On Apr 28, 2011, at 3:31 AM, Harry Lachanas <grharry@freemail.gr> wrote:
>> On Apr 27, 2011, at 2:25 PM, Mr Dash Four <mr.dash.four@googlemail.com> wrote:
>>
>>>> This is not a Shorewall restriction but is rather a restriction of ipsets
>>>>
>>>>> while on an old system with shorewall 3.4.8 on it it passes OK.
>>>>>
>>> Can you read?
>>>
>> I can read fine. But the OP's assertion that this worked in Shorewall 3 is nonsense. The syntax shown in his rule wasn't introduced until Shorewall 4.4.14.
>>
>> -Tom
> ( Sorry for the previous HTML message )
>
> Tom,
> a) I am sorry about the syntax simplification ( I always try to express myself in a *non-nonsense* manner ).
> b) I know that it is introduced in 4.4.14 ( I read the list for a decade almost ).
> c) I've stated that this rule *passes*. Well, I am sorry, I should have stated *"The similar rule passes"*.
> d) I am *not* a law professional that tries to defend his case.
> e) I rarely use the term *nonsense* for other people; I find it kind of rude, offensive and aggressive.
>
>
> So the actual rule used for 3.4.8 is:
>
> #--------------------------------
>
> DNAT loc:$LOCIF:!+net_direct,+noproxyhosts,+abusers dmz:$SQSRV:$PROXYPORT tcp 80 - !+no_squid_hosts,+no_squid_nets
>
> #--------------------------------
>
> The variables used are self-explanatory
>
> while
>
> Shorewall version
> 3.4.8
>
> Shorewall show nat
> indicates in the segment of interest
>
> Chain excl_9 (1 references)
> pkts bytes target prot opt in out source destination
> 2529 162K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 set net_direct src
> 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 set noproxyhosts src
> 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 set abusers src
> 1 48 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 set no_squid_hosts dst
> 1 52 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 set no_squid_nets dst
> 13506 711K DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 to:10.0.173.5:3128
> --------------------------------------------------------------------------------------------------------------
>
> The rule is tested and it works OK so far.
> If wished I can provide a shorewall dump.
> Other than that
> I rest my case and speak no more.
>
I stand humbly corrected and I'll see what I can do about restoring that functionality in Shorewall 4.4.19.
-Tom
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users