[Shorewall-users] Allow Microsoft Activation & Updates

David Hollis dhollis at davehollis.com
Thu Sep 9 06:52:06 PDT 2004

On Wed, 2004-09-08 at 23:36 -0700, mynullvoid wrote:
> Hi,
> I had set rules so that my client can only visit few
> sites instead of the whole net.
> My question is, how can I allow my client to activate
> its product key and also to run windows update?
> One more thing is, can I use domain name in the rule
> config? if yes, can I put just microsoft.com to refer
> to aaa.microsoft.com bbb.microsoft.com?
> Please advise

When you use a fqdn for a rule in shorewall, it will be resolved to its
IP address for the rule by iptables.  netfilter has no way of knowing
that the packet is intended to go to xyz.microsoft.com, it only knows
that it is going to on 607/tcp or whatever.  To accomplish
what you want, you could set up a squid proxy and use its ACLs to
allow/deny web access to various sites, networks, etc.  You can use the
transparent proxy capability via the REDIRECT rule type in shorewall so
that it "just works" (tm) for end users.

David Hollis <dhollis at davehollis.com>
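
Added example, not part of the original post: a sketch of the hostname match a proxy ACL can make on the HTTP Host header, which a packet filter holding only resolved IP addresses cannot. It models squid's `dstdomain` convention, where a leading dot covers the domain and all of its subdomains; the allowlist entries and function names are constructed for illustration.

```python
# Added illustration: hostname allowlisting as a proxy sees it (Host header),
# modelled on squid's dstdomain convention. All names here are hypothetical.
#   ".microsoft.com"  -> microsoft.com and every subdomain
#   "host.example.org" -> that exact host only

ALLOWED = [".microsoft.com", "updates.example.org"]  # constructed allowlist


def normalize_host(host_header: str) -> str:
    """Lower-case a Host header value, drop any :port and trailing dot."""
    host = host_header.strip().lower()
    if host.startswith("["):              # bracketed IPv6 literal, e.g. [::1]:80
        return host.split("]")[0] + "]"
    host = host.split(":", 1)[0]           # strip ":port" if present
    return host.rstrip(".")                # "microsoft.com." == "microsoft.com"


def domain_matches(host: str, pattern: str) -> bool:
    """Match on DNS label boundaries, never on raw substrings."""
    pattern = pattern.lower()
    if pattern.startswith("."):
        # The leading dot forces a label boundary before the base domain.
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def is_allowed(host_header: str, allowed=ALLOWED) -> bool:
    host = normalize_host(host_header)
    return any(domain_matches(host, p) for p in allowed)


def naive_is_allowed(host_header: str) -> bool:
    """Common allowlist mistake: substring test with no label boundary."""
    return "microsoft.com" in host_header.lower()


if __name__ == "__main__":
    for h in ["aaa.microsoft.com", "bbb.microsoft.com:80", "microsoft.com",
              "evilmicrosoft.com", "microsoft.com.evil.example"]:
        print(f"{h:32} strict={is_allowed(h)!s:5} naive={naive_is_allowed(h)}")
```

The strict matcher accepts `aaa.microsoft.com` and `bbb.microsoft.com` from a single `.microsoft.com` entry while rejecting look-alike names that the substring test lets through.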

