/ 2004-08-27 18:20:17 +0200 \ Raphael Leplae:
Now if I need to block a specific domain, let's say *.123.123.123, is there a simple way to do it in /etc/sysconfig/SuSEfirewall2? I was expecting something like: FW_REJECT_IP="*.123.123.123" but there is nothing like that in the examples provided in /usr/share/doc/packages/SuSEfirewall2/
I guess there is a simple way to do it. Thanks in advance.
either you mean 123.123.123.* ... then it is simply FW_REJECT_IP=123.123.123.0/24
Ooops, yes I meant 123.123.123.* I tested the FW_REJECT_IP key but it doesn't seem to have any effect...
My problem is that I want to block the following: 212.27.41.* These IPs match a "web robot" for a web search engine that doesn't recognise the robots.txt rules on my web server, since they process my cgi scripts despite my 'Disallow:/cgi-bin/' rule and cripple my server. Other "robots" behave ok. So the best is to stop them using the firewall. So I added in /etc/sysconfig/SuSEfirewall2 the line: FW_REJECT_IP=212.27.41.0/24
I restarted the suse firewall: /etc/init.d/SuSEfirewall2_final restart
But the access is not blocked, the web server keeps being hammered by these 212.27.41.* :-(
If the FW_REJECT_IP keyword is not recognised by SuSEfirewall2, would an iptables line be recognised? It seems more complicated than I thought...
well, it "officially" can only do what is documented in /etc/sysconfig/SuSEfirewall2. I did not look there for a longer time, so I thought that would have been added meanwhile. but you obviously only made up a new variable the script does not know about...

/sbin/SuSEfirewall2 is "just" a shell script. it does only know about some variables. if you define others, then they are just variables, but are not interpreted in any way. unless you add that functionality there... (put something like this right after the section for "Trusted Network handling", before the section titled "IP Stuff":

    for NET in $FW_REJECT_IP ; do
        # networks can be on any interface ...
        for CHAIN in input_ext input_dmz input_int; do
            $IPTABLES -A $CHAIN -j "$REJECT" -s $NET   # hm. or rather $DROP ??
        done
    done

)

if you don't like or are too confused by the SuSEfirewall2 system, there are plenty of other iptables "firewall" scripts out there, some include guis, some invent a new "meta language"... some may be "better" or "worse" in this way or an other.

if you want to go with sfw2, and you want your definitions to be persistent, there are various "custom" hooks (see 25., e.g. in FW_CUSTOM=/etc/sysconfig/scripts/SuSEfirewall2-custom) and of course, you can always add/delete rules at runtime by using iptables by hand.

lge
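As an added example (not from lge or the SuSEfirewall2 scripts), the loop above carried one step further: each network in the FW_REJECT_IP list is validated as dotted-quad IPv4 with an optional /prefix before any rule is built, so a typo like the original "*.123.123.123" is reported and skipped rather than handed to iptables. The chain names input_ext/input_dmz/input_int are the ones lge used; the function prints the iptables commands instead of running them so it can be reviewed first.

```shell
#!/bin/sh
# Return 0 if $1 is an IPv4 address in dotted-quad form with an optional /0-32 prefix.
is_ipv4_cidr() {
    case "$1" in
        */*) addr=${1%/*}; prefix=${1#*/} ;;
        *)   addr=$1; prefix=32 ;;
    esac
    # Only digits and dots in the address, only digits in the prefix
    # (this also keeps a stray "*" from being glob-expanded below).
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        case "$oct" in ''|*[!0-9]*) return 1 ;; esac
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# Print one "iptables -A <chain> -s <net> -j DROP" line per chain and network.
# $1: space-separated networks (the FW_REJECT_IP value), $2: chains (optional,
# defaults to the SuSEfirewall2 input chains named in the thread).
# Invalid entries go to stderr and are skipped; returns 1 if any were skipped.
# DROP is used here (the alternative lge mentions is the REJECT target).
reject_rules() {
    nets=$1
    chains=${2:-"input_ext input_dmz input_int"}
    bad=0
    for net in $nets; do
        if ! is_ipv4_cidr "$net"; then
            echo "skipping invalid FW_REJECT_IP entry: $net" >&2
            bad=1
            continue
        fi
        for chain in $chains; do
            echo "iptables -A $chain -s $net -j DROP"
        done
    done
    return $bad
}

# Example run with the network from the thread; pipe the output into sh to apply.
reject_rules "212.27.41.0/24"
```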