Tom Eastep wrote:

> I am forwarding this post to the Shorewall Users mailing list. The email
> address '[EMAIL PROTECTED]' is reserved for sending large or
> confidential attachments to the Shorewall support team.
>
> See http://www.shorewall.net/support.htm
>
> -Tom
>
> -------- Original Message --------
> Subject: Question
> Date: Mon, 20 Oct 2008 11:30:04 +0000
> From: Raul <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
>
> Good morning,
> I'm trying to configure the Shorewall firewall on my laptop to reject all
> connections to the site http://www.marca.com. My laptop is in the local
>
> #ACTION   SOURCE                                   DESTINATION   PROTO   DEST PORT(S)
> #REJECT   fw                                       net:194.224.66.0/24   tcp   80
> #ACTION   SOURCE                                   DESTINATION   PROTO
> REJECT    net:eth0:194.224.66.0-194.224.66.255     fw
>
> With this configuration I think it should work fine but it doesn't. Where
> is the problem?

As you are discovering, a packet filter like Shorewall is a very poor tool for restricting web access. See here:

ursa:/home/teastep/shorewallBuild/4.2 # dig www.marca.com

; <<>> DiG 9.4.2-P1 <<>> www.marca.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6039
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 9, ADDITIONAL: 0

;; QUESTION SECTION:
;www.marca.com.                 IN      A

;; ANSWER SECTION:
www.marca.com.                 86400   IN      CNAME   www.marca.com.edgesuite.net.
www.marca.com.edgesuite.net.   21600   IN      CNAME   a751.g.akamai.net.
a751.g.akamai.net.             20      IN      A       72.246.51.56
a751.g.akamai.net.             20      IN      A       72.246.51.104

Neither of those addresses are in the range you are blocking. Also, look at the TTL on those entries -- 20 seconds! So in 20 seconds, you get a totally different answer:

ursa:/home/teastep/shorewallBuild/4.2 # dig www.marca.com

; <<>> DiG 9.4.2-P1 <<>> www.marca.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3332
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 9, ADDITIONAL: 0

;; QUESTION SECTION:
;www.marca.com.                 IN      A

;; ANSWER SECTION:
www.marca.com.                 86012   IN      CNAME   www.marca.com.edgesuite.net.
www.marca.com.edgesuite.net.   21212   IN      CNAME   a751.g.akamai.net.
a751.g.akamai.net.             20      IN      A       204.203.18.163
a751.g.akamai.net.             20      IN      A       204.203.18.138

Those addresses aren't in the range you are blocking either!

I would configure squid as a proxy on your laptop and use its ACL capability to block this access. That is the correct approach.

-Tom
-- 
Tom Eastep          \ The ultimate result of shielding men from the
Shoreline,           \ effects of folly is to fill the world with fools.
Washington, USA      \ -Herbert Spencer
http://shorewall.net  \________________________________________________
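The check Tom performs by hand above (resolve the site, follow the CNAME chain, compare the A records against the REJECT rule's range, and notice the 20-second TTL) can be scripted so a rule is verified before anyone relies on it. The following is an added example, not code from the thread or from the Shorewall project. It embeds the two ANSWER SECTION listings quoted in Tom's reply as constructed input so it runs offline; the 300-second TTL warning threshold and the function names are my own choices.

```python
import ipaddress
import re

# The range named in Raul's REJECT rule.
BLOCKED_RANGE = "194.224.66.0/24"

# Constructed input: the ANSWER SECTION lines from the two dig runs quoted
# in the thread (first run, then the run 20 seconds later).
DIG_ANSWERS = [
    """www.marca.com. 86400 IN CNAME www.marca.com.edgesuite.net.
www.marca.com.edgesuite.net. 21600 IN CNAME a751.g.akamai.net.
a751.g.akamai.net. 20 IN A 72.246.51.56
a751.g.akamai.net. 20 IN A 72.246.51.104""",
    """www.marca.com. 86012 IN CNAME www.marca.com.edgesuite.net.
www.marca.com.edgesuite.net. 21212 IN CNAME a751.g.akamai.net.
a751.g.akamai.net. 20 IN A 204.203.18.163
a751.g.akamai.net. 20 IN A 204.203.18.138""",
]

# owner  ttl  IN  type  rdata  (only A and CNAME records are of interest here)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|CNAME)\s+(\S+)$")


def parse_answer_section(text):
    """Parse dig ANSWER SECTION lines into (owner, ttl, rtype, rdata) tuples."""
    records = []
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append((owner, int(ttl), rtype, rdata))
    return records


def resolve_a_records(records, name):
    """Follow the CNAME chain from `name` and return [(address, ttl), ...]
    for the A records it finally lands on. Stops on a CNAME loop."""
    by_owner = {}
    for owner, ttl, rtype, rdata in records:
        by_owner.setdefault(owner, []).append((ttl, rtype, rdata))
    seen = set()
    current = name if name.endswith(".") else name + "."
    while current not in seen:
        seen.add(current)
        rrs = by_owner.get(current, [])
        a_recs = [(rdata, ttl) for ttl, rtype, rdata in rrs if rtype == "A"]
        if a_recs:
            return a_recs
        cnames = [rdata for _, rtype, rdata in rrs if rtype == "CNAME"]
        if not cnames:
            break
        current = cnames[0]
    return []


def check_rule_coverage(records, name, blocked_cidr, ttl_warn=300):
    """Report which of the site's current addresses the rule's range covers,
    and flag answers whose TTL is short enough that they will change soon."""
    net = ipaddress.ip_network(blocked_cidr)
    result = {"covered": [], "uncovered": [], "short_ttl": False}
    for addr, ttl in resolve_a_records(records, name):
        ip = ipaddress.ip_address(addr)
        (result["covered"] if ip in net else result["uncovered"]).append(addr)
        if ttl < ttl_warn:
            result["short_ttl"] = True
    return result


def addresses_across_runs(answer_texts, name):
    """Distinct A-record addresses seen over several dig runs: a growing set
    is the sign that an address-based rule cannot keep up."""
    addrs = set()
    for text in answer_texts:
        addrs.update(a for a, _ in resolve_a_records(parse_answer_section(text), name))
    return sorted(addrs)


if __name__ == "__main__":
    for i, text in enumerate(DIG_ANSWERS, 1):
        r = check_rule_coverage(parse_answer_section(text), "www.marca.com", BLOCKED_RANGE)
        print(f"run {i}: covered={r['covered']} uncovered={r['uncovered']} "
              f"short_ttl={r['short_ttl']}")
    print("distinct addresses over both runs:",
          addresses_across_runs(DIG_ANSWERS, "www.marca.com"))
```

Run against the quoted answers, both runs report no covered addresses, two uncovered ones each, and a short TTL, which is exactly the mismatch Tom points out; an address-based REJECT only makes sense when this check shows every resolved address inside the range and a TTL long enough that the answer will not have moved by the time the rule is loaded.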
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
