On 2/6/19 12:50 PM, Brent Gordon wrote:

> A better way to ask my initial question is:
> What is the best way to block all incoming traffic, even to open ports,
> while allowing traffic from a limited range of addresses access to a
> single port?
>
> For example, say that I have port 22 open for ssh access. With the
> default rule, if 92.63.194.18 tries to access any port other than 22 he
> will be dropped. However, he can still connect to port 22. By using
> dynamic blacklisting (for example, shorewall logdrop 92.0.0.0/8), he
> will be silently dropped even when he tries to connect to port 22.
> There are only four blocks of IP addresses I need to allow, but they end
> up being a lot of logdrop entries. For example, to allow my first group
> of 70.56.0.0/14 I need six separate logdrop commands just to block all
> of the addresses before that range (0.0.0.0 - 70.55.255.255). I need
> eight more commands to block from the end of the first group to the
> start of the second group.
>
With the net->$FW policy of DROP, simply add this rule:

    ssh(ACCEPT)    net:$BLOCK1,$BLOCK2,$BLOCK3,$BLOCK4    $FW

Where:

    $BLOCK1=i.j.k.l/nn
    $BLOCK2=a.b.c.d/mm
    ...

are the blocks that you want to accept.

-Tom
--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \    understand
                          \_______________________________________________
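The contrast in the exchange above, as an added example that is not part of the thread or of Shorewall itself: Brent's blacklist approach needs one `logdrop` entry for every CIDR block in the *complement* of his allow-list, whereas Tom's approach (policy `net $FW DROP` plus one `ssh(ACCEPT)` rule) needs only the allow-list. The code below computes that complement with the standard `ipaddress` module (so it can be checked against Brent's "six logdrop commands" for the space below 70.56.0.0/14), and then emits the `params` and `rules` lines for Tom's approach. The block addresses other than 70.56.0.0/14 are constructed documentation ranges, not from the thread.

```python
"""Allow-list vs. blacklist-the-complement for a single open port.

Added example for the Shorewall-users thread; not code from the thread
or from the Shorewall project. Only 70.56.0.0/14 comes from the thread;
the other blocks are constructed sample input.
"""
import ipaddress
from typing import List, Sequence

IPv4 = ipaddress.IPv4Network
ALL_IPV4 = ipaddress.IPv4Network("0.0.0.0/0")


def complement(allowed: Sequence[str]) -> List[IPv4]:
    """Minimal CIDR list covering every IPv4 address NOT in `allowed`.

    This is exactly the set of blocks a pure 'blacklist everything else'
    strategy has to enumerate, one logdrop entry per block.
    """
    nets = [ipaddress.IPv4Network(a) for a in allowed]
    pieces = [ALL_IPV4]  # start with the whole space and carve out each block
    for net in nets:
        new_pieces = []
        for piece in pieces:
            if net.subnet_of(piece):
                # address_exclude() splits the piece into the siblings of
                # every ancestor of `net`, i.e. the part of `piece` outside it
                new_pieces.extend(piece.address_exclude(net))
            elif piece.subnet_of(net):
                continue  # entire piece lies inside an allowed block
            else:
                new_pieces.append(piece)
        pieces = new_pieces
    return list(ipaddress.collapse_addresses(pieces))


def entries_below(allowed_block: str) -> List[IPv4]:
    """Blocks needed to blacklist 0.0.0.0 up to just before `allowed_block`
    (the count Brent reports as 'six separate logdrop commands')."""
    net = ipaddress.IPv4Network(allowed_block)
    if int(net.network_address) == 0:
        return []
    last = net.network_address - 1
    first = ipaddress.IPv4Address("0.0.0.0")
    return list(ipaddress.summarize_address_range(first, last))


def shorewall_params(allowed: Sequence[str]) -> str:
    """Lines for /etc/shorewall/params defining $BLOCK1, $BLOCK2, ..."""
    return "\n".join(f"BLOCK{i}={ipaddress.IPv4Network(a)}"
                     for i, a in enumerate(allowed, 1))


def shorewall_ssh_rule(allowed: Sequence[str]) -> str:
    """The single /etc/shorewall/rules line Tom suggests. Relies on the
    policy file carrying 'net  $FW  DROP' so everything else is dropped."""
    blocks = ",".join(f"$BLOCK{i}" for i, _ in enumerate(allowed, 1))
    return f"ssh(ACCEPT)\tnet:{blocks}\t$FW"


if __name__ == "__main__":
    # Constructed sample allow-list (first block is the one from the thread)
    allowed = ["70.56.0.0/14", "192.0.2.0/24", "198.51.100.0/24",
               "203.0.113.0/24"]
    print(f"logdrop entries needed below {allowed[0]}: "
          f"{len(entries_below(allowed[0]))}")
    comp = complement(allowed)
    print(f"logdrop entries needed for the full complement: {len(comp)}")
    print("\n# /etc/shorewall/params")
    print(shorewall_params(allowed))
    print("\n# /etc/shorewall/policy")
    print("net\t$FW\tDROP\tinfo")
    print("\n# /etc/shorewall/rules")
    print(shorewall_ssh_rule(allowed))
```

Run it and the complement of a four-block allow-list comes to dozens of CIDR entries, while the allow-list approach stays at one rule plus four `params` lines; the DROP policy does the work that the enumerated `logdrop` entries were doing.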
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users