On 1/12/2014 9:04 AM, Paolo Andretta wrote:
> On Sun, 12 Jan 2014, Tom Eastep wrote:
>
>>> Rules ARE active.
>>>
>>> They are simply:
>>>
>>> DNS(ACCEPT) dmz:192.168.110.0/24 all
>>> #DNS(ACCEPT) dmz all
>>> #ACCEPT dmz:192.168.110.0/24 all udp 53,953
>>> #LOG:6 dmz:192.168.110.0/24 net:!8.8.8.8,208.67.222.222 udp
>>> DROP dmz:192.168.110.0/24 net:!8.8.8.8,208.67.222.222 udp
>>>
>>> The commented lines are some attempts (that don't change the result).
>>>
>>>> Also, please add logging to your DROP rule(s).
>>>
>>> If you tell me what syntax you want, I'll do it.
>>>
>>> In the meantime, this is another dump (after a restart of Shorewall):
>>>
>>> http://apf.it/140112sh-dump.gz
>>>
>>> Thanks, P.
>>>
>>> P.S.: my conf isn't clean, because this is a Proxmox host with some VMs in
>>> several different DMZ segments that evolved over many years, but all is fine
>>> (for my needs; it could probably be done better), except for this UDP thing
>>> that doesn't work as expected for the VMs involved (both OpenVZ and KVM).
>>>
>>
>> I don't see the DNS(ACCEPT) rule in the dump at all.
>>
>> - What are the contents of /usr/share/shorewall/macro.DNS on your system?
>
> # cat /usr/share/shorewall/macro.DNS
> #
> # Shorewall version 4 - DNS Macro
> #
> # /usr/share/shorewall/macro.DNS
> #
> # This macro handles DNS traffic.
> #
> ###############################################################################
> #ACTION   SOURCE   DEST   PROTO   DEST      SOURCE    RATE    USER/
> #                                 PORT(S)   PORT(S)   LIMIT   GROUP
> PARAM     -        -      udp     53
> PARAM     -        -      tcp     53
>
>
>> - What is the line immediately before that rule in /etc/shorewall/rules?
>
> Empty:
>
> ------------------------------------------
> #
>
> DNS(ACCEPT) dmz:192.168.110.0/24 all
>
> #DNS(ACCEPT) dmz all
> ------------------------------------------
>
>
>> - Do you have a file named macro.DNS in /etc/shorewall/?
>
> No.
>
>
> And, as I previously specified, if I replace the DNS(ACCEPT) rule with a
> rule like:
>
> ACCEPT dmz:192.168.110.0/24 all udp 53,953
>
> or (just for ...):
>
> ACCEPT dmz:192.168.110.0/24 all tcp 53,953
> ACCEPT dmz:192.168.110.0/24 all udp 53,953
>
> which I think is the same as the macro, nothing changes.
>
> It isn't really a problem for me, but I am interested in understanding why
> these rules don't work as expected.
>
>
> My best solution (which I suppose (and it seems) does what I want (block
> all UDP traffic except DNS)) is this single-line rule:
>
> DROP dmz:192.168.110.0/24 net udp !53
>
> but I am still curious to know why the previous pair of rules doesn't
> work :-)
Please run 'shorewall -vvv check > check' and send me the 'check' file.

Thanks,
-Tom
--
Tom Eastep          \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA       \ all of the passengers in his car
http://shorewall.net   \________________________________________________
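An added example, not code from the thread or from Shorewall: a small first-match model of the two rule sets Paolo compared. Shorewall evaluates the rules file in order, the first matching rule decides, and a packet matching no rule falls through to the policy for that zone pair. The DNS macro body is the one quoted above (PARAM - - udp 53 / PARAM - - tcp 53, with '-' meaning "take from the invoking rule"). Only the columns the thread uses are modelled (ACTION, SOURCE, DEST, PROTO, DEST PORT(S), including the '!' exclusions); the Packet class, the dmz→net policy and the sample addresses (192.168.110.5, 192.168.120.5, 198.51.100.53) are constructed for the demonstration. It assumes the DNS(ACCEPT) rule actually compiled, which Tom's dump says it did not; the model shows what the rules would do once they are in the ruleset.

```python
"""
First-match model of the Shorewall rules from this thread (added example,
not Shorewall's own code). Modelled columns: ACTION, SOURCE (zone, zone:net,
zone:!net,net or 'all'), DEST (same), PROTO and DEST PORT(S) (list, lo:hi
range, or !list). Interfaces, rate limits, state and the fw zone are out of scope.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:            # constructed for the example
    src_zone: str
    src: str
    dst_zone: str
    dst: str
    proto: str
    dport: int


# Body of /usr/share/shorewall/macro.DNS as quoted in the thread. '-' in
# SOURCE/DEST means "use the invoking rule's value"; PARAM becomes the
# action given in parentheses, e.g. DNS(ACCEPT) -> ACCEPT.
MACROS = {"DNS": [("udp", "53"), ("tcp", "53")]}


def match_host(spec, zone, addr):
    """Match a SOURCE/DEST column: 'all', 'zone', 'zone:net[,net]' or 'zone:!net[,net]'."""
    if spec == "all":
        return True
    z, _, hosts = spec.partition(":")
    if z != zone:
        return False
    if not hosts:
        return True
    negate = hosts.startswith("!")
    nets = [ipaddress.ip_network(h, strict=False) for h in hosts.lstrip("!").split(",")]
    hit = any(ipaddress.ip_address(addr) in n for n in nets)
    return hit != negate


def match_port(spec, port):
    """Match a DEST PORT(S) column: '-', '53', '53,953', '1024:65535' or '!53'."""
    if spec == "-":
        return True
    negate = spec.startswith("!")
    hit = False
    for item in spec.lstrip("!").split(","):
        lo, _, hi = item.partition(":")
        if int(lo) <= port <= int(hi or lo):
            hit = True
    return hit != negate


def expand(rules_text):
    """Turn rules-file text into (action, src, dst, proto, dport) tuples, expanding macros."""
    out = []
    for line in rules_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments and blank lines
        if not fields:
            continue
        fields += ["-"] * (5 - len(fields))      # missing PROTO/DPORT mean "any"
        action, src, dst, proto, dport = fields[:5]
        if "(" in action:                        # macro invocation, e.g. DNS(ACCEPT)
            name, param = action.rstrip(")").split("(")
            out += [(param, src, dst, mp, mport) for mp, mport in MACROS[name]]
        else:
            out.append((action, src, dst, proto, dport))
    return out


def evaluate(rules, pkt, policy):
    """First matching rule wins; a packet matching nothing gets the zone-pair policy."""
    for action, src, dst, proto, dport in rules:
        if (match_host(src, pkt.src_zone, pkt.src)
                and match_host(dst, pkt.dst_zone, pkt.dst)
                and proto in ("-", pkt.proto)
                and match_port(dport, pkt.dport)):
            return action
    return policy


# The two rule sets compared in the thread.
TWO_RULES = expand("""
DNS(ACCEPT) dmz:192.168.110.0/24 all
DROP        dmz:192.168.110.0/24 net:!8.8.8.8,208.67.222.222 udp
""")
ONE_RULE = expand("DROP dmz:192.168.110.0/24 net udp !53")


def compare(policy="ACCEPT"):
    """Disposition of constructed sample packets under both sets: {name: (two_rules, one_rule)}."""
    dmz = "192.168.110.5"        # constructed DMZ host
    other = "198.51.100.53"      # constructed resolver in the net zone (TEST-NET-2)
    samples = {
        "udp 53 to 8.8.8.8":      Packet("dmz", dmz, "net", "8.8.8.8", "udp", 53),
        "udp 53 to other":        Packet("dmz", dmz, "net", other, "udp", 53),
        "udp 123 to other":       Packet("dmz", dmz, "net", other, "udp", 123),
        "udp 123 to 8.8.8.8":     Packet("dmz", dmz, "net", "8.8.8.8", "udp", 123),
        "tcp 53 to other":        Packet("dmz", dmz, "net", other, "tcp", 53),
        "udp 123 from other dmz": Packet("dmz", "192.168.120.5", "net", other, "udp", 123),
    }
    return {name: (evaluate(TWO_RULES, p, policy), evaluate(ONE_RULE, p, policy))
            for name, p in samples.items()}


if __name__ == "__main__":
    for policy in ("ACCEPT", "DROP"):
        print(f"dmz->net policy {policy}:")
        for name, (two, one) in compare(policy).items():
            print(f"  {name:24} two-rule={two:7} one-rule={one}")
```

The run makes the difference between the two sets concrete: the pair ACCEPTs any UDP to 8.8.8.8 and 208.67.222.222 (they are excluded from the DROP, not restricted to port 53) and ACCEPTs TCP/53 whatever the policy, while the single `udp !53` rule drops UDP/123 to 8.8.8.8 and only lets UDP/53 through by falling to the dmz→net policy, so it stops working as "allow DNS" if that policy is DROP or REJECT. Whether the rules are in the live ruleset at all is a separate question, which is what the requested `shorewall check` output answers.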
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
