On 9/5/10 11:22 AM, Mr Dash Four wrote:
>
>> The shorewall-blacklist man page also makes this point.
>>
> It says on the man page that the to/from option "indicates whether
> traffic to or from the ADDRESS/SUBNET should be blacklisted" - that, to
> me, clearly says that bidirectional traffic on my interface should be
> blacklisted, right? In my simple scenario I only have one interface, and
> it has the blacklist option set in it, so presumably traffic TO
> blacklisted addresses (originating from my machine) as well as coming
> FROM blacklisted addresses (and addressed to my machine) should both be
> blacklisted, right? If so, should I expect to see a reference to
> 'blacklst' in my fw2net chain?
You can't just read what you want to read and ignore the rest. The man page goes on to say:

    Note: Blacklisting is still restricted to traffic arriving on an
    interface that has the 'blacklist' option set. So to block traffic
    from your local network to an internet host, you must specify
    blacklist on your internal interface in shorewall-interfaces[1] (5).

You should not expect to see a reference to 'blacklist' in your fw2net chain since such traffic could not possibly have arrived on an interface that has the 'blacklist' option set.

-Tom
-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
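As an added illustration of the point Tom makes (example code written for this page, not from the thread or from Shorewall itself), the snippet below parses a constructed `iptables-save` excerpt and reports which zone-pair chains actually jump to the `blacklst` chain. The chain names net2fw, fw2net and blacklst come from the discussion; the loc2net chain, the interface names and the addresses are assumptions made for the example. On a host where only the net interface carries the blacklist option, only net2fw consults the blacklist; fw2net never does, and loc2net will not until the internal interface gets the option as well.

```python
import re

# Constructed `iptables-save` excerpt (not taken from the thread): a Shorewall
# host with eth0 in the net zone carrying the blacklist option and eth1 in the
# loc zone without it. Chain names follow the page (net2fw, fw2net, blacklst);
# the loc2net chain and all addresses are assumptions made for this example.
SAMPLE_IPTABLES_SAVE = """\
*filter
:blacklst - [0:0]
:fw2net - [0:0]
:loc2net - [0:0]
:net2fw - [0:0]
-A INPUT -i eth0 -j net2fw
-A FORWARD -i eth1 -o eth0 -j loc2net
-A OUTPUT -o eth0 -j fw2net
-A blacklst -s 203.0.113.0/24 -j DROP
-A net2fw -j blacklst
-A net2fw -p tcp -m tcp --dport 22 -j ACCEPT
-A loc2net -j ACCEPT
-A fw2net -j ACCEPT
COMMIT
"""

# One iptables-save rule line: "-A <chain> [matches] -j <target>"
RULE_RE = re.compile(r"^-A (\S+)(?: .*)? -j (\S+)\s*$")


def chains_jumping_to(dump, target="blacklst"):
    """Return the sorted chains in `dump` that contain a jump to `target`."""
    refs = set()
    for line in dump.splitlines():
        m = RULE_RE.match(line)
        if m and m.group(2) == target:
            refs.add(m.group(1))
    return sorted(refs)


def blacklist_coverage(dump, chains=("net2fw", "fw2net", "loc2net")):
    """Map each zone-pair chain to whether it consults the blacklist.

    Only chains fed by traffic arriving on an interface that has the blacklist
    option get a jump to blacklst: fw2net (traffic the firewall itself sends)
    never does, and loc2net only once eth1 also carries the option.
    """
    covered = set(chains_jumping_to(dump))
    return {chain: chain in covered for chain in chains}
```

Run the same functions over the real `iptables-save` output of your own firewall to confirm which chains are protected before trusting a blacklist entry to block outbound traffic.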
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
