[Shorewall-users] ipsets + Mutli ISP

[Harry L. <gr...@fr...>]

Hi all
I am trying to get ipsets to work

how ever I seem to come across a problem I don't quite understand ..

I wan't friend nets ( white zone )  to be able to log into the firewall

I am using ipsets for this ..

I went through to ipsets shorewall howto  page

But I does'nt seem to work propely ...
I' ve tried both
wild card on interfaces

-   eth0   .....
-   eth1   .....

and in hosts

net   eth0:0.0.0.0/0
net   eth0:0.0.0.0/0

and without wild cards

Interfaces
net   eth0    ....
net   eth1   ....

Common in both cases was the
zones file
white   ipv4

hosts
white   eth0:+whitehosts,+whitenets
white   eth1:+whitehosts,+whitenets


shorewall dump shows that the eth0_in chain
the white2fw rule gets inserted bellow the net2fw

My policy rule is
net   fw   drop

-----------------------------------------------------------------------------------------------------------------------------------------------------------
  43  3972 dynamic    all  --  *      *       0.0.0.0/0            
0.0.0.0/0           state INVALID,NEW
   43  3972 smurfs     all  --  *      *       0.0.0.0/0            
0.0.0.0/0           state INVALID,NEW
   19   912 tcpflags   tcp  --  *      *       0.0.0.0/0            
0.0.0.0/0
  133 11532 net2fw     all  --  *      *       0.0.0.0/0            
0.0.0.0/0
    0     0 white2fw   all  --  *      *       0.0.0.0/0            
0.0.0.0/0           set whitehosts src
    0     0 white2fw   all  --  *      *       0.0.0.0/0            
0.0.0.0/0           set whitenets sr

----------------------------------------------------------------------------------------------------------------------------------------------------------
I manually did
a
iptables -I  eth0_in -m  set --set whitehosts src -j white2fw
iptables -I eth0_in -m   set  --set whitehosts src -j white2fw
that is inserting on top of the chain ..... and it all worked :-\ ........


I include my shorewall.dump file

Thanks in Advance

Harry.