[Shorewall-users] Excluding clients from rules

Markus Bossert markus.bossert@epost.de
Wed, 16 Jan 2002 23:40:00 +0100

Why can't he just put a REJECT or a DROP rule (or for surrounding squid 
another ACCEPT rule) above his ACCEPT rule for http ports since rules are 
processed until the first fitting is found, afaik?


At 07:25 15.01.2002 -0800, Tom Eastep wrote:
>Hello Christian,
>On Tuesday 15 January 2002 07:07 am, Christian Lox wrote:
> > Hi everyone!
> >
> > First: Thanks for all the work on this great project.
> > I am playing around with it the whole day, but one question remains
> > (for now!)...
> >
> > I set up a rule as described in the documentation to forward all
> > outgoing http traffic to our Squid.
> > ACCEPT    local   fw::3128     tcp     80      -       all
> >
> > This works just fine, but I have to exclude some clients from this
> > (IPs are in the local range).
> >
> > Any help appreciated!
>The only way that I can think of for you to do that with Shorewall is to
>place these clients in their own zone and you MUST make that zone disjoint
>from your local zone. I would need to change the structure of chains that
>Shorewall places in the nat table in order for it to work with overlapping
>Tom Eastep    \ A Firewall for Linux 2.4.*
>AIM: tmeastep  \ http://www.shorewall.net
>ICQ: #60745924  \ teastep@shorewall.net
>Shorewall-users mailing list
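The thread turns on a detail that Markus' ordering argument glosses over: the `fw::3128` redirect that Tom refers to lives in the nat table, which netfilter consults (PREROUTING) before any filter chain sees the packet, so an exclusion placed "above" the redirect only takes effect if it sits in the same nat chain. The following Python model is an added illustration, not Shorewall's code and not a reproduction of the chains it generates; the table/chain layout, the first-match semantics, the sample rules and the addresses 192.168.1.0/24, 192.168.1.10 and 10.0.0.5 are all constructed for the example. It shows that a per-client ACCEPT in filter FORWARD does not stop the redirect, whereas a RETURN ahead of the REDIRECT in nat PREROUTING does.

```python
# Added example (not from the original thread): toy first-match evaluator that
# models the netfilter path a forwarded packet takes: nat PREROUTING first,
# then the filter chain that applies to its (possibly rewritten) destination.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    table: str                    # "nat" or "filter"
    chain: str                    # "PREROUTING", "FORWARD" or "INPUT"
    action: str                   # "REDIRECT", "ACCEPT", "DROP" or "RETURN"
    src: str                      # CIDR the source address must fall in
    dport: Optional[int]          # destination port, None = any port
    to_port: Optional[int] = None  # only meaningful for REDIRECT


@dataclass
class Packet:
    src: str
    dport: int


def first_match(rules: List[Rule], table: str, chain: str, pkt: Packet) -> Optional[Rule]:
    """Return the first rule in (table, chain) that matches pkt, or None."""
    for r in rules:
        if (r.table, r.chain) != (table, chain):
            continue
        if ip_address(pkt.src) not in ip_network(r.src):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r
    return None


def process(rules: List[Rule], pkt: Packet) -> Tuple[bool, str]:
    """Model one packet: returns (was_redirected, filter_verdict)."""
    nat = first_match(rules, "nat", "PREROUTING", pkt)
    if nat is not None and nat.action == "REDIRECT":
        # Destination is now the firewall itself, so filtering happens in INPUT,
        # and whatever sits in FORWARD never sees this packet.
        redirected, chain, pkt = True, "INPUT", Packet(pkt.src, nat.to_port)
    else:
        redirected, chain = False, "FORWARD"
    hit = first_match(rules, "filter", chain, pkt)
    verdict = hit.action if hit is not None else "DROP"  # assumed default policy
    return redirected, verdict


# Constructed rule set 1: the exclusion is an ACCEPT placed above the generic
# ACCEPT, but in the filter table. The nat REDIRECT still fires first.
RULES_FILTER_ONLY = [
    Rule("nat", "PREROUTING", "REDIRECT", "192.168.1.0/24", 80, to_port=3128),
    Rule("filter", "FORWARD", "ACCEPT", "192.168.1.10/32", 80),  # intended exclusion
    Rule("filter", "FORWARD", "ACCEPT", "192.168.1.0/24", 80),
    Rule("filter", "INPUT", "ACCEPT", "192.168.1.0/24", 3128),
]

# Constructed rule set 2: the exclusion is a RETURN in the same nat chain,
# ordered before the REDIRECT, so first-match actually protects the client.
RULES_NAT_EXCLUSION = [
    Rule("nat", "PREROUTING", "RETURN", "192.168.1.10/32", 80),
    Rule("nat", "PREROUTING", "REDIRECT", "192.168.1.0/24", 80, to_port=3128),
    Rule("filter", "FORWARD", "ACCEPT", "192.168.1.0/24", 80),
    Rule("filter", "INPUT", "ACCEPT", "192.168.1.0/24", 3128),
]


if __name__ == "__main__":
    excluded = Packet("192.168.1.10", 80)
    print("filter-only exclusion:", process(RULES_FILTER_ONLY, excluded))   # (True, 'ACCEPT')
    print("nat exclusion:        ", process(RULES_NAT_EXCLUSION, excluded))  # (False, 'ACCEPT')
    print("other local client:   ", process(RULES_NAT_EXCLUSION, Packet("192.168.1.20", 80)))
```

Running it shows the excluded client still being redirected under the first rule set and passing through untouched under the second, which is the behaviour the nat-table remark in the reply is about; other local clients are redirected in both cases.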