[Shorewall-users] DROP in Rules, with smb port 138 ?
Tom Eastep
teastep at shorewall.net
Thu Aug 21 16:32:56 PDT 2003
On Thu, 2003-08-21 at 08:11, Tom Eastep wrote:
> On Thu, 2003-08-21 at 08:09, Tom Eastep wrote:
>
> >
> > Using Shorewall 1.4.6b, you should be able to code this as:
> >
> > DROP:info svr:!192.168.168.72,192.168.168.1 fw udp 137:139,513
> >
> > And have it do what you want.
> >
>
> Oops -- that has only been implemented for DNAT and REDIRECT rules so
> you will have to use the other solution that I offered.
Sigh -- it isn't implemented in those cases either; I was confusing this
case with another case that I did handle recently (see below).
The basic problem here is that with iptables, in order to handle the
situation:
if NOT (a OR b OR c ) then <rule>
an additional "helper" chain is required.
This "helper" chain contains:
if a then RETURN
if b then RETURN
if c then RETURN
<rule>
The relevant rule chain then has a jump to this helper chain.
Shorewall currently isn't smart enough to do that. Your original rule
was:
DROP:info svr:!192.168.168.72,!192.168.168.1 fw udp 137:139,513
Shorewall converts this into:
if source not 192.168.168.72 then DROP
if source not 192.168.168.1 then DROP
So the first Shorewall-generated rule drops traffic from 192.168.168.1
and the second rule drops traffic from 192.168.168.72.
Note that the above treatment is not as irrational as it looks since
Shorewall applies the same algorithm for this case:
DROP:info svr:192.168.168.72,192.168.168.1 fw udp 137:139,513
In that case, the Shorewall-generated rules do what you intend.
if source is 192.168.168.72 then DROP
if source is 192.168.168.1 then DROP
Some time ago, I looked at trying to solve this problem and the current
code structure makes it too difficult to attempt. And as I pointed out
in my original response in this thread, there is an easy workaround.
What I DID implement was:
DNAT z1 z2 proto port - !addr1,addr2,...
That allows multiple destination addresses to be excluded from a DNAT
rule and uses the "helper" chain technique described above.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep at shorewall.net
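Added example, not from the mail or from Shorewall itself: a POSIX sh script that prints the iptables commands for the naive one-rule-per-address translation beside the helper-chain form the mail describes, and evaluates what each set does to a packet from a given source. The zone chain name svr2fw, the helper name svr2fw_excl and a LOG followed by DROP standing in for DROP:info are assumptions; the commands are only printed, never executed.

```shell
#!/bin/sh
# Added example (not Shorewall's code). Assumed names: svr2fw is the
# zone-to-zone chain, svr2fw_excl the helper chain, LOG+DROP models DROP:info.
MATCH='-p udp -m multiport --dports 137:139,513'

# Naive translation: one negated rule per excluded address. A packet from any
# source fails at least one "! -s X" test, so together the rules drop everyone.
naive_rules() {
    for a in $(echo "$1" | tr ',' ' '); do
        echo "iptables -A svr2fw $MATCH ! -s $a -j LOG --log-level info"
        echo "iptables -A svr2fw $MATCH ! -s $a -j DROP"
    done
}

# Helper chain: excluded sources RETURN early, the action hits everyone else,
# and the main chain jumps to the helper with the port match attached.
helper_rules() {
    echo "iptables -N svr2fw_excl"
    for a in $(echo "$1" | tr ',' ' '); do
        echo "iptables -A svr2fw_excl -s $a -j RETURN"
    done
    echo "iptables -A svr2fw_excl -j LOG --log-level info"
    echo "iptables -A svr2fw_excl -j DROP"
    echo "iptables -A svr2fw $MATCH -j svr2fw_excl"
}

# How many naive DROP rules match a packet from source $2 (0 would mean it
# passes; with two or more excluded addresses it is never 0).
naive_hits() {
    n=0
    for a in $(echo "$1" | tr ',' ' '); do
        [ "$a" != "$2" ] && n=$((n + 1))
    done
    echo "$n"
}

# Verdict of the helper chain for source $2: RETURN (excluded) or DROP.
helper_verdict() {
    for a in $(echo "$1" | tr ',' ' '); do
        [ "$a" = "$2" ] && { echo RETURN; return; }
    done
    echo DROP
}

helper_rules 192.168.168.72,192.168.168.1
```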