I'm trying to introduce some time based rules into my shorewall firewall. I have reason to believe that my kernel and iptables installations support time matched rules (because I can create them directly using iptables), but I can't get shorewall to create any.
AFAICT all I need to do is create the correct entry in /etc/shorewall/rules but I'm having difficulty and, surprisingly, I can't get Google to help me. If anyone could point me to an example of a working rules file, or point out how I could get some better diagnostics, then I'd be very grateful. I've included everything I think might be relevant below. Sorry for the long posting.

Thanks

--------------------------------------------------------------------------------------------------------------------

What I'm running: Fedora Core 10

# uname -r
2.6.27.21-170.2.56.fc10.i586

# rpm -qa | grep iptables
iptables-1.4.3.2-1.fc10.i386
iptables-ipv6-1.4.3.2-1.fc10.i386

# rpm -qa | grep shorewall
shorewall-common-4.2.10-1.fc10.1.noarch
shorewall-shell-4.2.10-1.fc10.1.noarch
shorewall-perl-4.2.10.3-1.fc10.1.noarch
shorewall-4.2.10-1.fc10.1.noarch

Shorewall appears to have Time Matching available

# shorewall show capabilities
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Extended Connection Tracking Match Support: Available
   Old Connection Tracking Match Syntax: Not available
   Packet Type Match: Available
   Policy Match: Available
   Physdev Match: Available
   Physdev-is-bridged Support: Available
   Packet length Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   CONNMARK Target: Available
   Extended CONNMARK Target: Available
   Connmark Match: Available
   Extended Connmark Match: Available
   Raw Table: Available
   IPP2P Match: Not available
   CLASSIFY Target: Available
   Extended REJECT: Available
   Repeat match: Available
   MARK Target: Available
   Extended MARK Target: Available
   Mangle FORWARD Chain: Available
   Comments: Available
   Address Type Match: Available
   TCPMSS Match: Available
   Hashlimit Match: Available
   NFQUEUE Target: Available
   Realm Match: Available
   Helper Match: Available
   Connlimit Match: Available
   Time Match: Available
   Goto Support: Available

Starting Shorewall

# shorewall debug start
<snip>
+ qt /sbin/iptables -A fooX24622 -m time --timestart 23:00 -j DROP
+ /sbin/iptables -A fooX24622 -m time --timestart 23:00 -j DROP
+ TIME_MATCH=Yes
<snip>

Manually creating a test 'Time Matching' rule

# iptables -A INPUT -s 200.200.200.1 -j DROP -m time --timestart 14:00 --timestop 16:00
# iptables -L | grep 200.200
DROP       all  --  200.200.200.1        anywhere            TIME from 14:00:00 to 16:00:00

Configuring Shorewall

According to the man page the Time column is the 12th column in the rules file, so I have this test entry:

DROP    loc:192.168.0.14    net:84.53.134.200    tcp    http    -    -    -    -    -    -    utc,timestart=22:05,timestop=22:15

but after restarting shorewall

# shorewall debug start
<snip>
++ expand DROP loc:192.168.0.14 net:84.53.134.200 tcp http - - - - - - utc,timestart=22:05:00,timestop=22:15:00
++ eval echo '"DROP' loc:192.168.0.14 net:84.53.134.200 tcp http - - - - - - 'utc,timestart=22:05:00,timestop=22:15:00"'
+++ echo 'DROP loc:192.168.0.14 net:84.53.134.200 tcp http - - - - - - utc,timestart=22:05:00,timestop=22:15:00'
+ echo DROP loc:192.168.0.14 net:84.53.134.200 tcp http - - - - - - utc,timestart=22:05:00,timestop=22:15:00
<snip>

and

# iptables -L
<snip>
DROP       tcp  --  192.168.0.14         84.53.134.200       tcp dpt:http
<snip>

So no time match clause !

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
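Added example, not part of the post above and not Shorewall's own code. Two things are worth checking against the trace in the post. First, the `expand` / `eval echo` lines in the `shorewall debug start` output are produced by the shorewall-shell compiler, not shorewall-perl, and the shorewall-rules(5) manual for the 4.2 series marks the TIME column as supported by Shorewall-perl only (confirm in the locally installed man page; SHOREWALL_COMPILER in shorewall.conf selects the compiler). Second, the documented separator between TIME elements is `&`, not `,`, because commas are used inside elements such as `weekdays=Mon,Tue`. The helper below, written for this reply, converts a Shorewall-style TIME column into the matching `iptables -m time` arguments so that the rule Shorewall should have generated can be typed in by hand and compared with `iptables -L` output. The function name and the decision to treat an unknown element as an error are my own choices; the element names mirror the iptables time match options.

```shell
#!/bin/sh
# shorewall_time_to_iptables SPEC
#   SPEC is a Shorewall rules-file TIME column, elements joined by '&', e.g.
#   'utc&timestart=22:05&timestop=22:15'. Prints the equivalent
#   'iptables -m time ...' argument string, or returns 1 for an unknown element.
#   (Example helper written for this thread; not from the Shorewall project.)
shorewall_time_to_iptables() {
    spec=$1
    out="-m time"
    old_ifs=$IFS
    IFS='&'                    # documented element separator; ',' is used inside weekdays= etc.
    for el in $spec; do
        IFS=$old_ifs
        case $el in
            utc|localtz)
                # boolean options: timezone used to interpret the times
                out="$out --$el" ;;
            timestart=*|timestop=*|weekdays=*|monthdays=*|datestart=*|datestop=*)
                key=${el%%=*}
                val=${el#*=}
                out="$out --$key $val" ;;
            *)
                printf 'unknown TIME element: %s\n' "$el" >&2
                IFS=$old_ifs
                return 1 ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# build_manual_rule SRC DST DPORT SPEC
#   Assembles the complete iptables command for a DROP rule so it can be
#   compared with what Shorewall installs (printed, not executed).
build_manual_rule() {
    tm=$(shorewall_time_to_iptables "$4") || return 1
    printf 'iptables -A FORWARD -s %s -d %s -p tcp --dport %s %s -j DROP\n' "$1" "$2" "$3" "$tm"
}

# Usage with the values from the post (constructed example, nothing is executed):
build_manual_rule 192.168.0.14 84.53.134.200 80 'utc&timestart=22:05&timestop=22:15'
```

Running the printed command as root and then `iptables -L FORWARD -n` should show a line ending in `TIME from 22:05:00 to 22:15:00 UTC`; if the hand-built rule loads but the Shorewall-generated one still lacks the TIME clause, the compiler rather than the kernel or iptables is where to look.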
