Thank you

________________________________
From: Tom Eastep <teas...@shorewall.net>
Sent: 12 December 2016 16:55:31
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Multiple ipsets

On 12/12/2016 03:59 AM, Dik .... wrote:
> shorewall version 4.5.5.3
>
> I am trying to use some ipsets to protect a specific service. When
> using a single ipset containing my own ip it works as expected with
> following in /etc/shorewall/rules :
>
> DNAT    net:!+myip     dmz:10.0.0.101  tcp   443   -   xxx.xxx.xxx.xxx
>
> The documentation says that I can add multiple ipsets with !+[...].
> When I create a second ipset and add it as described I am no longer
> prevented from accessing the service from my own ip :
>
> DNAT    net:!+[ipset,myip]     dmz:10.0.0.101  tcp   443   -   xxx.xxx.xxx.xxx
>
> I presume that this means that neither ipset is working.
>

What you have above excludes only source addresses that are in *BOTH*
ipsets. You wanted this instead:

DNAT    net:!+ipset,+myip       dmz:...

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
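
The difference between the two source forms in the reply above, modelled as an added example (not Shorewall's code and not part of the original message). The set contents and addresses are constructed, and `source_matches` is a hypothetical helper that handles only the three exclusion forms shown in this thread.

```python
import ipaddress

# Constructed ipset contents (documentation address ranges).
IPSETS = {
    "myip": ["198.51.100.7"],       # the admin's own address
    "ipset": ["203.0.113.0/24"],    # a second set of addresses to exclude
}

def in_set(addr, members):
    """True if addr falls inside any entry of a constructed ipset."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(m) for m in members)

def source_matches(spec, addr, ipsets):
    """Model whether a rule's SOURCE column matches addr.

    Forms handled (those in the thread):
      net:!+a       exclude members of a
      net:!+[a,b]   exclude only addresses that are in a AND in b
      net:!+a,+b    exclude addresses that are in a OR in b
    """
    _zone, _, match = spec.partition(":")
    if not match.startswith("!+"):
        raise ValueError("only the exclusion forms are modelled")
    body = match[1:]                                  # drop the leading '!'
    if body.startswith("+[") and body.endswith("]"):
        names = body[2:-1].split(",")
        excluded = all(in_set(addr, ipsets[n]) for n in names)
    else:
        names = [item.lstrip("+") for item in body.split(",")]
        excluded = any(in_set(addr, ipsets[n]) for n in names)
    return not excluded

def compare(addrs, ipsets=IPSETS):
    """Per address: (DNAT applies with !+[ipset,myip], with !+ipset,+myip)."""
    return {
        a: (source_matches("net:!+[ipset,myip]", a, ipsets),
            source_matches("net:!+ipset,+myip", a, ipsets))
        for a in addrs
    }

if __name__ == "__main__":
    for addr, (both, either) in compare(
            ["198.51.100.7", "203.0.113.9", "192.0.2.50"]).items():
        print(f"{addr:15} !+[ipset,myip]={both}  !+ipset,+myip={either}")
```

An address that is a member of only one set still matches the bracketed form, which is why the original poster's own IP was no longer excluded.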
