[Shorewall-users] Address range not being blocked

Jerry Vonau jvonau at shaw.ca
Tue Jun 21 12:16:19 PDT 2005



> Jerry Vonau wrote ..
> >
> >
> > > Am 21.06.2005 16:52, jeff at palmerfamily.name schrieb:
> > >
> > > >I have the following line in the rules file:
> > > >
> > > >DROP net:211.171.0.0/10 $FW all
> > > >
> > > >It is my understanding that this should block the range
> > 211.171.0.0-211.235.255.255, yet I connections from within this range.
> > > >
> > > >
> > > Do you have a local zone behind the firewall, and are the connections
> > > to these clients?
> > >
> > > Just a guess: this rule drops all connections from net:211... to the
> > > firewall, but not to the clients behind the firewall. For that, you
> > > need to specify:
> > >
> > > DROP       net:211.171.0.0/10       loc       all
> > >
> > > where loc is the name of your local zone.
> > > Note also that shorewall does not affect already existing connections
> > > when starting.
> > >
> > > /ben
> > >
> >
> > To cover both $FW and loc (and all other zones) with a single rule,
> > you could use:
> > DROP       net:211.171.0.0/10       all       all
> >
> > Jerry
>
> These are outside initiated connections.  I have other rules set up
> exactly the same that work fine, it's just this one.  From the responses,
> it appears I have the address notion correct.  What else could be the
> problem?
>

I'll bet what you're seeing is < 211.192.0.0.

Using the online calculator at:
http://jodies.de/ipcalc?host=211.171.0.0&mask1=10&mask2=

/10 covers 211.171.0.0-211.191.255.255

/9 covers 211.171.0.0-211.255.255.255
which goes past your target of 211.235.255.255

You'll need to add the missing net blocks to cover
211.192.0.0-211.235.255.255

Jerry
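An added example, not from the thread, that does the calculation above offline with Python's standard ipaddress module: it shows what a prefix actually matches once the host bits are masked (as iptables does), decomposes the intended range 211.171.0.0-211.235.255.255 into the minimal set of CIDR blocks, and prints them in the three-column DROP rule form used in this thread (the tab-separated layout is an assumption).

```python
import ipaddress
from typing import List, Tuple


def prefix_span(cidr: str) -> Tuple[str, str]:
    """Return (first, last) address really matched by a CIDR prefix.
    strict=False mirrors how the kernel treats host bits: they are masked
    off, so 211.171.0.0/10 is matched as the 211.128.0.0/10 network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def range_to_cidrs(first: str, last: str) -> List[str]:
    """Minimal list of CIDR blocks covering first..last inclusive.
    Greedy: take the largest block aligned at the current address that
    does not run past `last`, then continue from the next address."""
    cur = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    blocks = []
    while cur <= end:
        # largest power-of-two block size allowed by the alignment of cur
        size = (cur & -cur) if cur else (1 << 32)
        # shrink until the block fits inside the remaining range
        while cur + size - 1 > end:
            size >>= 1
        prefix = 33 - size.bit_length()          # size == 2**(32-prefix)
        blocks.append(f"{ipaddress.IPv4Address(cur)}/{prefix}")
        cur += size
    return blocks


def stdlib_cidrs(first: str, last: str) -> List[str]:
    """Cross-check against the standard library's own summarizer."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]


def shorewall_rules(first: str, last: str, dest: str = "all") -> List[str]:
    """One DROP line per block, in the ACTION SOURCE DEST PROTO layout."""
    return [f"DROP\tnet:{b}\t{dest}\tall" for b in range_to_cidrs(first, last)]


if __name__ == "__main__":
    print("211.171.0.0/10 really spans", prefix_span("211.171.0.0/10"))
    for line in shorewall_rules("211.171.0.0", "211.235.255.255"):
        print(line)
```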