Hi,

I am a novice regarding firewalling in general and Shorewall in particular... so:

I would like to use Shorewall on a laptop. I have read the doc, but I can't figure out how to handle the fact that I am alternatively connected via Wifi (--> eth1 on my machine) or cable (--> eth0). Of course the IP address is assigned by DHCP in both cases.

In any case I would like that:

1) the firewall starts even if one of the interfaces is down (this will always be the case!)

2) the same set of rules apply to either eth0 or eth1, whichever is up: this will always be my internet zone

3) Not having to change my setup depending on the way I am connected (I might switch to wifi to go to another office, then switch back to cable some time later and so on)

I also have a tun0 (openvpn) interface, but this is another matter...

So, can this kind of setup be handled by iptables in general, Shorewall in particular?

Thanks in advance,
Franck

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
Franck Routier wrote:
> Hi,
>
> I am a novice regarding firewalling in general and Shorewall in
> particular... so:
>
> I would like to use Shorewall on a laptop.
> I have read the doc, but I can't figure out how to handle the fact that I
> am alternatively connected via Wifi (--> eth1 on my machine) or cable
> (--> eth0). Of course the IP address is assigned by DHCP in both cases.
>
> In any case I would like that:
>
> 1) the firewall starts even if one of the interfaces is down (this will
> always be the case!)
>
> 2) the same set of rules apply to either eth0 or eth1, whichever is up:
> this will always be my internet zone
>
> 3) Not having to change my setup depending on the way I am connected (I
> might switch to wifi to go to another office, then switch back to cable
> some time later and so on)
>
> I also have a tun0 (openvpn) interface, but this is another matter...
>
> So, can this kind of setup be handled by iptables in general, Shorewall
> in particular?

Yes. Attached, please find the files that I use (also supports OpenVPN client -- both bridged and routed).

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Great! Thanks a lot Tom.

I will try this setup and make an attempt to understand how it's done. I might come back here to find some enlightenment on what it means, if needed :)

Thanks again.
Franck

On Tuesday 06 November 2007 at 08:41 -0800, Tom Eastep wrote:
> Franck Routier wrote:
> > Hi,
> >
> > I am a novice regarding firewalling in general and Shorewall in
> > particular... so:
> >
> > I would like to use Shorewall on a laptop.
> > I have read the doc, but I can't figure out how to handle the fact that I
> > am alternatively connected via Wifi (--> eth1 on my machine) or cable
> > (--> eth0). Of course the IP address is assigned by DHCP in both cases.
> >
> > In any case I would like that:
> >
> > 1) the firewall starts even if one of the interfaces is down (this will
> > always be the case!)
> >
> > 2) the same set of rules apply to either eth0 or eth1, whichever is up:
> > this will always be my internet zone
> >
> > 3) Not having to change my setup depending on the way I am connected (I
> > might switch to wifi to go to another office, then switch back to cable
> > some time later and so on)
> >
> > I also have a tun0 (openvpn) interface, but this is another matter...
> >
> > So, can this kind of setup be handled by iptables in general, Shorewall
> > in particular?
>
> Yes. Attached, please find the files that I use (also supports OpenVPN
> client -- both bridged and routed).
>
> -Tom
>
> plain text document attachment (blacklist)
> #
> # Shorewall version 3.2 - Blacklist File
> #
> # /etc/shorewall/blacklist
> #
> # Please see http://shorewall.net/blacklisting_support.htm for additional
> # information.
> #
> ###############################################################################
> #ADDRESS/SUBNET         PROTOCOL        PORT
> -                       udp             1024:1033,1434
> -                       tcp             57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> plain text document attachment (interfaces)
> #ZONE   INTERFACE       BROADCAST       OPTIONS                                                         GATEWAY
> #
> net     eth0            detect          dhcp,tcpflags,routefilter,blacklist,logmartians,optional,arp_ignore
> net     wlan0           detect          dhcp,tcpflags,routefilter,blacklist,logmartians,optional
> lan     $TAP            detect
> lan     tun0            detect          maclist,optional
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> plain text document attachment (params)
> VAR=WLAN
> WLAN=wlan0
> TAP=tap0
> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
>
> plain text document attachment (policy)
> #SOURCE DEST    POLICY          LOG     LIMIT:BURST
> #                               LEVEL
> net     net     NONE
> lan     lan     NONE
> fw      net     ACCEPT
> fw      lan     ACCEPT
> lan     fw      ACCEPT
> net     lan     NONE
> lan     net     NONE
> net     all     DROP            info
> # The FOLLOWING POLICY MUST BE LAST
> all     all     REJECT          info
> #LAST LINE -- DO NOT REMOVE
>
> plain text document attachment (routestopped)
> ##############################################################################
> #INTERFACE      HOST(S)                 OPTIONS
> wlan0           192.168.0.0/22          critical
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> plain text document attachment (rules)
> ####################################################################################################
> #ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/
> #                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
> ACCEPT          net             fw              icmp    8
> ACCEPT          net             fw              tcp     22
> allowBcast      net             fw              all
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> plain text document attachment (shorewall.conf)
> STARTUP_ENABLED=Yes
> DYNAMIC_ZONES=No
> FASTACCEPT=Yes
> VERBOSITY=0
> LOGFILE=/var/log/messages
> LOGFORMAT="fp=%s:%d a=%s "
> LOGTAGONLY=No
> LOGRATE=
> LOGBURST=
> LOGALLNEW=
> BLACKLIST_LOGLEVEL=
> MACLIST_LOG_LEVEL=info
> TCP_FLAGS_LOG_LEVEL=ULOG
> RFC1918_LOG_LEVEL=info
> SMURF_LOG_LEVEL=info
> LOG_MARTIANS=
> IPTABLES=
> PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
> SHOREWALL_SHELL=/bin/dash
> SUBSYSLOCK=
> MODULESDIR=
> CONFIG_PATH=/etc/shorewall:/home/teastep/shorewall/trunk/New:/usr/share/shorewall
> RESTOREFILE=
> IPSECFILE=zones
> LOCKFILE=/var/lock/shorewall
> IP_FORWARDING=On
> ADD_IP_ALIASES=Yes
> ADD_SNAT_ALIASES=No
> RETAIN_ALIASES=Yes
> TC_ENABLED=No
> CLEAR_TC=Yes
> MARK_IN_FORWARD_CHAIN=No
> CLAMPMSS=No
> ROUTE_FILTER=
> DETECT_DNAT_IPADDRS=No
> MUTEX_TIMEOUT=60
> ADMINISABSENTMINDED=Yes
> BLACKLISTNEWONLY=Yes
> DELAYBLACKLISTLOAD=No
> MODULE_SUFFIX=
> DISABLE_IPV6=Yes
> BRIDGING=No
> PKTTYPE=No
> RFC1918_STRICT=No
> MACLIST_TTL=
> SAVE_IPSETS=No
> EXPORTPARAMS=No
> BLACKLIST_DISPOSITION=DROP
> MACLIST_DISPOSITION=REJECT
> TCP_FLAGS_DISPOSITION=DROP
> SHOREWALL_COMPILER=perl
>
> plain text document attachment (tunnels)
> # TYPE                  ZONE    GATEWAY         GATEWAY
> #                                               ZONE
> #
> openvpnclient:1194      net     192.168.3.254
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> plain text document attachment (zones)
> #ZONE   IPSEC   OPTIONS         IN                      OUT
> #       ONLY                    OPTIONS                 OPTIONS
> fw      firewall
> lan     ipv4
> net     ipv4
> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

--
Franck Routier
Axège Sarl - 23, rue Saint-Simon, 63000 Clermont-Ferrand (FR)
Tel: +33 463 059 540
email: franck.routier@axege.com

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Franck Routier wrote:
> Great! Thanks a lot Tom.
>
> I will try this setup and make an attempt to understand how it's done.
> I might come back here to find some enlightenment on what it means, if
> needed :)
>

Some suggested reading:

http://www.shorewall.net/Introduction.html
http://www.shorewall.net/standalone.htm
http://www.shorewall.net/configuration_file_basics.htm
http://www.shorewall.net/Manpages.html
http://www.shorewall.net/OPENVPN.html

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Hi,

First of all, I must say thanks again. Tom's setup works great for me :)

However, I'm coming back with a few questions...

1) What does routestopped mean? I see in Tom's config file a statement saying:
wlan0 192.168.0.0/22 critical
Why this? Why on wlan0 and not on eth0? Why critical? Reading the doc did not give me enough clues...

2) In interfaces, there is an option for eth0 and wlan0 (eth1 for me) saying: optional
This keyword does not seem to be recognized by my version of Shorewall (3.4.4 on Ubuntu Gutsy). It is also not documented in my man page. But it does not really hurt, as Shorewall seems to start anyway... ?! What is it?

3) In the same file, if I add the maclist option to the tun0 interface, shorewall won't start, as it seems to demand that tun0 is up before it starts to use this option. But my tun0 interface is not always up (when I'm on the train or in the office, for example). So I commented it out, but I liked the idea of restricting the VPN to my server's MAC address... Is there another way?

4) In rules, what is allowBcast? I have no such action or macro... What am I missing?

5) Also I don't have the shorewall-perl package installed, so I left compile=shell. Does it matter? Also the default setup in Ubuntu uses bash, not dash, in shorewall.conf. Should I switch to dash? What is the deal?

Thanks in advance,
Franck

On Tuesday 06 November 2007 at 09:43 -0800, Tom Eastep wrote:
> Franck Routier wrote:
> > Great! Thanks a lot Tom.
> >
> > I will try this setup and make an attempt to understand how it's done.
> > I might come back here to find some enlightenment on what it means, if
> > needed :)
> >
>
> Some suggested reading:
>
> http://www.shorewall.net/Introduction.html
> http://www.shorewall.net/standalone.htm
> http://www.shorewall.net/configuration_file_basics.htm
> http://www.shorewall.net/Manpages.html
> http://www.shorewall.net/OPENVPN.html
>
> -Tom

--
Franck Routier
Axège Sarl - 23, rue Saint-Simon, 63000 Clermont-Ferrand (FR)
Tel: +33 463 059 540
email: franck.routier@axege.com
Franck Routier wrote:
> Hi,
>
> First of all, I must say thanks again. Tom's setup works great for me :)
>
> However, I'm coming back with a few questions...
>
> 1) What does routestopped mean?

man shorewall-routestopped

> I see in Tom's config file a statement saying:
> wlan0 192.168.0.0/22 critical
>
> Why this? Why on wlan0 and not on eth0? Why critical?
> Reading the doc did not give me enough clues...

I am the Shorewall developer. I often put things in my configuration files to test while trying to solve user issues. This is one of those things. Ignore it.

> 2) In interfaces, there is an option for eth0 and wlan0 (eth1 for me)
> saying: optional
>
> This keyword does not seem to be recognized by my version of Shorewall
> (3.4.4 on Ubuntu Gutsy).
> It is also not documented in my man page.
> But it does not really hurt, as Shorewall seems to start anyway... ?!
> What is it?

Please see http://www.shorewall.net/manpages/shorewall-interfaces.html (the 4.0 man page).

> 3) In the same file, if I add the maclist option to the tun0 interface,
> shorewall won't start, as it seems to demand that tun0 is up before it starts
> to use this option.
> But my tun0 interface is not always up (when I'm on the train or in the
> office, for example)
>
> So I commented it out, but I liked the idea of restricting the VPN to my server's
> MAC address... Is there another way?

No.

> 4) In rules, what is allowBcast? I have no such action or macro... What
> am I missing?

It is a builtin macro that allows broadcasts and multicasts.

> 5) Also I don't have the shorewall-perl package installed, so I left
> compile=shell. Does it matter?

On Shorewall 3.x, there is no Shorewall-perl. So it will only matter when you upgrade to 4.0.

> Also the default setup in Ubuntu uses bash, not dash, in shorewall.conf.
> Should I switch to dash? What is the deal?

The dash shell is much faster than bash.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
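As an added example (not from the thread and not Shorewall's own tooling), a small POSIX sh lint for the interfaces file discussed above, assuming the ZONE/INTERFACE/BROADCAST/OPTIONS column layout of Tom's file: it flags interfaces in a zone that lack `optional` (the firewall cannot start while such a link is down, which is exactly Franck's laptop problem) and `maclist` on an interface marked `optional`, the combination Franck found blocks startup on his 3.4.4 install. The sample file and the `lint_interfaces`/`write_sample` names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread, not Shorewall's own code): lint a
# Shorewall 'interfaces' file for a laptop whose links come and go.
# Assumed column layout, as in Tom's file: ZONE INTERFACE BROADCAST OPTIONS
#
# lint_interfaces FILE ZONE prints one "iface finding" line per problem:
#   no-optional      an interface in ZONE lacks 'optional', so the firewall
#                    cannot start while that link is down
#   maclist-optional 'maclist' on an interface that may be down; Franck saw
#                    this stop startup on 3.4.4, so check it on your version
lint_interfaces() {
    file=$1
    zone=$2
    # strip comments, then split each remaining line into its columns
    sed -e 's/#.*//' "$file" | while read -r z iface bcast opts rest; do
        [ -n "$z" ] || continue
        has_opt=0; has_mac=0
        case ",$opts," in *,optional,*) has_opt=1 ;; esac
        case ",$opts," in *,maclist,*)  has_mac=1 ;; esac
        if [ "$z" = "$zone" ] && [ "$has_opt" -eq 0 ]; then
            printf '%s no-optional\n' "$iface"
        fi
        if [ "$has_mac" -eq 1 ] && [ "$has_opt" -eq 1 ]; then
            printf '%s maclist-optional\n' "$iface"
        fi
    done
}

# Constructed sample (hypothetical, mirrors Tom's file with Franck's eth1
# in place of wlan0); 'optional' is deliberately missing from eth1.
write_sample() {
    cat >"$1" <<'EOF'
#ZONE   INTERFACE  BROADCAST  OPTIONS
net     eth0       detect     dhcp,tcpflags,routefilter,blacklist,logmartians,optional,arp_ignore
net     eth1       detect     dhcp,tcpflags,routefilter,blacklist,logmartians
lan     tap0       detect
lan     tun0       detect     maclist,optional
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
EOF
}

sample=$(mktemp)
write_sample "$sample"
lint_interfaces "$sample" net   # prints: eth1 no-optional / tun0 maclist-optional
rm -f "$sample"
```

Run it against /etc/shorewall/interfaces with the zone name you use for the uplinks (net in Tom's files); an empty result means every uplink is marked optional and no maclist sits on a link that may be absent at start time.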
Tom Eastep wrote:
>
>> 4) In rules, what is allowBcast? I have no such action or macro... What
>> am I missing?
>
> It is a builtin macro that allows broadcasts and multicasts.

Correction: It is a built-in _action_. See the output of "shorewall show actions".

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key