Pieter Ennes wrote:
> Hi,
>
> Jiří Červenka wrote:
>
>>> What about changing this to loc:[local address] in stead of loc:[public 
>>> address]? Does that help?
>>>
>>> Otherwise you could also consider the blacklisting feature.
>> No, this does not help. The connections from the net go directly to my FTP 
>> server's public IP address on port 21.
>
> What exactly doesn't help, replacing the IP address or using the blacklist?
Using the blacklist helped, replacing did not. But I want to be able to control 
this by the rules file.
>>>> policy:
>>>> #SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
>>>> loc             net             ACCEPT
>>>> loc             wifio           ACCEPT
>>>> loc             loc             ACCEPT
>>>> loc             fw              ACCEPT
>>>> fw              net             ACCEPT
>>>> fw              wifio           ACCEPT
>>>> fw              loc             ACCEPT
>>>> net             all             DROP
>>>> all             all             REJECT
>>>> wifio           net             ACCEPT
>>>> wifio           loc             ACCEPT
>>>> wifio           fw              ACCEPT
>>>> road            loc             ACCEPT
>>>> #LAST - ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>>>  From the top of my head I thought that policies are matched in _order_. 
>>> If that's the case, this also might not do what you expect, no?
>> I'm not sure what you mean, so I tried to move the net all DROP policy to 
>> the top of the list, but this won't help either.
>
> Well, in the comment in that file it says:
>
> "For each source/destination pair, the file is processed in order until 
> a match is found ("all" will match any client or server)."
>
> So i don't think your bottom policies will ever be reached because you 
> have put them behind an 'all all reject'.
Now I understand. Thanks.
Nevertheless, I'm still not sure why the DROP rule in the rules file did not work.
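
As an added example (not from the thread and not Shorewall's own code): a small Python helper that evaluates the quoted policy file with the first-match semantics Pieter describes, and lists which entries are shadowed by the earlier `all all REJECT` line. The policy text is the one posted above, reproduced here as a constructed sample.

```python
# Hypothetical helper, not part of Shorewall. POLICY is the file quoted in
# the thread, embedded here as a constructed sample input.
POLICY = """\
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
loc             net             ACCEPT
loc             wifio           ACCEPT
loc             loc             ACCEPT
loc             fw              ACCEPT
fw              net             ACCEPT
fw              wifio           ACCEPT
fw              loc             ACCEPT
net             all             DROP
all             all             REJECT
wifio           net             ACCEPT
wifio           loc             ACCEPT
wifio           fw              ACCEPT
road            loc             ACCEPT
#LAST - ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
"""


def parse_policy(text):
    """Return (source, dest, policy) tuples, skipping comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed policy line: %r" % line)
        entries.append((fields[0], fields[1], fields[2].upper()))
    return entries


def lookup(entries, source, dest):
    """First-match semantics: the first entry whose source and dest match
    (literally or via 'all') decides; entries after it are never consulted."""
    for index, (src, dst, action) in enumerate(entries):
        if src in (source, "all") and dst in (dest, "all"):
            return action, index
    return None, None


def shadowed(entries):
    """Indices of entries that can never match because an earlier line
    already covers their source/dest pair."""
    return [i for i, (s, d, _) in enumerate(entries)
            if lookup(entries, s, d)[1] != i]
```

Running `shadowed(parse_policy(POLICY))` reports the four entries after `all all REJECT`, which is why `wifio` and `road` traffic gets rejected rather than accepted.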


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users