> Hello.... I have a specific requirement on a one-interface setup... Help me
> guys
Does the below mentioned 'net' zone refer to the Internet? Then you
definitely want a second NIC. (What good is a (fire)wall, if the wall
isn't *between* two zones?)
After that, please see the QuickStart Guides, which will lead you through
the necessary steps to set up your firewall:
http://shorewall.net/shorewall_quickstart_guide.htm
> 1.Allow ssh,dns and web request to the firewall.....Input Chain
>
> ACCEPT net fw tcp 22
> ACCEPT net fw udp 53
> ACCEPT net fw tcp 80
>
> Are the above rules correct?
Looks good, although we can't really tell unless we know more about
your network.
FWIW: As this is a DNS Server, you likely will need tcp/53 as well. If
that server will resolve unknown hosts recursively, you will need to
open the DNS port the other way around, too. See:
http://shorewall.net/ports.htm#id2483067
> 2. Allow 6 pools of IPs to be forwarded through this firewall.... This
> machine stands as a gateway for 6 machines.... (Only one interface)
Uhm, you definitely want those private networks to have a NIC on their
own.
(BTW, are these 6 machines or 6 networks with more than 6 machines? You
mentioned both...)
> How do I do this......
>
> ACCEPT net:192.168.0.1/24 fw
> ACCEPT net:192.168.1.1/24 fw
> ACCEPT net:192.168.2.1/24 fw
> ACCEPT net:192.168.3.1/24 fw
> ACCEPT net:192.168.4.1/24 fw
> ACCEPT net:192.168.5.1/24 fw
>
> Are the above rules correct (or) Any Other Method
Nope. The above will not "forward" anything. Those rules simply mean
that those networks can access services on your firewall.
Sounds like you want masquerading anyway. So add another NIC to your
firewall, and masq those networks.
> 3. Redirect all the port 80 traffic of the above 6 pools; it should be
> redirected to the local machine running squid (port 3128)
Please see the 'rules' file and the very(!) fine documentation on
shorewall.net for the REDIRECT rule. Searching the archives for Squid
might be helpful as well.
karsten
--
Davision - Studio for Design / Internet / Multimedia
UNIX / Linux networks and training
Telephone 06151/273859 Fax 06151/273862
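As an added illustration (not part of karsten's reply and not the Shorewall project's own sample files), this is what the two-NIC layout he recommends looks like in Shorewall's configuration files, covering the three requirements from the question: ssh/web/DNS to the firewall (with tcp/53 and the outbound DNS direction), masquerading for the six private networks, and the port-80 REDIRECT to Squid on 3128. The interface names eth0/eth1, the policy choices and the column layout (Shorewall 3.x-era sample format) are assumptions; check them against the release and docs for the version you run.

```text
# /etc/shorewall/zones - the firewall itself, the Internet side, the LAN side
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4

# /etc/shorewall/interfaces - one NIC per zone (assumed names eth0 = Internet, eth1 = LAN)
# the six 192.168.0.0/24 .. 192.168.5.0/24 networks are reached via eth1
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter
loc     eth1        detect

# /etc/shorewall/policy - deny by default; LAN and the firewall itself may go out
# (requirement 2: loc->net ACCEPT plus the masq entry below is what "forwards" the LAN)
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
fw      net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/masq - masquerade everything that arrives on eth1 when it leaves via eth0
#INTERFACE  SOURCE
eth0        eth1

# /etc/shorewall/rules
#ACTION     SOURCE  DEST    PROTO   DEST PORT(S)
# requirement 1: services the firewall offers; DNS needs udp/53 and tcp/53, from both sides
ACCEPT      net     fw      tcp     22
ACCEPT      net     fw      tcp     80
ACCEPT      all     fw      udp     53
ACCEPT      all     fw      tcp     53
# requirement 3: transparent proxy - LAN web requests are sent to Squid on the firewall
REDIRECT    loc     3128    tcp     80
# no fw->net rules are needed: the fw net ACCEPT policy already lets the resolver
# recurse and lets Squid fetch pages on behalf of the LAN
```

Note that the REDIRECT only catches traffic that crosses the firewall from the loc zone, which is exactly why the LAN needs its own NIC; with a single interface there is no loc side for it to apply to.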