[Shorewall-users] (no subject)

Tom Eastep teastep@shorewall.net
Wed, 24 Apr 2002 15:51:22 -0700 (PDT)


On Thu, 25 Apr 2002, Paul Gear wrote:

> Paul Gear wrote:
> 
> > Aaron Axelsen wrote:
> >
> > > Is there any way to block all outgoing access to a certain ip with
> > > shorewall?
> >
> > Add the hosts to a zone called "ban" or something like that, and set
> > the policy from "all" to "ban" as DROP.
> 
> BTW, folks, this is really the best way to implement a "whitelist",
> too.  Just make a zone called "wl" (or "ok", or whatever your
> preference), add the hosts to it, and set the policy to ACCEPT.
> 
> The whitelist feature is just a way of condescending to people who
> can't figure out their Shorewall hosts file.  Tom is a crowd-pleaser.
> ;-)
> 

There is actually a key difference between the use of zones and the 
xxxlist implementations. The lists can be updated using just the refresh 
command whereas changes to zones don't occur until the firewall is totally 
restarted.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
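Worked example of the zone-based ban that Paul Gear describes above, added here as an illustration and not taken from the thread or from the Shorewall project. It writes the three config fragments (zones, hosts, policy) that a "ban" zone needs and places them where first-match ordering requires. Everything specific in it is an assumption: eth0 is the Internet interface and carries the "net" zone, 203.0.113.5 is a constructed example address, the config lives under /etc/shorewall, and the claim that overlapping zones are matched in zones-file order should be checked against the documentation of the Shorewall version in use.

```shell
#!/bin/sh
# Added example (not from the thread, not Shorewall's own code): build the
# "ban" zone from the thread above as fragments for the zones, hosts and
# policy files, and splice them in where ordering matters.
# Assumptions: NET_IF carries the "net" zone; BANNED_HOST is a constructed
# address; the policy file ends with a catch-all "all all ..." line.
set -eu

NET_IF="${NET_IF:-eth0}"
BANNED_HOST="${BANNED_HOST:-203.0.113.5}"   # constructed example address

# zones fragment. Zone names of that era were limited to 5 characters.
# "ban" overlaps "net" (both on eth0); overlapping zones are matched in
# zones-file order (assumption: verify for your version), so it goes FIRST.
zones_fragment() {
    printf '%-8s %-16s %s\n' ban Banned 'Hosts we refuse to talk to'
}

# hosts fragment: the banned address, qualified by the interface it sits on.
hosts_fragment() {
    printf '%-8s %s\n' ban "${NET_IF}:${BANNED_HOST}"
}

# policy fragment: DROP both directions, which answers "block all outgoing
# access" and also refuses inbound traffic from the host.
policy_fragment() {
    printf '%-8s %-8s %s\n' all ban DROP
    printf '%-8s %-8s %s\n' ban all DROP
}

# Prepend the zone so it is matched before the broader "net" zone.
install_zones() {
    dir="$1"
    [ -f "$dir/zones" ] || : > "$dir/zones"
    { zones_fragment; cat "$dir/zones"; } > "$dir/zones.new"
    mv "$dir/zones.new" "$dir/zones"
}

# Hosts entries have no ordering constraint among themselves; append.
install_hosts() {
    dir="$1"
    hosts_fragment >> "$dir/hosts"
}

# The first policy line matching a zone pair wins, so the ban lines must
# sit ABOVE the first "all all" catch-all; append only if there is none.
install_policy() {
    dir="$1"
    [ -f "$dir/policy" ] || : > "$dir/policy"
    done=0
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line
        if [ "$done" -eq 0 ] && [ "${1:-}" = all ] && [ "${2:-}" = all ]; then
            policy_fragment
            done=1
        fi
        printf '%s\n' "$line"
    done < "$dir/policy" > "$dir/policy.new"
    [ "$done" -eq 1 ] || policy_fragment >> "$dir/policy.new"
    mv "$dir/policy.new" "$dir/policy"
}

# Apply all three fragments under DIR. As Tom notes above, zone changes are
# not live until "shorewall restart"; "shorewall refresh" only reloads the
# xxxlist files, not zones/hosts/policy.
install_fragments() {
    install_zones "$1"
    install_hosts "$1"
    install_policy "$1"
}

if [ "${1:-}" = "--install" ]; then
    install_fragments "${SHOREWALL_DIR:-/etc/shorewall}"
    echo "fragments written; run 'shorewall restart' to activate the ban zone"
fi
```

Run it as `sh ban-zone.sh --install` (as root, with SHOREWALL_DIR overridable for a dry run against a copy of the config), then `shorewall restart`. The reason the script splices rather than appends is the point of the thread: zones are first-match constructs, so a narrow ban zone and its DROP policy are only effective if they are evaluated ahead of the broader zone and the catch-all policy.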