
List:       leaf-user
Subject:    Re: [leaf-user] shorewall challenge
From:       Trev Peterson <trev () advanced-reality ! com>
Date:       2013-07-30 22:14:25
Message-ID: 1375222465.21045.19.camel () aegir

That should work assuming:

1. The target server is in that range.
2. Your internal PC is always initiating the connection (likely the
case).
3. You allow established connections from net to local (that is the
default).

I'd just try it out and see if the app runs OK.  It likely will work.
Best of luck,

On Tue, 2013-07-30 at 20:49 +0200, Boris wrote:
> Thanks Trev and everybody else answering my question on this topic!
> 
> So, I was quite right with my idea not to work with a wildcard!
> 
> As far as I could manage to grab the DNS for a zone list, it seems, the
> provider owns a whole /24 net.
> Now if I only want to make it work (without getting the whole hostlist
> and with disclaiming the best practice) is it possible to use the rule like
> 
> ACCEPT    loc:192.168.20.1     net:233.122.78.0/24     tcp  80,99
> 
> ???
> 
> Thanks,
> 
> 
> Boris
> 
> On 29.07.2013 23:35, Trev Peterson wrote:
> > To be perfectly honest you probably don't want to put a rule like that
> > in any firewall anyway.  The only way to allow it to do something like
> > that is to pull a DNS zone transfer to get the list of all hosts in that
> > domain and then build the ip rules from there.  Firewalls are ignorant
> > of DNS in general so all DNS names are translated to IP to apply the
> > rule.  Most DNS servers will not allow just anyone to pull a DNS zone
> > transfer so this would fail most of the time.
> > 
> > This is not a permanent solution but might help you right away.  You
> > could figure out what ip or hostname the software is connecting to for
> > this software to work (protocol decode or check shorewall logs to see
> > what is being blocked from this machine).  Then after that add the rule
> > bu IP or reverse DNS or do an the IP to get the hostname (might work
> > might not).
> > 
> > Best of luck,
> > 
> > On Mon, 2013-07-29 at 18:17 +0200, Boris wrote:
> >> Hi all,
> >>
> >>
> >> I'm looking for help in a shorewall rule thing:
> >>
> >> There's a local software on 192.168.20.1 communicating on some ports
> >> with several hosts in the net, so the rules sound like
> >>
> >> ACCEPT     loc:192.168.20.1     net:host1.theirdom.de    80,443
> >> ACCEPT     loc:192.168.20.1     net:host2.theirdom.de    80,999
> >>
> >> host1 is resolved to a different IP than host2.
> >>
> >> Because the communication still doesn't work, I was asking (at least
> >> three times) for the complete set of communications that have to be
> >> accepted and got new rules every time.
> >> Now, that it's beginning to hurt, they tell me I should accept traffic
> >> to all hosts *.theirdom.de. In fact, theirdom.de cannot be resolved.
> >>
> >> So, what to do? Is it possible to work with a wildcard? The longer I
> >> think about it, the more it seems to be nonsense....
> >>
> >> !!??
> >>
> >> Regards,
> >>
> >> Boris
> >>
> >> ------------------------------------------------------------------------------
> >> Get your SQL database under version control now!
> >> Version control is standard for application code, but databases haven't 
> >> caught up. So what steps can you take to put your SQL databases under 
> >> version control? Why should you start doing it? Read more to find out.
> >> http://pubads.g.doubleclick.net/gampad/clk?id=49501711&iu=/4140/ostg.clktrk
> >> ------------------------------------------------------------------------
> >> leaf-user mailing list: leaf-user@lists.sourceforge.net
> >> https://lists.sourceforge.net/lists/listinfo/leaf-user
> >> Support Request -- http://leaf-project.org/
> > 
> 
> 

-- 
Trev Peterson
Advanced Reality
Email: trev@advanced-reality.com
Phone: +1 847 406 9018
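As an added illustration of Trev's suggestion to check the shorewall logs for what is being blocked from this machine (this is example code written for this archive page, not code from the thread or from Shorewall): the script below parses constructed sample log lines in Shorewall's default "Shorewall:chain:disposition:" netfilter log prefix format, lists the destinations 192.168.20.1 was blocked from reaching, checks which of them fall inside the 233.122.78.0/24 range Boris proposed, and emits per-host ACCEPT lines in rules-file syntax for any that do not. The log lines, interface names and the 198.51.100.7 destination are constructed.

```python
import ipaddress
import re

# Constructed sample log lines (not from the thread). Shorewall's default
# log prefix is "Shorewall:<chain>:<disposition>:" followed by the kernel
# netfilter fields (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=, ...).
SAMPLE_LOG = """\
Jul 30 21:01:02 fw kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.20.1 DST=233.122.78.15 LEN=60 PROTO=TCP SPT=49152 DPT=99 SYN
Jul 30 21:01:05 fw kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.20.1 DST=233.122.78.40 LEN=60 PROTO=TCP SPT=49153 DPT=999 SYN
Jul 30 21:01:07 fw kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.20.1 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=49154 DPT=8443 SYN
Jul 30 21:01:09 fw kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.20.77 DST=233.122.78.15 LEN=60 PROTO=TCP SPT=49155 DPT=99 SYN
"""

LOG_RE = re.compile(
    r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):.*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def blocked_destinations(log_text, src_host):
    """Sorted (dst_ip, proto, dport) tuples that src_host was DROPped from reaching."""
    found = set()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("disp") != "DROP" or m.group("src") != src_host:
            continue  # other hosts and non-DROP dispositions are not our concern here
        found.add((m.group("dst"), m.group("proto").lower(), int(m.group("dpt"))))
    return sorted(found)


def split_by_range(dests, cidr):
    """Partition destinations into those inside the proposed /24 and those outside it."""
    net = ipaddress.ip_network(cidr)
    inside, outside = [], []
    for dst, proto, port in dests:
        (inside if ipaddress.ip_address(dst) in net else outside).append((dst, proto, port))
    return inside, outside


def shorewall_rules(src_host, dests):
    """One ACCEPT line per blocked destination, in Shorewall rules-file column order."""
    return ["ACCEPT\tloc:%s\tnet:%s\t%s\t%d" % (src_host, dst, proto, port)
            for dst, proto, port in dests]


if __name__ == "__main__":
    dests = blocked_destinations(SAMPLE_LOG, "192.168.20.1")
    inside, outside = split_by_range(dests, "233.122.78.0/24")
    print("covered by the /24 rule:", inside)
    print("still needing their own rule:")
    print("\n".join(shorewall_rules("192.168.20.1", outside)))
```

Rules generated this way only reflect what the software attempted during the capture window, which is the same "might work, might not" caveat Trev gives; run the application through its full workflow before trusting the list.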



