[Shorewall-users] [Fwd: Re: [Shorewall-devel] An idea]

Pascal DeMilly list.shorewall@newgenesys.com
18 Jan 2002 16:36:27 -0800



Oops! It was meant for the list. Sorry. See message below.



Forwarded message - Re: [Shorewall-devel] An idea
Subject: Re: [Shorewall-devel] An idea
From: Pascal DeMilly <list.shorewall@newgenesys.com>
To: Tom Eastep <teastep@shorewall.net>
In-Reply-To: <20020118170851.8B288ACF6@mail.shorewall.net>
References: <20020118170851.8B288ACF6@mail.shorewall.net>
X-Mailer: Evolution/1.0.1 
Date: 18 Jan 2002 11:58:12 -0800
Message-Id: <1011383892.30920.91.camel@dell>

Could it be the right place to add MAC matching? So if an address looks
like a MAC address, it could be filtered?

Just an idea!

Pascal

On Fri, 2002-01-18 at 09:08, Tom Eastep wrote:
> A recent request to provide a way to block access to certain websites (banner 
> ads) led me to an idea.
> 
> a) A new directory /etc/shorewall/lists
> b) In this directory, are files containing lists of IP addresses and/or 
> subnets
> c) a new JUMP rule:
> 
> 	JUMP:list1	loc	net	tcp	http
> 
> d) By default, matching in the list would be by destination address and if a 
> match was found, the connection request would be REJECTed
> e) The default behavior could be overridden through entries in a list:
> 
> 	SOURCE:ACCEPT
> 
>    for example would match on the source address and would accept the
>    connection request.
> 
> f) Multiple match and disposition specifications could be in a file:
> 
> 	SOURCE:ACCEPT
> 	1.2.3.4
> 	4.5.6.0/24
> 	SOURCE:REJECT
> 	0.0.0.0
> 
>    would accept requests from 1.2.3.4 and from 4.5.6.0/24 and would reject
>    all other requests.
> 
> g) Lists could themselves have JUMP commands embedded (iptables catches 
> loops):
> 
> 	JUMP:list2
> 
>    We might also consider jump as a possible disposition for a list:
> 
> 	SOURCE:JUMP:list12
> 
>    so that a logical ANDing of two lists could be implemented by the user.
> 
> h) "shorewall refresh" would refresh the list contents. Each list would 
>    cause a chain with the same name to be created and JUMP rules would 
>    simply cause a jump to the corresponding chain.
> 
> Are any of you interested in implementing such a thing? If so, let me know.
> 
> -Tom
> -- 
> Tom Eastep    \ A Firewall for Linux 2.4.*
> AIM: tmeastep  \ http://www.shorewall.net
> ICQ: #60745924  \ teastep@shorewall.net
> _______________________________________________
> Shorewall-devel mailing list
> Shorewall-devel@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-devel


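The list format sketched in Tom's proposal, compiled into iptables commands, as an added example that is not Shorewall code and not part of the original thread. It follows points d) through h): one chain per list, destination match and REJECT by default, SOURCE:/DEST: directives that change the match field and disposition for the entries that follow, and embedded JUMP: lines. Pascal's MAC suggestion is included as an assumption, with the practical caveat that the iptables mac match only offers --mac-source, so a MAC entry under destination matching is reported as an error rather than turned into a silently wrong rule. The loc2net chain name used by jump_rule, the reading of 0.0.0.0 as "any address" (which is how the proposal's example uses it; a literal -s 0.0.0.0 would match only that address), and the sample lists are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: turn a list file in the format
# sketched in the proposal into iptables commands. Commands are printed,
# not executed, so this runs without root or netfilter.
#
# Assumed file format (directive names taken from the proposal):
#   SOURCE:ACCEPT, DEST:REJECT, ...  match field + disposition for what follows
#   SOURCE:JUMP:other                disposition "jump to chain other"
#   JUMP:other                       unconditional jump to chain "other"
#   1.2.3.4 / 4.5.6.0/24             address or subnet entry
#   00:11:22:33:44:55                MAC entry (Pascal's suggestion; assumption)
# Default, per point d): match on destination address, REJECT.
# 0.0.0.0 (or 0.0.0.0/0) is read as "any address", as the proposal's example
# intends; "-s 0.0.0.0" in iptables would match only that one address.

set -f   # no pathname expansion while word-splitting list entries

H='[0-9A-Fa-f][0-9A-Fa-f]'

is_mac() {
    case "$1" in
        $H:$H:$H:$H:$H:$H) return 0 ;;
    esac
    return 1
}

# Chains must exist before anything jumps to them, so declare every list
# first and compile the rules afterwards. iptables refuses a rule that would
# close a jump loop at load time, which is the check point g) relies on.
new_chain() {
    echo "iptables -N $1"
}

compile_list() {
    name=$1; file=$2
    field=DEST; disp=REJECT; target=''
    while read -r line; do
        line=${line%%#*}            # drop comments
        set -- $line; line=$1       # trim whitespace, keep the first token
        [ -z "$line" ] && continue
        case "$line" in
            SOURCE:JUMP:*) field=SOURCE; disp=JUMP; target=${line#SOURCE:JUMP:}; continue ;;
            DEST:JUMP:*)   field=DEST;   disp=JUMP; target=${line#DEST:JUMP:};   continue ;;
            SOURCE:*)      field=SOURCE; disp=${line#SOURCE:}; continue ;;
            DEST:*)        field=DEST;   disp=${line#DEST:};   continue ;;
            JUMP:*)        echo "iptables -A $name -j ${line#JUMP:}"; continue ;;
        esac
        # Address, subnet or MAC entry.
        if is_mac "$line"; then
            if [ "$field" != SOURCE ]; then
                echo "$file: MAC $line: the iptables mac match has --mac-source only" >&2
                return 1
            fi
            match="-m mac --mac-source $line"
        elif [ "$line" = 0.0.0.0 ] || [ "$line" = 0.0.0.0/0 ]; then
            match=''                # "everything else"
        elif [ "$field" = SOURCE ]; then
            match="-s $line"
        else
            match="-d $line"
        fi
        if [ "$disp" = JUMP ]; then j=$target; else j=$disp; fi
        echo "iptables -A $name${match:+ $match} -j $j"
    done < "$file"
}

# The rule "JUMP:list1 loc net tcp http" from point c). The loc2net chain
# name is an assumption of this example.
jump_rule() {
    # $1 list, $2 source zone, $3 dest zone, $4 proto, $5 port
    echo "iptables -A ${2}2${3} -p $4 --dport $5 -j $1"
}

# Demo with the proposal's own example list from point f) (constructed here).
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
SOURCE:ACCEPT
1.2.3.4
4.5.6.0/24
SOURCE:REJECT
0.0.0.0
EOF
new_chain list1
compile_list list1 "$tmp"
jump_rule list1 loc net tcp 80
rm -f "$tmp"
```

Running the script prints the commands; piping them into a root shell applies them. When several lists jump to each other, emit new_chain for all of them before any compile_list output so the -j targets exist, and let iptables reject any rule that would create a loop.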