[Shorewall-users] Excluding clients from rules

Markus Bossert markus.bossert@epost.de
Wed, 16 Jan 2002 23:40:00 +0100


Why can't he just put a REJECT or a DROP rule (or, for surrounding Squid, 
another ACCEPT rule) above his ACCEPT rule for the http ports, since rules are 
processed until the first fitting one is found, afaik?

Regards,
Markus


At 07:25 15.01.2002 -0800, Tom Eastep wrote:
>Hello Christian,
>
>On Tuesday 15 January 2002 07:07 am, Christian Lox wrote:
> > Hi everyone!
> >
> > First: Thanks for all the work on this great project.
> > I am playing around with it the whole day, but one question remains
> > (for now!)...
> >
> > I set up a rule as described in the documentation to forward all
> > outgoing http traffic to our Squid.
> > ACCEPT    local   fw::3128     tcp     80      -       all
> >
> > This works just fine, but I have to exclude some clients from this
> > (IPs are in the local range).
> >
> > Any help appreciated!
>
>The only way that I can think of for you to do that with Shorewall is to
>place these clients in their own zone and you MUST make that zone disjoint
>from your local zone. I would need to change the structure of chains that
>Shorewall places in the nat table in order for it to work with overlapping
>zones.
>
>Sorry,
>-Tom
>--
>Tom Eastep    \ A Firewall for Linux 2.4.*
>AIM: tmeastep  \ http://www.shorewall.net
>ICQ: #60745924  \ teastep@shorewall.net
>_______________________________________________
>Shorewall-users mailing list
>Shorewall-users@shorewall.net
>http://www.shorewall.net/mailman/listinfo/shorewall-users
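The two approaches discussed in this thread, as an added example that is neither Shorewall's own code nor anything the posters wrote: a small model of first-match chain evaluation, showing what Markus's suggestion of placing an exception rule above the redirect rule does (and what happens when the exception sits below it), and a helper that computes the non-overlapping CIDR blocks a "local" zone needs so that it is disjoint from a second zone holding only the excluded clients, which is the zone layout Tom's reply asks for. The network, the bypass addresses, the Squid port and the rule fields are constructed for illustration. The model evaluates a single ordered list of rules; it says nothing about how Shorewall lays out its nat and filter chains, which is exactly the point Tom's reply turns on.

```python
"""Added example: first-match rule ordering and disjoint-zone address sets."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample addressing for the example; not taken from the thread.
LOCAL_NET = "192.168.1.0/24"
BYPASS_HOSTS = ["192.168.1.10", "192.168.1.200"]  # clients that must reach port 80 directly
SQUID_PORT = 3128


@dataclass(frozen=True)
class Rule:
    action: str      # "ACCEPT", "DROP" or "REDIRECT"
    src: str         # source CIDR the rule matches
    proto: str
    dport: int
    to_port: Optional[int] = None  # only meaningful for REDIRECT


def first_match(rules: List[Rule], src: str, proto: str, dport: int) -> Optional[Rule]:
    """Walk the chain top-down and stop at the first rule whose match fields fit."""
    addr = ipaddress.ip_address(src)
    for r in rules:
        if addr in ipaddress.ip_network(r.src) and proto == r.proto and dport == r.dport:
            return r
    return None


def decide(rules: List[Rule], src: str, proto: str, dport: int) -> Tuple[str, Optional[int]]:
    """Verdict for a packet: (action, redirect port); ("POLICY", None) if no rule matched."""
    r = first_match(rules, src, proto, dport)
    if r is None:
        return ("POLICY", None)
    return (r.action, r.to_port if r.action == "REDIRECT" else None)


def build_rules(exclusions_first: bool) -> List[Rule]:
    """Squid redirect for the whole local net, with per-host exceptions placed either
    above it (exceptions are honoured) or below it (exceptions are never reached)."""
    redirect = Rule("REDIRECT", LOCAL_NET, "tcp", 80, SQUID_PORT)
    exceptions = [Rule("ACCEPT", f"{h}/32", "tcp", 80) for h in BYPASS_HOSTS]
    return exceptions + [redirect] if exclusions_first else [redirect] + exceptions


def disjoint_zone_networks(net: str, excluded: List[str]) -> List[str]:
    """Cover `net` minus the excluded hosts with non-overlapping CIDR blocks: the
    address list a 'local' zone needs so it is disjoint from a zone that holds
    only the excluded clients."""
    remaining = [ipaddress.ip_network(net)]
    for host in excluded:
        h = ipaddress.ip_network(f"{host}/32")
        nxt = []
        for n in remaining:
            nxt.extend(n.address_exclude(h) if h.subnet_of(n) else [n])
        remaining = nxt
    return [str(n) for n in sorted(remaining)]


def zone_contains(nets: List[str], host: str) -> bool:
    """True if `host` falls inside any block of the zone."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def zone_size(nets: List[str]) -> int:
    """Total number of addresses covered by the zone's blocks."""
    return sum(ipaddress.ip_network(n).num_addresses for n in nets)


if __name__ == "__main__":
    for order in (True, False):
        rules = build_rules(exclusions_first=order)
        print("exceptions first" if order else "exceptions last",
              decide(rules, "192.168.1.10", "tcp", 80),
              decide(rules, "192.168.1.50", "tcp", 80))
    nets = disjoint_zone_networks(LOCAL_NET, BYPASS_HOSTS)
    print(len(nets), "blocks,", zone_size(nets), "addresses:", ", ".join(nets))
```

With the exceptions above the redirect, the two bypass hosts get ACCEPT and every other local host gets REDIRECT to 3128; with the exceptions below it, the redirect matches first and the exceptions are dead rules. Excluding two hosts from a /24 leaves 14 blocks covering 254 addresses, which is the kind of list you would have to enter for the larger zone to keep the two zones disjoint; how that list is written into Shorewall's configuration files is not shown here.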