Hello everyone, sorry for writing in Spanish. I have an issue: everything seems to work fine, my bridge runs fine, Shorewall gives me no error. But my rules supposedly enable certain ports, yet the firewall (Shorewall) does not block the traffic; the fact is that I can download BitTorrent files, listen to music over the Internet and send files through Messenger! Could you give me a little help? I would be grateful!

My installation: CentOS 4.3 + bridge + Shorewall:
eth0 + eth1 = bridge (vdpf0)
VDPF0 = 192.168.64.253
Internet---RouterCisco---VDPF0---LAN
On the LAN I have three network segments.

I have tried the policies one by one, and when I remove one, what happens is that some segment no longer has communication with the other segments or with the Internet. What happens now is that my rules are there as such, but they have no effect, since I keep connecting to music stations, I can send files through MSN, I can get into TV channels via the web. I really don't know what I am doing wrong...! Many thanks...!
Configuration files:

########## zones ##########
fw      firewall
net     ipv4
loc     ipv4
loc1    ipv4
loc2    ipv4

########## hosts ##########
net     vdpf0:eth0
loc     vdpf0:eth1:192.168.64.0/24    routeback,tcpflags
loc1    vdpf0:eth1:192.168.65.0/24    routeback,tcpflags
loc2    vdpf0:eth1:192.168.66.0/24    routeback,tcpflags

########## interfaces ##########
-       vdpf0   detect

########## policy ##########
loc     net     ACCEPT
net     loc     ACCEPT
loc1    net     ACCEPT
net     loc1    ACCEPT
loc2    net     ACCEPT
net     loc2    ACCEPT
#################### POLICIES SEEN BETWEEN SEGMENTS #####################
loc     loc1    ACCEPT
loc1    loc     ACCEPT
loc     loc2    ACCEPT
loc2    loc     ACCEPT
loc1    loc2    ACCEPT
loc2    loc1    ACCEPT
loc     fw      ACCEPT
fw      loc     ACCEPT
loc1    fw      ACCEPT
fw      loc1    ACCEPT
loc2    fw      ACCEPT
fw      loc2    ACCEPT
fw      net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

########### rules ############
ACCEPT  loc     net     tcp     1366,1677,2301,2544,3016,3017,3018,3024,3396,7628,1863,515,631,9100,9102,135,139,445,ftp,smtp,pop3,imap,53,https,8080,80,22
ACCEPT  loc     net     udp     1366,1677,2301,2544,3016,3017,3018,3024,3396,7628,135,445,137,138,139,1024,53
ACCEPT  loc1    net     tcp     1366,1677,2301,2544,3016,3017,3018,3024,3396,7628,1863,515,631,9100,9102,135,139,445,ftp,smtp,pop3,imap,53,https,8080,80,22
ACCEPT  loc1    net     udp     1366,1677,2301,2544,3016,3017,3018,3024,3396,7628,135,445,137,138,139,1024,53
ACCEPT  loc2    net     tcp     1366,1677,2301,2544,3016,3017,3018,3024,3396,7628,1863,515,631,9100,9102,135,139,445,ftp,smtp,pop3,imap,53,https,8080,80,22
ACCEPT  loc2    net     udp     1366,1677,2301,2544,3016,3017,3018,3024,3396,7628,135,445,137,138,139,1024,53
ACCEPT  net     loc     tcp     1366,1677,2301,2544,3016,3017,3018,3024,3396,7628,1863,515,631,9100,9102,135,139,445,ftp,smtp,pop3,imap,53,https,8080,80,22
ACCEPT  net     loc     udp     1366,1677,2301,2544,3016,3017,3018,3024,3396,7628,135,445,137,138,139,1024,53
ACCEPT  net     loc1    tcp     1366,1677,2301,2544,3016,3017,3018,3024,3396,7628,1863,515,631,9100,9102,135,139,445,ftp,smtp,pop3,imap,53,https,8080,80,22
ACCEPT  net     loc1    udp     1366,1677,2301,2544,3016,3017,3018,3024,3396,7628,135,445,137,138,139,1024,53
ACCEPT  net     loc2    tcp     1366,1677,2301,2544,3016,3017,3018,3024,3396,7628,1863,515,631,9100,9102,135,139,445,ftp,smtp,pop3,imap,53,https,8080,80,22
ACCEPT  net     loc2    udp     1366,1677,2301,2544,3016,3017,3018,3024,3396,7628,135,445,137,138,139,1024,53
#################### POLICIES SEEN BETWEEN SEGMENTS #####################
ACCEPT  loc     loc1    tcp     1366,1677,2301,2544,3016,3017,3018,3024,3396,7628,1863,515,631,9100,9102,135,139,445,ftp,smtp,pop3,imap,53,https,8080,80,22
ACCEPT  loc     loc1    udp     1366,1677,2301,2544,3016,3017,3018,3024,3396,7628,135,445,137,138,139,1024,53
ACCEPT  loc1    loc     tcp     1366,1677,2301,2544,3016,3017,3018,3024,3396,7628,1863,515,631,9100,9102,135,139,445,ftp,smtp,pop3,imap,53,https,8080,80,22
ACCEPT  loc1    loc     udp     1366,1677,2301,2544,3016,3017,3018,3024,3396,7628,135,445,137,138,139,1024,53
ACCEPT  loc     loc2    tcp     1366,1677,2301,2544,3016,3017,3018,3024,3396,7628,1863,515,631,9100,9102,135,139,445,ftp,smtp,pop3,imap,53,https,8080,80,22
ACCEPT  loc     loc2    udp     1366,1677,2301,2544,3016,3017,3018,3024,3396,7628,135,445,137,138,139,1024,53
ACCEPT  loc2    loc     tcp     1366,1677,2301,2544,3016,3017,3018,3024,3396,7628,1863,515,631,9100,9102,135,139,445,ftp,smtp,pop3,imap,53,https,8080,80,22
ACCEPT  loc2    loc     udp     1366,1677,2301,2544,3016,3017,3018,3024,3396,7628,135,445,137,138,139,1024,53
ACCEPT  loc1    loc2    tcp
ACCEPT  loc1    loc2    udp
ACCEPT  loc2    loc1    tcp
ACCEPT  loc2    loc1    udp

######## routestopped ###########
vdpf0   -

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
German Jimenez Leal wrote:
> Hello everyone, sorry for writing in Spanish. I have an issue: everything
> seems to work fine, my bridge runs fine, Shorewall gives me no error.

This is an English Language list but hopefully one of our Spanish speaking
subscribers can help you off-list.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> German Jimenez Leal wrote:
>> Hello everyone, sorry for writing in Spanish. I have an issue: everything
>> seems to work fine, my bridge runs fine, Shorewall gives me no error.
>
> This is an English Language list but hopefully one of our Spanish
> speaking subscribers can help you off-list.

That having been said, it looks to me like what German is trying to do is
ill-conceived. The Shorewall box is acting as a bridge yet it looks like
German expects it to act like a router between the three loc zones. I suspect
that this thing doesn't even work after a "shorewall clear". Or if it does, it
is because the router connected to eth0 is routing between the three
sub-networks; if that is the case, then inserting a bridge between that router
and the local networks is inappropriate.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Wednesday 05 July 2006 10:53 pm, German Jimenez Leal wrote:

Really, your only problem is that in the policies you have

  loc net ACCEPT
  net loc ACCEPT

Remove those rules so that your firewall only lets through what you have in
the rules, and that way you limit everything.

> Hello everyone, sorry for writing in Spanish. I have an issue: everything
> seems to work fine, my bridge runs fine, Shorewall gives me no error.
> But my rules supposedly enable certain ports, yet the firewall (Shorewall)
> does not block the traffic; the fact is that I can download BitTorrent
> files, listen to music over the Internet and send files through Messenger!
> Could you give me a little help? I would be grateful!
>
> My installation: CentOS 4.3 + bridge + Shorewall:
> eth0 + eth1 = bridge (vdpf0)
> VDPF0 = 192.168.64.253
> Internet---RouterCisco---VDPF0---LAN
> On the LAN I have three network segments.
>
> I have tried the policies one by one, and when I remove one, what happens
> is that some segment no longer has communication with the other segments
> or with the Internet. What happens now is that my rules are there as such,
> but they have no effect, since I keep connecting to music stations, I can
> send files through MSN, I can get into TV channels via the web.
> I really don't know what I am doing wrong...!
> Many thanks...!
-- 
Fernando Rodriguez
AITelecom

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
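Fernando's point, worked through in code as an added example that is not part of the thread or of Shorewall: a small Python model of the Shorewall decision order (rules file first, zone-pair policy only as the fallback), run over the poster's loc->net rules with the original policy and with the two ACCEPT policies removed. Only the decision order is modelled, not connection tracking or logging; the ports used for the unwanted traffic (6881, 8000) are constructed samples.

```python
"""Model of the decision the thread is about: for a new connection Shorewall
consults the rules file first and falls back to the zone pair's policy.
Added example, not code from the thread or from Shorewall; sample ports such
as 6881 used to exercise it are constructed."""
from collections import namedtuple

# Service names used in the poster's rules, resolved as /etc/services would.
SERVICES = {"ftp": 21, "smtp": 25, "pop3": 110, "imap": 143, "https": 443}
# A new connection: source zone, destination zone, protocol, destination port.
Conn = namedtuple("Conn", "src dst proto port")


def parse_ports(field):
    return {SERVICES[p] if p in SERVICES else int(p) for p in field.split(",")}


def parse_rules(text):
    """Columns: ACTION SOURCE DEST PROTO [DEST_PORTS]; no port column = any port."""
    rules = []
    for line in text.splitlines():
        cols = line.split("#")[0].split()
        if cols:
            ports = parse_ports(cols[4]) if len(cols) > 4 else None
            rules.append((cols[0], cols[1], cols[2], cols[3], ports))
    return rules


def parse_policy(text):
    """Columns: SOURCE DEST POLICY [LOG_LEVEL]; the first matching line wins."""
    rows = (line.split("#")[0].split() for line in text.splitlines())
    return [(c[0], c[1], c[2]) for c in rows if c]


def decide(conn, rules, policy):
    """Action Shorewall applies to conn: the first matching rule, else the policy."""
    for action, src, dst, proto, ports in rules:
        if (src, dst, proto) == (conn.src, conn.dst, conn.proto) and (
                ports is None or conn.port in ports):
            return action
    for src, dst, action in policy:
        if src in (conn.src, "all") and dst in (conn.dst, "all"):
            return action
    raise ValueError("no policy covers %s->%s" % (conn.src, conn.dst))


# The poster's loc->net rules, with the mail-wrapped port lists rejoined.
RULES = parse_rules("""
ACCEPT loc net tcp 1366,1677,2301,2544,3016,3017,3018,3024,3396,7628,1863,515,631,9100,9102,135,139,445,ftp,smtp,pop3,imap,53,https,8080,80,22
ACCEPT loc net udp 1366,1677,2301,2544,3016,3017,3018,3024,3396,7628,135,445,137,138,139,1024,53
""")
# The poster's policy: loc->net is ACCEPT, so the rules above never decide anything.
ORIGINAL_POLICY = parse_policy("loc net ACCEPT\nnet loc ACCEPT\nnet all DROP info\nall all REJECT info")
# Fernando's suggestion: without the two ACCEPT lines, loc->net falls to the catch-all REJECT.
SUGGESTED_POLICY = parse_policy("net all DROP info\nall all REJECT info")
# decide(Conn("loc", "net", "tcp", 6881), RULES, ORIGINAL_POLICY) -> "ACCEPT"; with SUGGESTED_POLICY -> "REJECT"
```

With the suggested policy, a loc->net connection to tcp/80 or udp/53 is still accepted by the rules, while a connection to a port not in the list (for instance the sample 6881) now reaches the catch-all REJECT instead of the ACCEPT policy.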