on debian sarge box.
>> I have w2k3 box on eth1 with both public and local ip address running
>> FTP server.
>> I have set proxy arp for this host.
>> Now I try to drop ftp packets from one ip address in internet, but my
>> setup does not work.
>> My setup
>> proxyarp
>> #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
>> 195.113.101.221 eth1 eth0 yes yes
>>
>> rules
>> .
>> DROP net:193.171.155.10 loc:195.113.101.221 tcp 21
>>
>
> What about changing this to loc:[local address] instead of loc:[public
> address]? Does that help?
>
> Otherwise you could also consider the blacklisting feature.
>
No, this does not help. The connections from net go directly to my FTP server public ip address to port 21.

>
>> policy:
>> #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
>> loc net ACCEPT
>> loc wifio ACCEPT
>> loc loc ACCEPT
>> loc fw ACCEPT
>> fw net ACCEPT
>> fw wifio ACCEPT
>> fw loc ACCEPT
>> net all DROP
>> all all REJECT
>> wifio net ACCEPT
>> wifio loc ACCEPT
>> wifio fw ACCEPT
>> road loc ACCEPT
>> #LAST - ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>>
>
> From the top of my head I thought that policies are matched in _order_.
> If that's the case, this also might not do what you expect, no?
>
I'm not sure what you mean, so I tried to move the net all drop policy to the top of the list, but this did not help either.
Jiri
