SV: [Shorewall-users] Access to internet except some subnets

Kenneth Grande, Driftsjef aspIT AS kenneth.grande at
Wed Jan 8 18:48:00 PST 2003

I have never used this the way you point out in your example.

ACCEPT    loc:    net:!    tcp

This is only a wild shot. I would need more information to get a clear
picture of your network and fw config.

But from the information provided I would try this:

ACCEPT    loc:    net:OUTSIDE_IP_OF_SONS_GW (assuming this is
in the network)
ACCEPT    loc:    net:INSIDE_IP_OF_COMPANY_GW (assuming this is
in the network)


Just a wild shot.

Best Regards,

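As an added illustration (not from Kenneth's, Pascal's or Tommy's mails, and not Shorewall's own code): a small Python model of Shorewall's first-match rule evaluation with a destination exclusion, using constructed placeholder addresses, to check that the son's host reaches the internet on the listed ports but not the company networks, whether the exclusion is written into the ACCEPT rule itself or as a REJECT placed ahead of a plain ACCEPT.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder addresses; the thread's real ones are elided.
SON = ip_address("192.168.1.50")                       # son's machine (loc)
COMPANY_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]
WEB_PORTS = frozenset({80, 443, 21, 53})               # http,https,ftp,domain

def rule(action, src=None, dst=None, exclude=(), proto="tcp", ports=()):
    """One rules-file line: dst=None means any 'net' host; exclude is 'net:!...'."""
    return {"action": action, "src": src, "dst": list(dst or []),
            "exclude": list(exclude), "proto": proto, "ports": frozenset(ports)}

def evaluate(rules, policy, src, dst, proto, port):
    """Shorewall semantics: the first matching rule wins, else the zone policy."""
    for r in rules:
        if r["src"] is not None and src != r["src"]:
            continue
        if r["dst"] and not any(dst in net for net in r["dst"]):
            continue
        if any(dst in net for net in r["exclude"]):
            continue
        if r["proto"] != proto or (r["ports"] and port not in r["ports"]):
            continue
        return r["action"]
    return policy

# Variant A: the exclusion written into the ACCEPT rule, as in the thread.
RULES_EXCLUDE = [rule("ACCEPT", src=SON, exclude=COMPANY_NETS, ports=WEB_PORTS)]
# Variant B: an explicit REJECT for the company nets ahead of a plain ACCEPT.
RULES_REJECT_FIRST = [
    rule("REJECT", src=SON, dst=COMPANY_NETS),          # any tcp port
    rule("ACCEPT", src=SON, ports=WEB_PORTS),
]

def outcomes(rules, policy="REJECT"):
    """Probe the decisions that matter for the intent described in the thread."""
    probes = {
        "son_to_internet_http": (SON, ip_address("203.0.113.10"), "tcp", 80),
        "son_to_company_http": (SON, ip_address("10.1.2.3"), "tcp", 80),
        "son_to_internet_ssh": (SON, ip_address("203.0.113.10"), "tcp", 22),
    }
    return {name: evaluate(rules, policy, *args) for name, args in probes.items()}

if __name__ == "__main__":
    for label, rules in (("exclusion", RULES_EXCLUDE), ("reject-first", RULES_REJECT_FIRST)):
        print(label, outcomes(rules))
```

Both variants give the same decisions; the REJECT-first form is easier to audit because the blocked networks are visible as their own line rather than hidden in a negation.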

-----Original Message-----
From: shorewall-users-bounces at
[mailto:shorewall-users-bounces at] On behalf of Pascal
Sent: 8 January 2003 17:38
To: Tommy Balle
Cc: 'Shorewall mailinglist (shorewall-users at'
Subject: Re: [Shorewall-users] Access to internet except some subnets

You need to provide more information if you want people to help you. You
say you have 2 NICs, so show us your interface files. You say you have 2
IP addresses on your loc NIC. Does it mean you are using IP aliasing? If
so, show us your shorewall hosts and zones files. You say you want to
deny some users access to the net. Tell us what makes a deniable user?
IP address, then which one? You say you want to allow your son to access
the net but not your business network? Tell us then what your business
network looks like. IP address, zone ...? You say what you tried failed.
Show us your message file for the relevant error.

Anyway, if you want to prevent users from browsing, I have found that
Squid ( is always the best alternative. It is a
little harder to set up, but it offers much more in the end.



On Wed, 2003-01-08 at 00:03, Tommy Balle wrote:
> Hello Shorewall users
> I have a firewall based on RedHat 8.0 and Shorewall.
> I have 2 interfaces, with 2 IP addresses on the loc interface, the
> to the internet runs through my company's network with an ADSL/MPLS
> line. I
> need to configure my Shorewall with the possibility to deny some users'
> access to the 'net' for some subnet.
> Ex. my son's machine should also run through the firewall but I don't
> him to access the internal networks in my company. I have tried with
> following rule:
> ACCEPT    loc:    net:!    tcp
> http,https,ftp,domain    -
> My son's machine being
> I have read the doc. but can't see what I'm doing wrong? Any
> Regards
> Tommy Balle
Pascal DeMilly <list.shorewall at>
