Hi Tom

On 15.10.2015 at 20:28, Tom Eastep wrote:
> On 10/15/2015 9:40 AM, Erich Titl wrote:
...
>
> You are correct -- zones can't be used there. Only IP addresses,
> DNS names or 'all'.

I am reluctant to use all as a source and/or destination. So the current code is

  shorewall save > /dev/null 2>&1
  iptables -I fw-net -p tcp -m multiport \
    --dports http,https -j ACCEPT > /dev/null 2>&1 && \
    log "web access is allowed"

I doubt it would be better to use the dynamic chain, as the source and destination zones would be hidden.

  shorewall save > /dev/null 2>&1
  iptables -I dynamic -p tcp -m multiport \
    --dports http,https -j ACCEPT > /dev/null 2>&1 && \
    log "web access is allowed"

I prefer to be able to define the direction of the connection and this appears to work right now only by using a chain which inherently reflects the source and destination zones.

Would you have another approach?

Thanks

Erich

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users