Re: [Shorewall-users] Access to internet except some subnets

Kenneth Grande, Driftsjef aspIT AS kenneth.grande at aspit.no
Wed Jan 8 18:48:00 PST 2003


I have never used this the way you point out in your example:

ACCEPT    loc:10.0.1.10    net:!192.168.0.0/16    tcp

This is only a wild shot. I would need more information to get a clear
picture of your network and firewall config.

But from the information provided I would try this:

ACCEPT    loc:10.0.1.10    net:OUTSIDE_IP_OF_SONS_GW
(assuming this is in the 192.168.0.0/16 network)
ACCEPT    loc:10.0.1.10    net:INSIDE_IP_OF_COMPANY_GW
(assuming this is in the 192.168.0.0/16 network)

Again, just a wild shot.

Best Regards,

Kenneth.
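As an added illustration (not part of Kenneth's reply, nor Shorewall's own code), the snippet below simulates the first-match evaluation that Shorewall's rules file compiles into: the first rule whose SOURCE, DEST, PROTO and PORT columns all match decides the packet, and anything unmatched falls through to the zone policy. It compares the rule Tommy posted with an equivalent that does not rely on the `!` exclusion syntax at all: an explicit REJECT for 192.168.0.0/16 placed before an unconditional ACCEPT. The host 10.0.1.10 and the company range 192.168.0.0/16 come from the thread; the loc-to-net policy of REJECT, the destination addresses 198.51.100.7 and 192.168.1.5, and the second LAN host 10.0.1.20 are constructed for the example.

```python
"""Constructed first-match simulation of Shorewall-style rules.

Not Shorewall code. It models only what the thread needs: zone:address
SOURCE/DEST specs with optional '!' exclusion, a PROTO column, and a
comma-separated PORT column of service names or numbers.
"""
import ipaddress
from dataclasses import dataclass

# Service names used in the posted rule, resolved as /etc/services would.
SERVICES = {"http": 80, "https": 443, "ftp": 21, "domain": 53}

# Assumed zone policy for loc -> net; a per-host ACCEPT rule only makes
# sense if the policy itself does not already allow everything.
POLICY_LOC_TO_NET = "REJECT"


@dataclass(frozen=True)
class Rule:
    action: str       # ACCEPT / REJECT / DROP
    src: str          # "loc" or "loc:10.0.1.10"
    dst: str          # "net", "net:192.168.0.0/16" or "net:!192.168.0.0/16"
    proto: str = "-"  # "tcp", "udp" or "-" for any protocol
    ports: str = "-"  # "http,https" style list or "-" for any port


def match_endpoint(spec: str, zone: str, ip: str) -> bool:
    """Match a SOURCE/DEST column entry against a zone and an address."""
    if ":" not in spec:
        return spec == zone
    spec_zone, addr = spec.split(":", 1)
    if spec_zone != zone:
        return False
    negate = addr.startswith("!")
    net = ipaddress.ip_network(addr.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def match_service(rule: Rule, proto: str, port: int) -> bool:
    """Match the PROTO and PORT columns; '-' means any."""
    if rule.proto != "-" and rule.proto != proto:
        return False
    if rule.ports == "-":
        return True
    wanted = {SERVICES[p] if p in SERVICES else int(p)
              for p in rule.ports.split(",")}
    return port in wanted


def evaluate(rules, policy, src, dst, proto, port):
    """First matching rule wins; otherwise the zone policy applies."""
    src_zone, src_ip = src
    dst_zone, dst_ip = dst
    for r in rules:
        if (match_endpoint(r.src, src_zone, src_ip)
                and match_endpoint(r.dst, dst_zone, dst_ip)
                and match_service(r, proto, port)):
            return r.action
    return policy


# The rule exactly as posted in the thread (tcp only, with exclusion).
POSTED_RULES = [
    Rule("ACCEPT", "loc:10.0.1.10", "net:!192.168.0.0/16",
         "tcp", "http,https,ftp,domain"),
]

# Same intent expressed by ordering instead of exclusion, plus UDP DNS,
# which the posted tcp-only rule does not cover.
ORDERED_RULES = [
    Rule("REJECT", "loc:10.0.1.10", "net:192.168.0.0/16"),
    Rule("ACCEPT", "loc:10.0.1.10", "net", "tcp", "http,https,ftp,domain"),
    Rule("ACCEPT", "loc:10.0.1.10", "net", "udp", "domain"),
]


def son_can_reach(rules, dst_ip, proto="tcp", port=80):
    """Verdict for a packet from the son's machine to dst_ip."""
    return evaluate(rules, POLICY_LOC_TO_NET,
                    ("loc", "10.0.1.10"), ("net", dst_ip), proto, port)


if __name__ == "__main__":
    probes = [("198.51.100.7", "tcp", 80), ("192.168.1.5", "tcp", 80),
              ("198.51.100.7", "udp", 53)]
    for name, rules in (("posted", POSTED_RULES), ("ordered", ORDERED_RULES)):
        for ip, proto, port in probes:
            print(f"{name:8} 10.0.1.10 -> {ip}:{port}/{proto}: "
                  f"{son_can_reach(rules, ip, proto, port)}")
```

Both rule sets let 10.0.1.10 reach an outside address and refuse the company range, so the exclusion is not what makes the policy work; the ordered form simply removes one syntax the installed Shorewall version might not accept. The simulation also shows a gap in the posted rule that is easy to miss: with PROTO set to tcp, `domain` only covers DNS over TCP, and ordinary UDP lookups from the son's machine still fall through to the policy.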

-----Original Message-----
From: shorewall-users-bounces at shorewall.net
[mailto:shorewall-users-bounces at shorewall.net] On behalf of Pascal
DeMilly
Sent: 8 January 2003 17:38
To: Tommy Balle
Cc: 'Shorewall mailinglist (shorewall-users at shorewall.net)'
Subject: Re: [Shorewall-users] Access to internet except some subnets

You need to provide more information if you want people to help you. You
say you have 2 NICs, so show us your interfaces file. You say you have 2
IP addresses on your loc NIC. Does it mean you are using IP aliasing? If
so, show us your Shorewall hosts and zones files. You say you want to
deny some users access to the net. Tell us what makes a deniable user:
IP address? Then which one? You say you want to allow your son to access
the net but not your business network? Tell us then what your business
network looks like: IP address, zone ...? You say what you tried failed.
Show us your messages file for the relevant error.

Anyway, if you want to prevent users from browsing, I have found that
Squid (www.squid-cache.org) is always the best alternative. It is a
little harder to set up, but in the end it offers much more.

HTH

Pascal


On Wed, 2003-01-08 at 00:03, Tommy Balle wrote:
> Hello Shorewall users
>  
> I have a firewall based on RedHat 8.0 and Shorewall.
>  
> I have 2 interfaces, with 2 IP addresses on the loc interface; the
> connection to the internet runs through my company's network with an
> ADSL/MPLS line. I need to configure my Shorewall with the possibility
> to deny some users' access to the 'net' for some subnets.
>  
> Ex. my son's machine should also run through the firewall, but I don't
> want him to access the internal networks in my company. I have tried
> with the following rule:
>  
> ACCEPT    loc:10.0.1.10    net:!192.168.0.0/16    tcp    http,https,ftp,domain    -
>  
> My son's machine being 10.0.1.10.
>  
> I have read the docs but can't see what I'm doing wrong? Any
> suggestions?
>  
> Regards
>  
> Tommy Balle
>  
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users at shorewall.net
> http://mail.shorewall.net/mailman/listinfo/shorewall-users
-- 
Pascal DeMilly <list.shorewall at newgenesys.com>




More information about the Shorewall-users mailing list