Paul Gear wrote:
> Anna Jonna Armannsdottir wrote:
>> Hi folks!
>> I am learning how to use Shorewall and it has been a nice experience. My University has a range of IP numbers, under the same domain. They have been named hiis after the domain name. This is done in the hosts file. My problem is that I cannot avoid using the hosts configuration. My question is: Is it possible to achieve this without using the hosts configuration?
>> ...
>> #ZONE   HOST(S)                                                                            OPTIONS
>> hiis    eth2:130.208.67.0/24,130.208.68.0/22,130.208.72.0/21,130.208.96.0/19,130.208.128.0/18 \
>>                                                                                            tcpflags
>> any     eth2:0.0.0.0/0                                                                     tcpflags
>
> An alternative is to put those IP addresses in params like this:
>
>     HIIS=130.208.67.0/24,130.208.68.0/22,130.208.72.0/21,130.208.96.0/19,130.208.128.0/18
>
> and then add a rule that checks for it, e.g.:
>
>     ACCEPT  any:$HIIS  $FW  tcp  80
Another thing that you can consider is to combine the shell variable with an action:
/etc/shorewall/params:

    HIIS=130.208.67.0/24,130.208.68.0/22,130.208.72.0/21,130.208.96.0/19,130.208.128.0/18

/etc/shorewall/actions:

    hiis

/etc/shorewall/action.hiis:

    ACCEPT  $HIIS

/etc/shorewall/rules:

    hiis    all     $FW     tcp     80

The advantage of this approach is that only TCP connections to port 80 go through the 'hiis' action chain. If you do it as Paul suggests, ALL connection requests go through a series of 5 rules, each of which tests for tcp port 80 and a particular source network.
-Tom
--
Tom Eastep         \ Nothing is foolproof to a sufficiently talented fool
Shoreline,          \ http://shorewall.net
Washington USA      \ [EMAIL PROTECTED]
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
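The rule-count argument in Tom's reply can be made concrete with a small model of how netfilter walks the chains Shorewall generates from the two layouts. The block below is an added example, not code from the thread or from Shorewall; the chain names "any2fw" and "hiis" are assumed labels for the zone chain and the action chain, the Rule class is a simplification of a generated iptables rule (source, protocol, destination port, target), and the sample connection requests are constructed. It also runs the HIIS list through Python's ipaddress module to confirm the five networks neither overlap nor collapse into fewer prefixes, which is worth checking before a list like this goes into params.

```python
# Added example: model the two Shorewall rule layouts from the thread and count
# how many rules a connection request touches in each. Chain names "any2fw" and
# "hiis" are assumptions; the Rule class is a simplified generated iptables rule.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# HIIS exactly as written in /etc/shorewall/params in the thread.
HIIS = "130.208.67.0/24,130.208.68.0/22,130.208.72.0/21,130.208.96.0/19,130.208.128.0/18"
HIIS_NETS = [ipaddress.ip_network(n) for n in HIIS.split(",")]


def check_networks(nets):
    """Sanity-check a network list: report overlapping entries (each would
    become a redundant rule) and the shortest equivalent list of prefixes."""
    overlaps = [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]
    collapsed = list(ipaddress.collapse_addresses(nets))
    return overlaps, collapsed


@dataclass(frozen=True)
class Rule:
    """One generated rule: optional source-network match, optional protocol and
    destination-port match, and a target (a verdict or a chain to jump to)."""
    target: str
    src: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, src_ip, proto, dport):
        return ((self.src is None or src_ip in self.src)
                and (self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport == dport))


# Layout A (Paul): "ACCEPT any:$HIIS $FW tcp 80" expands to one rule per
# network, all of them sitting in the zone chain.
LAYOUT_A = {
    "any2fw": [Rule("ACCEPT", src=n, proto="tcp", dport=80) for n in HIIS_NETS],
}

# Layout B (Tom): "hiis all $FW tcp 80" puts a single tcp/80 rule in the zone
# chain that jumps to the action chain; the per-network tests live there.
LAYOUT_B = {
    "any2fw": [Rule("hiis", proto="tcp", dport=80)],
    "hiis": [Rule("ACCEPT", src=n) for n in HIIS_NETS],
}


def traverse(chains, chain, src_ip, proto, dport):
    """Walk `chain` the way netfilter does. Returns (verdict, rules_evaluated);
    verdict is None when the chain falls through to whatever follows it."""
    evaluated = 0
    for rule in chains[chain]:
        evaluated += 1
        if not rule.matches(src_ip, proto, dport):
            continue
        if rule.target in chains:  # jump into a user chain; return on fall-through
            verdict, sub = traverse(chains, rule.target, src_ip, proto, dport)
            evaluated += sub
            if verdict is not None:
                return verdict, evaluated
        else:
            return rule.target, evaluated
    return None, evaluated


def compare(src, proto, dport):
    """Evaluate one connection request under both layouts: (Paul, Tom)."""
    ip = ipaddress.ip_address(src)
    return (traverse(LAYOUT_A, "any2fw", ip, proto, dport),
            traverse(LAYOUT_B, "any2fw", ip, proto, dport))


if __name__ == "__main__":
    overlaps, collapsed = check_networks(HIIS_NETS)
    print("overlapping entries:", overlaps, "| collapsed:", collapsed)
    # Constructed sample connection requests (not from the thread).
    for pkt in [("130.208.130.5", "tcp", 80), ("130.208.130.5", "udp", 53),
                ("130.208.67.9", "tcp", 80), ("10.1.2.3", "tcp", 80)]:
        a, b = compare(*pkt)
        print(pkt, "Paul:", a, "Tom:", b)
```

A UDP/53 request from a HIIS address touches five rules under Paul's layout and one under Tom's, which is the difference Tom describes; a tcp/80 request pays one extra rule for the jump. The model deliberately ignores the inbound interface: Anna's hosts entry ties the hiis zone to eth2, whereas both rule-based alternatives match on source address alone within whatever zones the rule names (`any` in Paul's rule, `all` in Tom's), so check that the zones named are the only ones a HIIS source address should be trusted from.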
_______________________________________________
Shorewall-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
