[Shorewall-users] Multiple ipsets

Discussion:

Dik ....

2016-12-12 11:59:29 UTC

shorewall version 4.5.5.3

I am trying to use some ipsets to protect a specific service. When using a single ipset containing my own ip it works as expected with following in /etc/shorewall/rules :

DNAT net:!+myip dmz:10.0.0.101 tcp 443 - xxx.xxx.xxx.xxx

The documentation says that I can add multiple ipsets with !+[...]. When I create a second ipset and add it as described I am no longer prevented from accessing the service from my own ip :

DNAT net:!+[ipset,myip] dmz:10.0.0.101 tcp 443 - xxx.xxx.xxx.xxx

I presume that this means that neither ipset is working.

Please advise.

Tom Eastep

2016-12-12 16:55:31 UTC

Permalink

On 12/12/2016 03:59 AM, Dik .... wrote:
> shorewall version 4.5.5.3
>
> I am trying to use some ipsets to protect a specific service. When
> using a single ipset containing my own ip it works as expected with
> following in /etc/shorewall/rules :
>
> DNAT net:!+myip dmz:10.0.0.101 tcp 443 -
> xxx.xxx.xxx.xxx
>
> The documentation says that I can add multiple ipsets with !+[...].
> When I create a second ipset and add it as described I am no longer
> prevented from accessing the service from my own ip :
>
> DNAT net:!+[ipset,myip] dmz:10.0.0.101 tcp 443
> - xxx.xxx.xxx.xxx
>
> I presume that this means that neither ipset is working.
>

What you have above excludes only source addresses that are in *BOTH*
ipsets. You wanted this instead:

DNAT net:!+ipset,+myip dmz:...

- -Tom
- --
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________

Dik ....

2016-12-12 18:02:48 UTC

Permalink

Thank you

________________________________
From: Tom Eastep <***@shorewall.net>
Sent: 12 December 2016 16:55:31
To: shorewall-***@lists.sourceforge.net
Subject: Re: [Shorewall-users] Multiple ipsets

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 12/12/2016 03:59 AM, Dik .... wrote:
> shorewall version 4.5.5.3
>
> I am trying to use some ipsets to protect a specific service. When
> using a single ipset containing my own ip it works as expected with
> following in /etc/shorewall/rules :
>
> DNAT net:!+myip dmz:10.0.0.101 tcp 443 -
> xxx.xxx.xxx.xxx
>
> The documentation says that I can add multiple ipsets with !+[...].
> When I create a second ipset and add it as described I am no longer
> prevented from accessing the service from my own ip :
>
> DNAT net:!+[ipset,myip] dmz:10.0.0.101 tcp 443
> - xxx.xxx.xxx.xxx
>
> I presume that this means that neither ipset is working.
>

What you have above excludes only source addresses that are in *BOTH*
ipsets. You wanted this instead:

DNAT net:!+ipset,+myip dmz:...

- -Tom
- --
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________

Continue reading on narkive:

Search results for '[Shorewall-users] Multiple ipsets' (Questions and Answers)

replies

Am i in the wrong for being upset about him watching porn?

started 2015-01-09 04:52:23 UTC

singles & dating