On Sun, 12 Jan 2014, Tom Eastep wrote:

>> Rules ARE active.
>>
>> They are simply:
>>
>> DNS(ACCEPT)     dmz:192.168.110.0/24    all
>> #DNS(ACCEPT)    dmz                     all
>> #ACCEPT         dmz:192.168.110.0/24    all                             udp     53,953
>> #LOG:6          dmz:192.168.110.0/24    net:!8.8.8.8,208.67.222.222     udp
>> DROP            dmz:192.168.110.0/24    net:!8.8.8.8,208.67.222.222     udp
>>
>> The commented lines are some attempts (that don't change the result).
>>
>>> Also, please add logging to your DROP rule(s).
>>
>> If you tell me what syntax you want, I will do it.
>>
>> In the meantime, this is another dump (after a restart of Shorewall):
>>
>> http://apf.it/140112sh-dump.gz
>>
>> Thanks, P.
>>
>> P.S.: my conf isn't clean, because this is a proxmox host with some VMs in
>> several different DMZ segments that have evolved over many years, but all is
>> fine (for my needs; it could probably be done better), except for this UDP
>> thing, which does not work as expected for the VMs involved (both OpenVZ and KVM).
>>
>
> I don't see the DNS(ACCEPT) rule in the dump at all.
>
> - What are the contents of /usr/share/shorewall/macro.DNS on your system?

# cat /usr/share/shorewall/macro.DNS
#
# Shorewall version 4 - DNS Macro
#
# /usr/share/shorewall/macro.DNS
#
#       This macro handles DNS traffic.
#
###############################################################################
#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
#                               PORT(S) PORT(S) LIMIT   GROUP
PARAM   -       -       udp     53
PARAM   -       -       tcp     53

> - What is the line immediately before that rule in /etc/shorewall/rules?

Empty:

------------------------------------------
#
DNS(ACCEPT)     dmz:192.168.110.0/24    all
#DNS(ACCEPT)    dmz                     all
------------------------------------------

> - Do you have a file named macro.DNS in /etc/shorewall/?

No.

And, as I previously specified, if I replace the rule DNS(ACCEPT) with a rule like:

ACCEPT          dmz:192.168.110.0/24    all     udp     53,953

or (just for ...):

ACCEPT          dmz:192.168.110.0/24    all     tcp     53,953
ACCEPT          dmz:192.168.110.0/24    all     udp     53,953

which I think is the same as the macro, nothing changes.

It isn't really a problem for me, but I am interested to understand why these
rules don't work as expected.

My best solution (which I suppose, and it seems, does what I want: block all UDP
traffic except DNS) is this single-line rule:

DROP            dmz:192.168.110.0/24    net     udp     !53

but I am still curious to know why the previous couple of rules don't work :-)

Regards, P.

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
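Added example, not code from the thread or from Shorewall itself: a small Python model of how Shorewall inlines the rows of macro.DNS at the point of the DNS(ACCEPT) invocation (PARAM replaced by the action, "-" columns inherited from the invoking rule) and then evaluates sample packets first-match against the resulting rule list, so the rule sets quoted above can be checked against the outcome the poster expects. It assumes first-match semantics with a DROP dmz-to-net policy; the packet tuple, the matcher functions and the sample traffic are constructed for the example.

```python
import ipaddress
import re
# Constructed copy of the two non-comment rows of the macro.DNS quoted above.
MACRO_DNS = "PARAM - - udp 53\nPARAM - - tcp 53\n"

def expand_macro(invocation, macro_text):
    """Inline macro rows at the invocation, e.g. 'DNS(ACCEPT) dmz:... all'."""
    _, action, src, dst = re.match(r"(\w+)\((\w+)\)\s+(\S+)\s+(\S+)", invocation).groups()
    rules = []
    for line in macro_text.splitlines():
        fields = (line.split("#", 1)[0].split() + ["-"] * 5)[:5]
        if fields[0] == "-":
            continue  # blank or comment-only row
        act, msrc, mdst, proto, ports = fields
        rules.append((act.replace("PARAM", action),
                      src if msrc == "-" else msrc,
                      dst if mdst == "-" else mdst, proto, ports))
    return rules

def _match_hosts(spec, zone, ip):
    """zone[:[!]addr,...]; 'all' matches any zone, '!' excludes the listed hosts."""
    zspec, _, addrs = spec.partition(":")
    if zspec not in ("all", zone):
        return False
    if not addrs:
        return True
    neg = addrs.startswith("!")
    nets = [ipaddress.ip_network(a) for a in addrs.lstrip("!").split(",")]
    return any(ipaddress.ip_address(ip) in n for n in nets) != neg

def _match_ports(spec, port):
    if spec == "-":
        return True
    return (port in {int(p) for p in spec.lstrip("!").split(",")}) != spec.startswith("!")

def first_match(rules, pkt, policy="DROP"):
    """pkt = (src_zone, src_ip, dst_zone, dst_ip, proto, dport); first rule wins."""
    szone, sip, dzone, dip, proto, dport = pkt
    for act, src, dst, rproto, ports in rules:
        if rproto in ("-", proto) and _match_hosts(src, szone, sip) \
                and _match_hosts(dst, dzone, dip) and _match_ports(ports, dport):
            return act
    return policy  # assumption: the dmz->net policy is DROP

def thread_ruleset():
    """The two active rules from the thread, with the macro expanded."""
    rules = expand_macro("DNS(ACCEPT) dmz:192.168.110.0/24 all", MACRO_DNS)
    rules.append(("DROP", "dmz:192.168.110.0/24", "net:!8.8.8.8,208.67.222.222", "udp", "-"))
    return rules
```

Under this model the macro pair plus the DROP line and the single `udp !53` line give the same answer for DNS and non-DNS UDP from the DMZ subnet; note that non-DNS UDP to the two excluded resolvers matches neither rule and falls through to the zone policy.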
