aaron219@50mail.com
2013-Mar-21 14:25 UTC
Beginner question about inbound or outbound only rules in Shorewall
Hi

I'm just getting started doing my own firewall and using Shorewall.

When I look at examples in "raw" iptables code I can see how to do inbound-only and outbound-only rules. I'd use

    iptables -i eth0 ...

or

    iptables -o eth0 ...

How do you do the same thing in Shorewall? I'm not sure just looking at the columns in the "rules" file:

    #ACTION  SOURCE  DEST  PROTO  DEST  SOURCE   ORIGINAL  RATE   USER/  MARK  CONNLIMIT  TIME  HEADERS  SWITCH  HELPER
    #                             PORT  PORT(S)  DEST      LIMIT  GROUP

So for example if I want to block ONLY outbound traffic with DEST PORT 10, and SOURCE PORT = 20 crossing eth0 but allow inbound, what's the format for the rule?

Sorry if I'm missing something obvious. :-/

Aaron

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_mar
Tom Eastep
2013-Mar-21 14:50 UTC
Re: Beginner question about inbound or outbound only rules in Shorewall
On 03/21/2013 07:25 AM, aaron219@50mail.com wrote:
> Hi
>
> I'm just getting started doing my own firewall and using Shorewall.
>
> When I look at examples in "raw" iptables code I can see how to do
> inbound-only and outbound-only rules.
>
> I'd use
>
>     iptables -i eth0 ...
>
> or
>
>     iptables -o eth0 ...
>
> How do you do the same thing in Shorewall?
>
> I'm not sure just looking at the columns in the "rules" file
>
> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
> CONNLIMIT TIME HEADERS SWITCH HELPER
> #                         PORT PORT(S) DEST LIMIT GROUP
>
> So for example if I want to block ONLY outbound traffic with DEST PORT
> 10, and SOURCE PORT = 20 crossing eth0 but allow inbound
> what's the format for the rule?
>
> Sorry if I'm missing something obvious. :-/

I suggest that you go to http://www.shorewall.net/GettingStarted.html and select the QuickStart Guide that fits your requirements.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
aaron219@50mail.com
2013-Mar-21 15:06 UTC
Re: Beginner question about inbound or outbound only rules in Shorewall
Hi Tom

> I suggest that you go to http://www.shorewall.net/GettingStarted.html
> and select the QuickStart Guide that fits your requirements.

I've been starting with the http://www.shorewall.net/two-interface.htm guide already. I'm reading it and it's kinda tough to follow but I'm working on it.

I have a pretty specific question that I'm confused about that I didn't find or didn't understand an answer to in there. I was told that this is the right list to get some help on for beginners.

Like I said I must be missing it. It sounds like you're sure the answer is in there. Could you maybe actually point to the answer to my question specifically?

Thanks a lot for your help.

Aaron
Tom Eastep
2013-Mar-21 15:17 UTC
Re: Beginner question about inbound or outbound only rules in Shorewall
On 03/21/2013 08:06 AM, aaron219@50mail.com wrote:
> Hi Tom
>
>> I suggest that you go to http://www.shorewall.net/GettingStarted.html
>> and select the QuickStart Guide that fits your requirements.
>
> I've been starting with the http://www.shorewall.net/two-interface.htm
> guide already. I'm reading it and it's kinda tough to follow but I'm
> working on it.
>
> I have a pretty specific question that I'm confused about that I didn't
> find or didn't understand an answer to in there. I was told that this
> is the right list to get some help on for beginners.
>
> Like I said I must be missing it. It sounds like you're sure the
> answer is in there. Could you maybe actually point to the answer to my
> question specifically?

When you say 'outbound', I assume that you mean traffic destined for the internet? And you want to block both UDP and TCP? If so:

    #ACTION  SOURCE  DEST  PROTO    DEST     SOURCE
    #                               PORT(S)  PORT(S)
    REJECT   all     net   udp,tcp  10       20

Where your interfaces file has:

    FORMAT 2
    #ZONE  INTERFACE  OPTIONS
    net    eth0       ...

-Tom
Simon Hobson
2013-Mar-21 17:21 UTC
Re: Beginner question about inbound or outbound only rules in Shorewall
aaron219@50mail.com wrote:
> When I look at examples in "raw" iptables code I can see how to do
> inbound-only and outbound-only rules.
>
> I'd use
>
>     iptables -i eth0 ...
>
> or
>
>     iptables -o eth0 ...
>
> How do you do the same thing in Shorewall?

In general you don't. In shorewall, you normally specify rules in terms of zones (as is normal on most firewalls). So you map interface(s) to zones, and then use zones in your rules - and there may be more than one interface in a zone.

So for example, you would write a rule:

    HTTP/ACCEPT  net  dmz:$webserver

to allow HTTP traffic inbound to a webserver in the DMZ. Shorewall will take care of mapping zones to interfaces in iptables rules.
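The zone-to-interface mapping Simon describes, applied to Tom's REJECT rule and to Simon's HTTP/ACCEPT rule, as an added example that is not part of the thread and not Shorewall's own code: Shorewall's compiler builds per-zone-pair chains (loc2net, net2fw and so on) and applies the policy file; this toy model instead flattens each rules-file line into plain INPUT/OUTPUT/FORWARD commands so the `-i`/`-o` that Aaron asked about becomes visible. The zones, interfaces, params and rules files are constructed sample input; the interface names, the dmz zone, the second loc interface, the 10.0.2.10 address and the one-entry macro table are assumptions.

```python
"""Toy model of how Shorewall maps zone-based rules onto interface-based
iptables rules.  Added example, not Shorewall's compiler (which builds
per-zone-pair chains such as loc2net): each rule is flattened into
INPUT/OUTPUT/FORWARD so the -i/-o the zones imply becomes visible."""
import re
# Constructed sample config in Shorewall's column layout.  Interface names,
# the dmz zone, the second loc interface and 10.0.2.10 are assumptions.
ZONES = """\
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
"""
INTERFACES = """\
FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs
loc     eth1        tcpflags
loc     eth3        tcpflags
dmz     eth2        tcpflags
"""
PARAMS = {"webserver": "10.0.2.10"}    # stands in for /etc/shorewall/params
RULES = """\
#ACTION       SOURCE  DEST            PROTO    DPORT  SPORT
REJECT        all     net             udp,tcp  10     20
HTTP/ACCEPT   net     dmz:$webserver
"""
MACROS = {"HTTP": ("tcp", "80")}       # only the macro used above

def parse_table(text):
    """Rows of whitespace-separated columns, minus comments, blank lines
    and FORMAT/SECTION directives (with or without a leading '?')."""
    rows = []
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()
        if cols and cols[0].lstrip("?").upper() not in ("FORMAT", "SECTION"):
            rows.append(cols)
    return rows

def load_interfaces(text):       # zone name -> interfaces (a zone may have several)
    ifaces = {}
    for cols in parse_table(text):
        ifaces.setdefault(cols[0], []).append(cols[1])
    return ifaces

def split_endpoint(spec, params):
    """'dmz:$webserver' -> ('dmz', '10.0.2.10'); 'net' -> ('net', None)."""
    zone, _, addr = spec.partition(":")
    addr = re.sub(r"\$(\w+)", lambda m: params[m.group(1)], addr)
    return zone, addr or None

def paths(src_zone, dst_zone, zones, ifaces):
    """(in_iface, out_iface, chain) per interface pair; the firewall zone
    has no interface, so traffic from it uses OUTPUT and traffic to it INPUT."""
    if zones[src_zone] == "firewall":
        return [(None, o, "OUTPUT") for o in ifaces[dst_zone]]
    if zones[dst_zone] == "firewall":
        return [(i, None, "INPUT") for i in ifaces[src_zone]]
    return [(i, o, "FORWARD") for i in ifaces[src_zone] for o in ifaces[dst_zone]]

def compile_rule(cols, zones, ifaces, params, macros):
    """Translate one rules-file line into flat iptables commands."""
    action, src_spec, dst_spec = cols[0], cols[1], cols[2]
    col = lambda i: cols[i] if len(cols) > i and cols[i] != "-" else None
    protos, dport, sport = col(3), col(4), col(5)
    if "/" in action:                  # HTTP/ACCEPT: the macro supplies proto and dport
        macro, action = action.split("/", 1)
        protos, dport = macros[macro]
    src_zone, src_addr = split_endpoint(src_spec, params)
    dst_zone, dst_addr = split_endpoint(dst_spec, params)
    # plain 'all' is every zone but the one on the other side ('all+' adds intra-zone)
    src_zones = [z for z in zones if z != dst_zone] if src_zone == "all" else [src_zone]
    dst_zones = [z for z in zones if z != src_zone] if dst_zone == "all" else [dst_zone]
    cmds = []
    for sz in src_zones:
        for dz in dst_zones:
            for in_if, out_if, chain in paths(sz, dz, zones, ifaces):
                for proto in (protos or "-").split(","):
                    parts = ["iptables", "-A", chain]
                    parts += ["-i", in_if] if in_if else []
                    parts += ["-o", out_if] if out_if else []
                    parts += ["-s", src_addr] if src_addr else []
                    parts += ["-d", dst_addr] if dst_addr else []
                    if proto != "-":       # --sport/--dport need a protocol
                        parts += ["-p", proto]
                        parts += ["--sport", sport] if sport else []
                        parts += ["--dport", dport] if dport else []
                    parts += ["-j", action]
                    cmds.append(" ".join(parts))
    return cmds

def compile_rules(rules=RULES, zones=ZONES, interfaces=INTERFACES, params=PARAMS, macros=MACROS):
    zone_types = {c[0]: c[1] for c in parse_table(zones)}   # name -> type, file order
    ifaces = load_interfaces(interfaces)
    return [c for cols in parse_table(rules)
            for c in compile_rule(cols, zone_types, ifaces, params, macros)]

if __name__ == "__main__":
    print("\n".join(compile_rules()))
```

Running it prints nine commands. Nothing in the rules file names eth0, yet every REJECT carries `-o eth0` because the interfaces file binds net to eth0, and the loc zone's two interfaces each get their own FORWARD rule; traffic arriving on eth0 (`-i eth0`) with those ports is not touched, which is the "block outbound only" Aaron asked for. On a real Shorewall host, `shorewall check` validates the files and `shorewall show` (or `iptables -L -n -v`) shows the zone-pair chains the real compiler generates.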