I think I found part of the solution.

In /etc/shorewall/rules:
     IPTABLES(DROP) wan1 $FW udp 53 ; -m string --algo bm --hex-string "|01000001|"
does not work. But
     iptables -I INPUT 1 -p udp --dport 53 -m string --algo bm --hex-string "|01000001|" -j DROP
works.

I assume the place of the rule in the iptables rule set is important. In 
the last case it is part of the chain INPUT and in the first case it is 
part of the chain wan1-fw (of course this is specific for this server).

I would like to get it working in shorewall. Easier to maintain and 
easier to make an exception for the internal systems. Is there a way to 
get the rule on the correct position or chain?

Tom Eastep wrote on 8-7-2014 19:27:
> On 7/8/2014 9:45 AM, Ruud Baart wrote:
>> I have seen it and I already tried it based on your previous mail. I
>> updated shorewall to the latest version and added the rule:
>>
>>      IPTABLES(DROP) wan1 $FW  udp 53 ; -m string --hex-string "|0000FF0001|"  --algo bm
>>
>> It doesn't work the way I hoped: iptables -nvL shows 0 packets. After
>> your answer I changed the rule to:
>>      IPTABLES(DROP) wan1 $FW udp 53 ; -m string --from 50 --algo bm --hex-string "|0000FF0001|"
>>
>> Still no success. But perhaps any suggestions to improve this rule?
> No, I don't.
>
> -Tom

-- 

Regards,

Ruud Baart


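Added example, not code from the thread or from Shorewall: a small Python script that builds a constructed DNS query in RFC 1035 wire format and reports where the two hex patterns from this thread fall when counted from the start of the IPv4 packet, which is what the iptables string match's --from offset counts. It assumes an IPv4 header without options and a UDP header (28 bytes before the DNS payload); "0000FF0001" is the end-of-QNAME byte followed by QTYPE ANY (255) and QCLASS IN (1), and "01000001" is the flags word 0x0100 followed by QDCOUNT 1 in the DNS header.

```python
import struct

# Constructed example: minimal DNS query (RFC 1035 wire format) used to
# see where the byte patterns from the thread land inside a packet.
IPV4_UDP_HDR_LEN = 20 + 8  # IPv4 header (no options) + UDP header, assumed
QTYPE_ANY, QTYPE_A, QCLASS_IN = 255, 1, 1


def encode_qname(name):
    # "example.com" -> b"\x07example\x03com\x00"
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234):
    # Header: ID, flags 0x0100 (standard query, RD), QDCOUNT=1, AN/NS/AR=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, QCLASS_IN)


def pattern_offset(udp_payload, hex_pattern):
    """Offset of the pattern counted from the start of the IPv4 packet
    (the way --from counts), or None if the pattern is absent."""
    i = udp_payload.find(bytes.fromhex(hex_pattern))
    return None if i < 0 else IPV4_UDP_HDR_LEN + i


def would_match(udp_payload, hex_pattern, from_offset=0):
    """Would '-m string --hex-string |pattern| --from N' see this query?
    Only occurrences starting at or after the --from offset count."""
    start = max(0, from_offset - IPV4_UDP_HDR_LEN)
    return udp_payload.find(bytes.fromhex(hex_pattern), start) >= 0


if __name__ == "__main__":
    for name in ("example.com", "a.nl"):
        q = build_query(name, QTYPE_ANY)
        print(name, "ANY pattern at", pattern_offset(q, "0000FF0001"),
              "matched with --from 50:", would_match(q, "0000FF0001", 50))
```

The ANY pattern moves with the QNAME length, so a fixed --from 50 catches a query for example.com (offset 52) but not one for a.nl (offset 45); the header pattern always sits at offset 30 for this packet layout.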
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users