I use IPSETs in SW for mass access blocking. The block's in /conntrack
/conntrack
?FORMAT 3
NOTRACK +IPBLACKLIST_IP -
NOTRACK +IPBLACKLIST_NET -
DROP:P +IPPESTS_IP -
DROP:P +IPPESTS_NET -
...
Those blacklists are populated by external feeds. I do not edit/modify
individual elements; simply retrieve the data and load the IPSETs.
It works as expected.
I want to punch a specific hole for accessing web content, from my LAN, @ a
specific IP range that's been blanket-included in the above blacklist.
I create hash:ip & hash:ip IPSETs containing the ip range to be whitelisted,
and allow the traffic in /rules
/rules
...
ACCEPT $FW net:+IPWHITELIST_IP,+IPWHITELIST_NET tcp
ACCEPT lan net:+IPWHITELIST_IP,+IPWHITELIST_NET tcp
...
This does NOT open the access; it remains blocked.
I suspect it's because the DROP:P is in pre-routing chain, and I'm not
ACCEPTing early enough.
Given the global block in /conntrack should stay as is, what's the right way to
punch specific, whitelisted holes in the blacklists?
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
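An added example, not part of the original post or of Shorewall itself: a small Python model of the packet path the post describes, with constructed set contents and addresses. It assumes the usual Shorewall layout, where /conntrack entries land in the raw table (DROP:P in PREROUTING, which only locally forwarded traffic such as the LAN's traverses) and /rules entries land in the filter table, so a raw DROP is decided before any ACCEPT from /rules is consulted.

```python
# Model of the post's configuration (example code, not Shorewall's own).
# Assumption: /conntrack rules run in the raw table before the filter table
# that /rules populates, and DROP:P applies to PREROUTING only, so packets
# generated by the firewall itself ($FW) do not pass through it.
import ipaddress

# Constructed ipset contents; set names are the ones used in the post.
IPSETS = {
    "IPBLACKLIST_IP":  {"198.51.100.7"},
    "IPBLACKLIST_NET": {"203.0.113.0/24"},
    "IPPESTS_IP":      {"198.51.100.9"},
    "IPPESTS_NET":     {"192.0.2.0/24"},    # the blanket block
    "IPWHITELIST_IP":  {"192.0.2.80"},      # host inside the blanket block
    "IPWHITELIST_NET": set(),
}

def in_set(addr, name):
    """hash:ip / hash:net membership test for one address."""
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(e, strict=False) for e in IPSETS[name])

# /conntrack as in the post: (action, destination set).  Only DROP:P drops;
# NOTRACK merely exempts the flow from connection tracking.
CONNTRACK = [("NOTRACK", "IPBLACKLIST_IP"), ("NOTRACK", "IPBLACKLIST_NET"),
             ("DROP:P", "IPPESTS_IP"), ("DROP:P", "IPPESTS_NET")]

# /rules as in the post: (action, source zone, destination sets, proto).
RULES = [("ACCEPT", "$FW", ["IPWHITELIST_IP", "IPWHITELIST_NET"], "tcp"),
         ("ACCEPT", "lan", ["IPWHITELIST_IP", "IPWHITELIST_NET"], "tcp")]

def verdict(src_zone, dst, proto="tcp"):
    """Stage 1: raw PREROUTING (/conntrack); stage 2: filter (/rules)."""
    if src_zone != "$FW":                       # $FW traffic skips PREROUTING
        for action, dset in CONNTRACK:
            if action.startswith("DROP") and in_set(dst, dset):
                return "DROP", "conntrack:" + dset   # /rules never consulted
    for action, zone, dsets, p in RULES:
        if zone == src_zone and p == proto and any(in_set(dst, s) for s in dsets):
            return action, "rules:" + ",".join(dsets)
    return "POLICY", "no explicit match"

if __name__ == "__main__":
    print(verdict("lan", "192.0.2.80"))     # DROP from /conntrack despite the whitelist
    print(verdict("$FW", "192.0.2.80"))     # ACCEPT: firewall's own traffic misses DROP:P
    print(verdict("lan", "198.51.100.7"))   # NOTRACK only, falls through to policy
```

Running it reproduces the symptom in the post: the LAN host is dropped by the IPPESTS_NET entry before either ACCEPT line in /rules is reached.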