[Fwbuilder-discussion] Deny all from "big" network, while not from "small" network within
From: Mike W. <mik...@co...> - 2007-11-07 12:36:39
Hi,

You'll have to excuse the rather obtuse subject line, my problem isn't easily described so briefly!

I'm trying to work around a limitation of the Kame IPSEC stack in Linux 2.6 (it doesn't have ipsecX virtual interfaces, and KLIPS isn't supported by my vendor).

What I'm trying to achieve is allowing traffic from the internal networks (various subnets of 192.168.xxx.xxx) in over the firewall's external interface, while dropping traffic from all the other possible 192.168.0.0/16 addresses. However, what I don't want is to actually *allow* those internal networks yet; network to network stuff is allowed and denied later on.

If only I had virtual interfaces, it'd be a simple ALLOW this, that, and the other, coming in ipsecX, while DENYing 192.168.0.0/16 in eth0.

What I guess I really want is a chain that would RETURN for various 192.168.xxx.xxx addresses/networks, then DENY for 192.168.0.0/16, then RETURN for everything else.

Is this at all practical?

Thanks

--
Mike Williams
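The chain described in the post (RETURN for the known internal subnets, DROP for the rest of 192.168.0.0/16, RETURN for everything else) can be checked before it goes near a firewall. The following is an added example, not code from the post or from fwbuilder: it models first-match chain evaluation the way netfilter walks a user-defined chain, and renders the equivalent iptables commands as strings for a dry run. The chain name `RFC1918_GUARD` and the internal subnets 192.168.10.0/24 and 192.168.20.0/24 are constructed placeholders for the poster's real networks.

```python
"""Model the RETURN / DROP / RETURN chain from the post and render it as iptables commands.

Added example, not from the mailing-list post or from fwbuilder. The internal
subnets and the chain name are constructed placeholders.
"""
import ipaddress
from typing import List, Tuple

# A rule is (source network, target). Order matters: a chain is walked top to
# bottom and the first matching rule decides the packet's fate.
Rule = Tuple[ipaddress.IPv4Network, str]

INTERNAL_NETS = ["192.168.10.0/24", "192.168.20.0/24"]  # constructed placeholders
PRIVATE_16 = "192.168.0.0/16"
CHAIN_NAME = "RFC1918_GUARD"  # hypothetical chain name


def build_chain(internal_nets: List[str], blanket: str = PRIVATE_16) -> List[Rule]:
    """RETURN for each known internal subnet, then DROP the whole blanket
    network, then RETURN for anything else. The RETURNs must come first:
    putting the DROP first would discard the internal traffic too."""
    chain: List[Rule] = [(ipaddress.ip_network(n), "RETURN") for n in internal_nets]
    chain.append((ipaddress.ip_network(blanket), "DROP"))
    chain.append((ipaddress.ip_network("0.0.0.0/0"), "RETURN"))
    return chain


def evaluate(chain: List[Rule], src: str) -> str:
    """First match wins. RETURN hands the packet back to the calling chain,
    so the later network-to-network rules still decide whether it is allowed;
    only DROP is final here."""
    addr = ipaddress.ip_address(src)
    for net, target in chain:
        if addr in net:
            return target
    return "RETURN"  # reaching the end of a user chain also returns


def render_iptables(chain: List[Rule], name: str = CHAIN_NAME, iface: str = "eth0") -> List[str]:
    """Emit the equivalent iptables commands as strings (dry run, nothing executed)."""
    cmds = [f"iptables -N {name}"]
    for net, target in chain:
        cmds.append(f"iptables -A {name} -s {net} -j {target}")
    # Jump into the guard chain for traffic arriving on the external interface,
    # ahead of the rules that later allow or deny the network-to-network traffic.
    cmds.append(f"iptables -I INPUT -i {iface} -j {name}")
    cmds.append(f"iptables -I FORWARD -i {iface} -j {name}")
    return cmds


if __name__ == "__main__":
    chain = build_chain(INTERNAL_NETS)
    for src in ("192.168.10.5", "192.168.200.1", "10.0.0.1"):
        print(f"{src:15} -> {evaluate(chain, src)}")
    print()
    print("\n".join(render_iptables(chain)))
```

Running it shows 192.168.10.5 returning to the caller (so a later rule still has to allow it), 192.168.200.1 being dropped, and 10.0.0.1 returning untouched. Swapping the order of the RETURN and DROP rules in `build_chain` is the mistake to watch for: the DROP would then match the internal subnets first and the tunnelled traffic would never reach the later network-to-network rules.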